Security is the No. 1 concern of business owners today. This isn’t surprising given the number of hacks, breaches, data thefts, ransomware attacks, and privacy violations that we hear about on a daily basis. And those are just the ones we know about. According to the Online Trust Alliance’s (OTA) most recent Cyber Incident & Breach Trends Report, cybersecurity incidents nearly doubled from about 82,000 in 2016 to 160,000 or so in 2017. But since so many breaches go unreported, the OTA notes that this number could easily be more than double that.
The necessity to thwart cybercriminals and protect critical business, financial, healthcare, and other data has created a tremendous opportunity for IT service providers to address this challenge while benefiting from a continually growing revenue stream.
In this series, I’ll dive deep into the topic of selling security services and cover essential topics such as the solutions available within different levels of security offerings; how to lead with security to prospect effectively and set appointments; and how to price, position, and sell these services, even if you’re not a security expert.
Cybersecurity Services Features and Benefits
We know that security is the #1 concern of today’s business owners, regardless of the industry they serve, and that strategic leaders understand they must increase their security posture to protect their data, systems, and users against internal and external threats.
Therefore, offering cybersecurity services is a strategic client service and control point for security providers. These high value, high margin services represent a stable, growing revenue opportunity with an extremely low barrier to entry and delivery.
What are Managed Cybersecurity Services?
Managed cybersecurity services are a defined set of onsite or remotely delivered services that are prepaid for at a fixed rate on a recurring basis, where the security provider assumes complete responsibility for the management and delivery of these security services and their outcomes.
In addition, these services are governed by a service level agreement, or SLA, and are scheduled, preventative, and proactive. On the other hand, managed cybersecurity services are not measured by time invested. Nor are they reactive services. Finally, they are not billed for on a time and materials basis.
The Old Way of Delivering Security Services vs. The New Way
The old way of delivering security services to clients meant that the service provider was most profitable when their client was in the most pain, as the price of reactive, emergency security remediation services are always higher than scheduled, monitored, preventative services.
And clients are never prepared to pay for these reactive, costly emergencies, which can negatively impact their cash flow, operations, brand, image, and customer relationships, and create tension between them and their reactive security provider.
The new way of delivering managed cybersecurity services is much more attractive and beneficial to clients, as the security provider actively seeks out and delivers security solutions to protect their clients’ data and environments from security incidents and manages security risk and response for a flat monthly fee.
Because the managed security service provider, or MSSP, assumes more risk in the relationship, if they are to be profitable, they must ensure their client’s security and reduce vulnerabilities.
As a result, the MSSP is more profitable when their clients experience less threats, and their business goals align with their clients’ in this respect.
This reality creates a much stronger business partnership than a typical vendor relationship for the MSSP and their clients and paves the way for acceptance as a trusted advisor.
What Comprises a Security Offering and What Are its Benefits?
A basic security portfolio typically includes firewall management, anti-virus and anti-malware solutions, desktop and server operating system security, email security, web content or URL filtering, mobile security, data security including backups, dark web scanning, end-user security awareness training, and more.
And there are a variety of advantages for a client when engaging an MSSP, including enjoying a high level of confidence that drives continued innovation in their organization, instead of worrying so much about security threats that this concern stifles strategic growth plans and activities.
Along with improving their compliance posture, clients enjoy rapid detection and remediation of threats at much lower costs than reactive, “”after the event”” security remediation services, and gain a stronger posture to reduce insider fraud and theft, along with guarding against data leakage.
In addition, a clear path and process to identify and quickly address security incidents brings clients peace of mind, and predictable monthly fees allow them to budget for security more effectively for the long term.
When presented properly to a prospect, these and other factors make a compelling argument to engage in a managed cybersecurity services relationship.
Security Services Bundling and Pricing
To provide the best opportunity to engage with as many prospects as possible while maintaining healthy margins, the MSSP will bundle and tier their services to offer various distinct packages, with each successively higher-priced option adding more qualitative value in terms of services and benefits, along with more attractive SLAs that govern response time. This allows prospects to select the option that makes the most sense for their specific business needs, risk profile and budget.
There are several considerations for the MSSP when determining their pricing model, and several options, such as per endpoint, per user, or as tiered or bundled services. Or they may price strictly on value alone, with each opportunity quoted individually.
Their ultimate pricing strategy will also be informed by other factors, such as their SLAs’ response times and the hours they provide service to their client—8 to 5 Monday through Friday, 24×7, or on holidays and weekends.
Once the appropriate service bundle or tier is selected by the client, the MSSP will provide them a scope of work, or SOW, that clearly defines what is included and covered in the service relationship, and what is not. Typically, the SOW covers all of the agreed-upon security maintenance and service work the MSSP delivers for the specified endpoints, devices, and users within the SLA.
New users added, or new services or licenses installed or provisioned after service go-live normally fall outside the scope of an existing SOW, and will typically be added to the client’s overall agreement at an increased monthly fee by having the client authorize a new SOW or an addendum to the existing SOW.
To preserve margins, best in class MSSPs will understand the true cost of delivering their services to their clients, including the cost of third-party security products and services they bundle into their offerings, and establish a minimum desired margin for these deliverables.
Using a pricing calculator helps ensure consistent margin attainment and speeds pricing activities. Once the minimum price is established for a client, the security sales professional will try to increase the ultimate sale price by using consultative selling techniques to sell on value.
The Value of Becoming the Trusted Advisor as an MSSP
A trusted advisor is a critical business asset for their clients, as they work to understand their client’s business needs and priorities and develop strategies to actively seek out solutions to improve daily workflows, processes, and procedures and improve security to best assist their clients reduce risk and realize their business goals.
An effective trusted advisor earns their client’s loyalty by understanding their external competitive challenges as well as their internal operational challenges and works to help their clients advance their value proposition to their target market, improve client service, sales, marketing, and back-office operational processes through technology to help their clients retain and expand their market base.
These are the reasons that MSSPs operating as mature trusted advisors are so successful at consistently identifying upsell and cross-sell opportunities for new solutions sold to their clients while increasing their satisfaction.
Next time:
Don’t miss Erick’s webinar on How to Sell Cybersecurity Without Being a Security Expert too
