THINKING ABOUT getting into managed security services? The first step is recognizing you’re already there.
If you’re protecting your SMB customers’ data against loss, theft, or unauthorized access with foundational security like firewalls and anti-virus, you’re in the security business, says Mike Semel, president and chief compliance officer at Las Vegas-based Semel Consulting LLC. The question now, he says, “is how do you take what you’re doing and reframe it, but also expand on what you’re doing in a way that makes sense?”
Tread carefully down the road to scaling a security practice, though, advises Michael O’Hara, a cybersecurity expert and head of MikeOSecurity, in Sparta, N.J. “There’s a real temptation to jump into that business without really knowing what you’re getting into,” he says, adding that the consequences of being ill-prepared are twofold. First, you could put your clients at risk; and second, you could harm your firm’s reputation.
No doubt there’s plenty of opportunity in security. The number of attacks targeting SMBs, including phishing, advanced malware, zero-day, and ransomware, is rising, according to the 2018 State of Cybersecurity in Small and Medium Size Businesses study, conducted by the Ponemon Institute and sponsored by Keeper Security. In the last 12 months, 67 percent of SMBs fell victim to a cyberattack and 58 percent experienced a data breach. Plus, nearly half of respondents say they have no understanding of how to protect their companies against cyberattacks.
That’s where you come in. Here’s how to get started and grow.
Get Educated or Bring in Talent
The first step is to educate yourself about the cybersecurity landscape, says O’Hara. “You don’t have to be the one to get that education, but make sure you have somebody on your staff [who] understands what the real threats are, understands foundational security, understands policies, procedures, and awareness—that’s your bedrock.”
This doesn’t have to be a difficult or expensive process, says Semel. “You don’t have to fire your old staff, and you don’t have to hire all new staff, but maybe you have to take your techs and your engineers and put them through something like CompTIA Security+ training.” He also suggests acquiring the CompTIA Security Trustmark+ certification and using it as validation that people can trust you with their most valuable data.
Terry Cole, CEO of Cole Informatics LLC, an MSP in Parsons, Tenn., who’s in the process of building a security practice, shares Semel’s belief in the power of security credentials. “My intention [is] either to become CISSP [Certified Information Systems Security Professional] certified, or hire that, or both.”
Acquiring knowledge of the Linux world helps as well, according to Rory Sanchez, CEO of True Digital Security, a security, governance, and IT management company with an office in West Palm Beach, Fla. “There are so many open source tools that can really help an MSP or an MSSP [managed security services provider] get their game to the next level at not a lot of expense,” he says.