NEARLY ALL OF US have experienced the overwhelming weight of providing security for our clients. Of course, that pales before the amazing diversity of options we have to choose amongst for provisioning those security products and services. To make matters harder, this rich and expanding ecosystem is not only growing but also changing as vendors adjust offerings and pricing structures or get acquired. Plus, the “threatscape” evolves constantly, and different clients may require different levels of security. All of this makes building the ideal security stack a daunting proposition, a bit like hitting a moving target from a moving target. Read on to see how one intrepid MSP manages this morass.
Tiers or “All-In” Only?
Securing your networks is so important that many MSPs offer only the “all-in” option. They provide every service to every client without choices. While most of us would love to do this, there are mitigating concerns. A stack that includes everything from endpoint detection and response to device encryption imposes not just added costs, but complexity as well. And some of your clients may require (and put up with) a “stiffer security posture” than others. If you make things too hard to use, your clients will work around you.
That said, with all the hacks and breaches in the news, a lot of the groundwork for this selling has been laid for you already. And when you consider your potential legal exposure should your client get breached, the all-inclusive option looks even better. Another advantage of going all-in is that you don’t have to worry about designing bundles or tiers of services, or grapple with what is safe to leave out of your bundles. Everybody gets everything in this one-size-fits-all world and there is a very good argument to be made for this.
In an ideal world, we’d all offer only these all-in plans. But the reality of cost/benefit and risk analysis means we cannot go all-in for every customer site and that some sites require different security postures. For that reason, Net Sciences offers three tiers of security services, each of which adds more services to the last one. The specific services you weave together to provide at each tier depends upon an analysis of the threatscape, your clients’ needs, the security marketplace, and more. And, of course, it will change as these variables change.
Identify and Strategize
Whether your intention is to go with all-in, tiers, or a la carte, you’ve got to identify the risks you’re mitigating and then find the appropriate tools and procedures to protect against them. There is no precise formula here. Your experience in the field, your exposure to vendors and technologies, and your interactions with peers are all important. Wearing both your security and business hats at once is important too. Approach securing your clients’ networks as an exercise in risk management, as you may find that selling mitigation is easier and more effective than simply selling security. After all, you don’t sell gym memberships based on working out five days a week. You sell them based on results.
If you do decide to build security tiers, the natural question to follow is how many tiers to offer and how to build out those tiers. We limit our offerings to no more than three options. Beyond that, we tend to see confusion set in, and there is no such thing as a confused buyer. Keep it as simple as possible, and remember that the bundle is indivisible, as you don’t want to have to manage a unique set of services for every site. We offer a Basic plan with six security services, an Advanced plan with three more security services, and a Comprehensive plan with another three security services. Over time, we’ll migrate all of our customers to either the Advanced or Comprehensive plans, further simplifying offerings and fortifying sites.