COULD THERE BE A BETTER PLACE to be in IT right now than the intersection of managed services and security?
Indeed, while sales of security hardware, software, and services will climb at a 9.4% compound annual growth rate through 2023 to $151.2 billion, according to IDC, sales of managed security services will grow at an even better 13.9% CAGR during that same period from a base of $21 billion last year.
The margins on managed security, which can easily top 65%, are pretty good too. “It’s incredibly lucrative,” says Angela Hogaboom, CEO of Ocular, a solution provider with specialized security and compliance expertise in Denver.
Ready to get in on that? Be prepared, experts say. You may be an MSP and you may offer security services, but that doesn’t necessarily mean you’re in the managed security business.
Definitions vary, but most channel pros with experience in the field agree that a true managed security offering is a multilayered package of sophisticated, subscription-priced services that combine to help client assess their needs, protect their data, detect attacks, and respond to breaches. Steep profits aren’t the only payoff, either.
“Even more important to me, coming from the MSP space, is the stickiness that you get with your clients,” says Scott Beck, CEO of BeckTek, an MSP and advanced security provider in Riverview, New Brunswick. “When you get those solutions in, and they get used to it and you get their staff trained around it, you become almost irreplaceable.”
Most providers sell managed security plans separately from their core managed IT service bundles. Many let customers choose from a menu of basic, intermediate, and advanced tiers.
Included in those options, typically, is a mix of behavior-based endpoint protection software, next-generation firewalls, spam and DNS filtering solutions, email and network security protection, an endpoint detection and response system, two-factor authentication, BDR, and a dark web monitoring service that alerts you when a client’s credentials have been stolen. Vulnerability assessments that identify gaps in a customer’s defenses, security awareness training that teaches end users to recognize phishing scams, and cyber-insurance policies that lessen the financial impact of successful attacks usually factor into the package as well.
So do remote monitoring and support from a professionally staffed security operations center (SOC). Building a SOC can cost millions, however, and staffing one with experienced analysts is expensive. As a result, most managed security providers partner with an outsourced SOC vendor. That’s something Joshua Liberman, president of Albuquerque, N.M.-based MSP and system builder Net Sciences, would do even if it wasn’t more cost-effective.
“I just don’t see, even if the money was there to do it, that it provides me significant benefits over dealing with people who are truly expert [and] who can analyze millions of data points when we can only analyze thousands,” he says of operating his own SOC.
Successful managed security providers apply that thinking beyond just the SOC. “If you need to Google how to do something, a pretty good general rule of thumb is that maybe you should consider outsourcing it,” Hogaboom says. Your margins will dip some, but your clients will be safer, and therefore happier with you.