Security is no longer an add-on service for MSPs, and bundling these services is a good strategy for those looking to grow revenue and be more marketable.
Erick Simpson
That said, it takes a lot of time, effort, and investment for MSPs to develop these bundles of products and services, and to deliver them themselves, noted MSP expert and influencer Erick Simpson, CEO of MSP Mastered and Channel Mastered.
“For many MSPs, it makes more sense to partner with a vendor who has a comprehensive suite of services focused on strengthening the security posture of their clients and the MSPs themselves.”
In the past year or so, there’s been a trend of MSPs working with resellers and security vendors who select the products and services an MSP should offer in a single solution, and resell them in that bundle to the MSP, according to TeraCloud President Eric Long. This includes SIEM (security information and event management) and SOC (security operations centers), he added.
“They bundle that together — and it’s usually expensive — but not everyone can act as an MSSP (managed security services provider). The alternative is for the MSP to go out and secure the individual services on their own and build their own stack.”
Best Practices on Bundling Cybersecurity Services
When combining services, MSPs should have at least one to two offerings, including basic security services like DNS filtering, antivirus, anti-malware, and ransomware protection.
None of the minimum core services should be a la carte, recommended Shawn Walsh, a partner and senior consultant at Encore Strategic Consulting.
“You can’t really offer a true managed service without that as the minimum. You’re setting yourself up to be sued by clients who experience a security incident. It’s not a reasonable risk.”
He recalled a law firm client that experienced a data loss, and when the company pulled the backup tape, it was broken. Walsh got called into “a tense meeting” with the firm’s partners, he said.
Eric Long
“One growled at me and said, ‘Why did we have data loss? We pay you a lot of money every month.’” Walsh reminded the client that during contract talks, the company chose to handle backup themselves.
“He said, ‘You should have insisted,’” Walsh recounted. “We never allowed a client to choose their tech stack again.”
For clients, the MSP is the expert that needs to be able to make the case for spending more on additional security offerings. “They’re not qualified to make the decision.”
Additionally, MSPs should partner with resellers who have a good portfolio of products to help build a comprehensive set of offerings, Walsh advised.
TeraCloud mainly offers bundled security services at three different tiers. Bundling services enables the company the flexibility to change the vendors they do business with, Long said.
The upside of bundling is that the MSP doesn’t have to think about what services they should provide.
“There’s nothing worse than a proposal with 15 different products,” Long said. “They’ll look at each line and say, ‘I don’t need this or that.’ This negates having that conversation.”
Factors to Consider When Designing Bundles
Deciding what cybersecurity products and services to include in a bundle comes down to the client’s risk profile, Walsh said.
Shawn P. Walsh
“In the MSP industry, we have a bad habit of just copying what everyone else does,” he said, which makes it hard to stand apart from the competition. If all the pitches looked the same to the client, it will go with the lowest bidder, Walsh observed.
However, costs and vendor sprawl must be controlled when designing a security bundle, Long explained. Don’t create overlap by signing up for the latest widget when you already have a widget in your stack, he said.
It’s also important to have a growth strategy in place for adding new clients, Long said. And the MSP should make sure they are being billed correctly by the vendor.
MSPs also must show compliance when a client files a cyber claim, stressed Simpson. Many claims were denied by insurance carriers when a customer had experienced a breach because they did not comply with the policy’s minimum requirements, he said.
MSPs should understand the total cost of delivery of services, and include a forecast of labor hours, then add in the cost of all their third-party tools, said Simpson. Once they figure that out, they can add their desired profit margin. He suggested a markup of 60% to 70%.
“I recommend longer-term agreements when you can get them because of high growth profit margins.”
Image: iStock
