It can be tempting for managed service providers (MSPs) and managed security service providers (MSSPs) to take on new service areas. The latest statistics come out about the growth in the cybersecurity market and management decides the organization needs a bigger piece of that expanding pie. Or a couple of big customers request advanced services that might require a Security Operations Center (SOC) or sophisticated threat intelligence and threat hunting capabilities and the temptation to go all in becomes too great to resist.
For some, the transition from MSP to MSSP might not be too complicated. But for many, they may be getting themselves into difficult territory – one that promises much but might ultimately fail to deliver returns. In some cases, it might even become a legal liability or a customer relations disaster.
For many, it may be wise to focus on existing strengths and not venture too far from that path, at least not without a thoroughly considered plan.
One MSSP Business Model
Take the case of VARS, a Montreal-based MSSP that has established a clearly defined role for itself. It brings its clientele two things: a cybersecurity solution set and virtual Chief Information Security Officer (CISO). For the latter, it provides organizations with a vCISO on a retainer rate that is much cheaper than hiring a full-time CISO for an internal position. In any case, the cybersecurity job market is so tight and CISOs so in demand that even those successfully hiring a CISO might lose them rapidly due to headhunting and the lure of higher salaries.
From its vCISO hat, VARS advises its clients on overall security strategy and the enhancement of the client’s security posture by improving its culture, process, security administration, and upgrading its toolset.
“While we are developing a security culture in the organization, we also need to bring in quick controls that reduce the attack surface and put clear and formal processes in place,” said Alexandre Blanc, Strategic and Security Advisor at VARS.
Outsourcing Security Services
For this purpose, VARS has assembled a package of integrated and fully managed security solutions to help its clients take care of the broader security function. The trick here, though, is that VARS outsources the bulk of these services to specialist suppliers.
The company keeps its finger on the pulse of the security technology space to ensure it is offering the best services. Currently, its package consists of security awareness training, extended detection and response (XDR) for endpoint protection, risk-based access control, monitoring of the dark web, secure data transfer, email security, and security information and event management (SIEM). It also offers specific services that vary from client to client that encompass network and cloud security, identity and access management, data security, application security, and mobile security.
“The products we choose must be scalable, provide automation, and don’t bog things down in a lot of false positives,” said Blanc. “As part of our due diligence, we check product capabilities, but also verify the financial part: Can we make money with it, can it deliver real value to customers, and is scalable in terms of deployment and management.”
Risk and Responsibility
Perhaps the key ingredient of VARS’ service offerings is division of responsibilities and containment of the service provider’s risk.
VARS is firm that it does not “do IT.” It will not take over the administrative accounts of its clients. Instead, it advises on the best toolkits, sends access to those tools to its customers, answers questions, but does not touch customer systems.
“We explain the boundaries, arm them with the right collection of automated tools and access to support, and let them get on with protecting themselves,” said Blanc.
He gives the example of a situation concerning a laptop at a customer site that IT replaced. IT didn’t reinstall the security package recommended by VARS. When a breach occurred, someone attempted to blame VARS. By defining clearly the boundaries, VARS could hold its ground and lay out what happened and why, thus containing its risk.
“MSSPs should identify the best tools and partners that will cover the biggest portion of the risk, and also lay out the customer’s areas of responsibility clearly,” said Blanc. “Spend in such a way as to cover the bulk of your risk but understand that you can’t transfer all responsibility to others.”
VARS offers services from a collection of security vendors and MSSPs. These include Terranova Security, Perception Point, Cynet, Flare Systems, Logpoint, Cyolo, Cygilant, and Secure Exchanges. The company is open about its use of such services from other providers and displays their logos openly. Blanc noted that this adds credibility and fosters trust.
“We can go to a customer, know it will work effectively, and that we can use it profitably,” said Blanc. “We can recommend these solutions with confidence.”
Also read: Top Managed Security Services for SMBs
Getting Up to Speed
VARS began offering such services gradually, learning as it went along, figuring out what worked, and what didn’t. The company has a philosophy that when it deploys its integrated solution, the customer should not experience problems or get tied up in administration. Only rare exceptions should require specific manual handling by the customer’s internal IT team.
Another aspect of selecting an MSSP partner is finding one that has the technical resources and willingness to support its offerings and will be there for you.
“Find a partner that really knows what they are doing and backs you up so you can focus on sales and delivery, not on building trust,” said Blanc. “You may have to work through fire together. If the product betrays customer trust, we lose the market.”
Part of the VARS strategy is to offer tools from different providers with plenty of areas of overlap. In this way, if the endpoint tool misses something, the email monitoring tool is going to pick it up, and vice versa.
Its email gateway provider is Perception Point. As email is a primary avenue of incursion into the enterprise, VARS ensures that this channel is well covered. Perception Point provides VARS and its clientele with solid technology as well as dependable support.
For XDR, the company uses Cynet to provide broad coverage such as preventing and detecting threats on endpoints, networks, and users, as well as triggers for each identified threat, an automated investigation flow that reveals the attack’s scope and root cause; and the ability to apply automated remediation. Cynet’s managed detection and response team is available 24×7 should a need arise, and the MDR team continuously monitors the endpoints of VARS clients.
Getting Cyber Protection Quickly
While VARS conducts a thorough assessment to determine what its customers need, Blanc said he pretty much knows they all will need those services and urges everyone to install it right away as an immediate safeguard. Due to the nature of its business, VARS deploys services in a hurry to stop an ongoing attack, minimize damage and reduce ongoing risk.
“Cynet is the best bang for the buck as it covers so much,” said Blanc. “I recommend it right away even before the assessment, as it is quite possible that a new customer might get breached before our assessment is complete.”
Further reading on the security services business: