5 Tips for Managing Risk as an MSP

Risk is everywhere, and oftentimes, it is unavoidable. For managed service providers (MSPs), there is the risk of failing to keep up with advancing technology, of misreading customer needs, of succumbing to the tactics of competitors, of over-expansion, and a great many others. Instead of living a life of endless panic and worry about the latest crop of risks, though, the key is to manage that risk and to take steps to mitigate any consequences.

  1. Pay Attention to Your Customers

MSP success is typically founded on providing a quality service that a particular set of customers needs. By correctly assessing that need and delivering a service that fulfills it, MSP growth is as close to guaranteed as it gets.

Many MSPs find a workable pattern, and the years go by without them ever seeing the need to adjust it. Year after year, the numbers look good. But then, if they start to flatten or even dip slightly, and nothing is done, danger awaits. That predicament appears to be the case in more than a few MSPs these days.

A survey by CloudBolt Software of over 300 senior-level employees around the world found that 79% are frustrated with their existing MSP and are actively looking to replace them within the next 12 months. That means 4 out of 5 MSPs have gotten complacent about their customer base. This indicates that many providers have lost sight of the needs of their customers.

The survey also identified specific areas of complaint: not properly optimizing cloud spend (60%), not providing sufficient multicloud options (58%), and not providing deep visibility into cloud spend (41%). These same respondents said they would be willing to pay a premium to a service provider that addressed those shortcomings.

Clearly, it is time for MSPs to engage their customers, find out how their services are actually perceived, and take urgent steps to avoid large-scale attrition.

  2. Look at Risk in Contracts

Many MSPs are now offering security services to provide the value their customers need. Whether the MSP leverages services from an MSSP, or partners with a vendor that offers co-managed services backed by a 24×7 security operations center (SOC), MSPs must appreciate that the cyber threat landscape can be a tough place to live. There is a potential trap awaiting those operating in this zone—being open to blame for anything that goes wrong.

“MSPs should consider the risks of taking full responsibility for a client’s security posture, as this could leave them open to a lawsuit in the event of a breach and damages,” said Christopher Crellin, senior director of product management at Barracuda MSP.

  3. Define Your Own Risk as Narrowly as Possible

There are varying degrees of risk. Cloud providers are very good at defining their responsibilities for security and privacy, for example. Even if a breach occurs, they can in many cases still offload blame to customers, because the incursion happened through hacked user passwords or for other reasons that can initially be traced to a fault at the user end of the cloud service.

Some MSPs, however, are less than adept at defining their level of risk. Yet this is an area that can seriously put the business at risk of failure.

In addition, having a narrow and clearly defined strategy gives businesses the opportunity to partner with other providers who may be able to handle other risks, such as security awareness training, extended detection and response (XDR), access control, dark web monitoring, secure data transfer, email security, and security information and event management (SIEM). This helps to distribute risk in a way that minimizes the repercussions resulting from serious incidents.

“We help customers identify the tools that will cover most of their risks and partner with other providers who take on much of the risk,” said Alexandre Blanc, strategic and security advisor at VARS. “We can’t transfer all responsibility, so we are careful to identify the different risk factors and minimize our own risk.”

  4. Minimize Talent Risk

An MSP with one or two talented developers or security professionals may feel like they are in skill set heaven. But all it takes is one resignation, one headhunter intervention, or one personal life crisis to disrupt the personnel equation. As a result, the MSP could soon find itself unable to deliver the level of quality it needs to survive.

Those without limitless personnel resources are advised to minimize talent risk by leaning heavily on partners.

“The global talent shortage can be a real challenge in staffing an in-house threat hunting team,” said Scott Barlow, vice president of Global MSP and Cloud Alliances at Sophos. “MSPs should look to their vendors that offer tools to deliver security and other services while maintaining expertise and excellence across their core competencies.”

  5. Understanding the Difference Between IT and Security

Blanc makes the point that there is a massive difference between delivery of IT services and delivery of security services. And that adds significantly to risk.

“One big risk of transitioning to becoming an MSSP is dropping full control of the decision-making process and moving to more of an advisory position,” he said.

With IT services, business needs come into it, but IT typically retains a large degree of control of what is needed and how to deliver it. In security services, on the other hand, operations and management typically must work together on making decisions. IT may recommend a particular approach or solution, but business factors and needs enter in.

“Being an MSSP, we make risk-based recommendations against potential incidents and against uncertainty, but we no longer directly decide anything,” said Blanc.

Drew Robb
Drew Robb has been a full-time professional writer and editor for more than twenty years. He currently works freelance for a number of IT publications, including eSecurity Planet, ServerWatch and CIO Insight. He is also the editor-in-chief of an international engineering magazine.
