9 Tips to Help MSPs and MSSPs Scale Successfully

Cybersecurity is one of the top IT spending priorities right now. According to a recent survey, 69% of organizations plan to spend more on cybersecurity this year than last, placing ahead of the cloud and artificial intelligence (AI). Established vendors and a wave of startups are bringing new security technologies to market as well as updating and improving existing solutions.

Due to surging demand, many traditional IT vendors and managed service providers (MSPs) are invading the managed security service provider (MSSP) space. With the rising frequency of cyber attacks and the complexity of the current enterprise security landscape, organizations are requesting cybersecurity services in record numbers. MSSPs are being counted on more and more to provide a wide variety of security services.

See the Top Managed Security Services for SMBs

The Challenges of Scaling Up

Surveys highlight several areas of opportunity for MSPs and MSSPs, such as incident response and remote workforce services.

Many organizations lack adequate incident response plans and capabilities. They need help in areas such as managed detection and response (MDR), securely deploying virtual desktops for an increasingly remote workforce, and in combating ransomware.

As a result, more than 75% of MSPs and MSSPs noted increased demand for security, business continuity and disaster recovery (BCDR), and remote work support services among their client base.

That’s why many MSPs are looking to enter the security space, and many MSSPs are tempted to add a greater number of services—or to expand their reach beyond their current niche or geography.

But scaling up managed services operations is far from easy. Hiring cybersecurity specialists can often be a major challenge. And organizations are finding it extremely difficult to recruit the talent they need at a time when they are overwhelmed by the rising volume of sophisticated threats.

Another issue is margins. It isn’t easy to scale up while generating sufficient profits to grow at the pace required and add the talent they need. Therefore, many MSPs and MSSPs face the challenge of staying profitable while also investing in expansion strategies and adding to their talent pools.

Also read: Five Reasons Why Your MSP Should NOT Become an MSSP

Tips for Scaling Up Successfully

Scaling up can provide your business with many opportunities, but it can also prove to be a challenging process that can easily go wrong, thus adding more costs to your business. The following are nine ways to overcome the barriers of scaling up successfully.

1. Assess current and future resources

Any MSSP intending to scale up should carefully assess current personnel resources and accurately forecast the staff they will need to deliver effectively to maintain service levels during expansion.

“Resources are often the barrier that MSSPs consider last when scaling up,” said Michael Hanauer, vice president of managed XDR sales and marketing at Barracuda MSP.

However, scale up and initiatives aimed at raising margins will falter if they can’t be supported by adequate resources.

Any resource evaluation should consider what internal software development resources you possess for the creation of your own software and security services. How much will you have to invest to develop such tools and bring them to market? Do potential revenue gains justify such an investment? How can additional or expanded security services be offered without disrupting current MSP service delivery efforts? Is it better to take on cybersecurity services internally or partner with knowledgeable companies that can do most of the heavy lifting?

Also read: Top MSSP Tools and Cybersecurity Vendors

2. Training and retention

To remain effective and efficient at delivering security services, MSSPs must be able to retain key talent as well as stay up to date on technologies and evolving threats.

When developing for scale, therefore, the capabilities of existing personnel need to be understood. Are they capable of delivering advanced security training, or will they need additional training? Alternatively, does the organization either need to hire more expert resources, or partner with another provider that possesses the right skills?

“Staffing is one thing, but the ongoing training and knowledge transfer required is often an afterthought,” said Hanauer.

Also read: How MSPs and MSSPs Can Attract Talent Despite IT Skills Shortage

3. Assess your market and maturity position

According to CloudBlue PSA, MSPs seeking to grow must accept that complexity is an inevitable consequence. Therefore, any efforts must be judiciously managed.

The key is to ensure complexity doesn’t erode profits or lead to a reduction in service satisfaction and employee overload. CloudBlue PSA lays out the three stages of growth. Before embarking on a project toward a specific security service niche, it is important to understand where the company stands in these three stages:

  • Build: This stage encompasses MSPs with limited clients and offerings that rely mainly on manual business processes.
  • Grow: This stage covers those with more than 10 offerings that are beginning to automate provisioning of services.
  • Scale: This stage includes MSPs with more than 10 cloud offerings that utilize automated provisioning and have at least 100 customers.

Internal controls and automation must become more capable as the organization expands to keep up and avoid drowning in complexity. And organizations in the build stage or that have not progressed much of the way through the grow stage are advised to postpone major scale-up plans until they have matured enough to manage.

4. Verify user demand

It can be tempting to dive into new security services based on headlines about ransomware attacks or other threats. Surely everyone wants such a service.

If you put a lot of work into the development and launch of a new service, it is vital to be able to upsell it widely to existing customers and use it to open new markets. But that takes marketing savvy and finding out just how strong the potential demand is.

Hanauer suggested several questions to ask:

  • Is the scaled-up security service something the existing user base needs and is willing to pay for? 
  • What is the driving force for the scaled-up security service; it might be compliance, threat landscape, data sensitivity, or some other driver. 
  • Is demand likely to be long-lasting and stable?

“If you start at the customer and work your way back, you can build your services to solve customer problems, rather than build services that you think your customers will want,” said Hanauer.

5. Communicate to others

Scaling up can be a big leap. Thus, it can be helpful to turn to vendor partners to see what research they may have to help you support the change. Speak with your peers, some of whom will have had experience of scaling up and security. Some of them will be willing to relate lessons learned along the way that will prove useful.

6. Partnering or not

Going it alone may seem cheaper but not if you have to hire expensive security experts, provide personnel for a large security operations center (SOC) with round-the-clock shifts, and spend a year developing applications that have to compete against vendors that have been in the security space for decades.

“Consider if you can scale up services without doing everything in-house,” said Hanauer. “MSPs can outsource parts or all of the scale up service without burdening their existing resources, investing into costly infrastructure, or staffing as a way to reduce their TCO (total cost of ownership).”

7. Partner selection

If the MSP decides to scale up via the partnership route, potential candidates must be evaluated carefully, as no two are alike, according to George Tubin, director of product marketing at Cynet.

Some provide a SaaS tool but are found wanting when it comes to support. Others put the burden of deployment wholly on the MSP and are reluctant to become involved in the resolution of complex issues. There are also partners that are willing to share risk and shoulder much of the support and deployment responsibility.

He offered several points to consider during partner selection:

  • Is the partner able to capture incident data to enable forensic analyses?
  • Does the partner candidate provide automated incident workflow and reporting as well as root cause analysis and crisis management?
  • Does the partner solution have multi-tenant capabilities that support multiple customers on a single instance?
  • Can the partner accommodate on-premises as well as public, private, or hybrid cloud options?
  • Is it possible the partner could use the relationship to become a competitor?
  • Does the candidate have deep experience in serving your target market, whether it is defined by geography, company size, or industry vertical?

8. Develop a strategic plan

All of your assessments and considerations should be distilled into a strategic plan on how to scale up profitably, rapidly, and effectively. This should include a marketing strategy built around the delivery of business value, not just the availability of cybersecurity features.

A key aspect that is often missed is to try to rely only on existing customers. This will never be enough. The strategy should address upselling to existing clientele and opening up entirely new customer channels.

The overall strategy should also seek to enhance existing strengths. If service delivery is strongest locally or in a specific niche, for example, it is best to formulate strategic elements around that by adding resources to improve the volume and quality of delivery in those segments. In short, don’t shift into a completely new area where you have no experience, no customers, and no know-how.

9. Measure and Execute

The success of the scale-up program should be grounded on metrics which demonstrate whether the plan is working well or not. That means defining a set of metrics to measure business results, such as leads generated, website traffic volume, email responses, new subscriptions, existing customers signing up for the new service, revenue, and other parameters.

And then, there is execution. One good tactic is to test out new services and strategies in a limited market before full launch. Existing customers may be willing to try it out for you to iron out bugs. And marketing strategies can be piloted before getting the final greenlight. By monitoring results and using them to make adjustments in service delivery, support, or marketing to improve outcomes, scaling up can be accomplished.

Read next: MSP Clients Are Unhappy. Here’s Why and What To Do.

Drew Robb
Drew Robb
Drew Robb has been a full-time professional writer and editor for more than twenty years. He currently works freelance for a number of IT publications, including eSecurity Planet, ServerWatch and CIO Insight. He is also the editor-in-chief of an international engineering magazine.

RELATED ARTICLES

Must Read