Any IT vendor or managed services provider (MSP) looking to add security services has several different directions they can go to achieve success. But there are also certain mistakes they can make that usually bring about failure.
Here then are seven of the biggest mistakes a managed security service provider (MSSP) – or would-be MSSP – can make so you can stay on the path to success.
Dumping New Security Workloads on Existing Personnel
There’s so much money being made in security right now that it is tempting to just work with another provider and immediately offer ransomware protection or some other service to existing MSP or MSSP customers. However, this can lead to personnel overload, which can result in diminished quality of existing services as well as failure to deliver the new service in sufficient quality.
“Using the existing services team to manage the security posture is a bad mistake,” said Justin Crotty, senior vice president for channels at Netenrich.
Chris Furner, senior sales engineer at Blumira, takes it a step further. He says a whole new set of personnel are required.
“In order to be successful as an MSSP, you will need to be able to successfully operate both an MSP with mature security practice, and an MSSP as a separate department/division,” Furner said.
Alexandre Blanc, strategic and security advisor at VARS, explains why: IT is focused on production and quick delivery, while security is focused on risk management and proper controls implementation.
While security must work with operations, its approach is totally different from operations. The KPIs used in IT operations are focused on availability and delivery performance, while security KPIs address risk reduction and business impact analysis, which encompasses far more than operations.
“Another issue is thinking that IT people can or should handle security; this is very wrong as the goals are totally opposed,” said Blanc. “Security should bring governance and be focused on information security, which is not the role of IT.”
Lacking Threat Differentiation
Crotty highlighted a tendency for MSPs or less experienced MSSPs to treat all threats or risks as being roughly equivalent. They provide no real differentiation of threat levels for the type of business they are protecting.
He gave the example of an MSSP whose team is focused on endpoint protection services and endpoint monitoring. Such a team may think it is easy to move into real-time threat monitoring and remediation, but these are very different skill sets. Those used to traditional endpoint monitoring can quickly become overwhelmed. They are likely to overlook parts of the overall threat or attack surface and so fail to deliver adequate protection.
Trying to Build Everything In-House
"Build it and they will come" may work in some other sectors, but it is often a bad move for an MSSP. Certainly, a few MSSPs have the internal development resources, the track record of development success, and a service roadmap laid out that can take them profitably and successfully into the future. But most don't.
Deciding to build a threat remediation or extended detection and response (XDR) platform from scratch can take months, or perhaps more than a year. And at the end of that, the result is still likely to be years behind the offerings of vendors that have been at this game for decades.
“Don’t try to build everything internally,” said Crotty. “Leverage expert partners to ensure you have a solid solution.”
Underestimating Personnel Needs
A common thread among the mistakes to avoid involves personnel. It is hard for MSPs and MSSPs to conceive what is really required to operate a security operations center (SOC) that offers around-the-clock threat management. That typically requires several people per shift, three shifts a day, seven days a week.
“An MSSP needs to plan to staff live engineers 24/7, which is a significant expense compared to an MSP’s typical model,” said Furner.
That's why he recommends that MSPs avoid moving into the MSSP space until they have at least 75 employees. Because somewhat different skill sets are required to be successful in the MSP and MSSP spaces, this is probably about the minimum size, he said. Smaller MSPs would likely struggle.
“Either pull highly qualified engineers from the MSP business and backfill their roles or hire new engineers and support staff for the MSSP business,” said Furner. “It would be very difficult for individuals to ‘wear two hats.’
“You will also likely need a sales exec at least part-time to sell MSSP services, separate from MSP services. The MSP and MSSP customer base may not be the same, and of course the product offerings will be different.”
Buying Tools, Not Expertise
One fatal error is to purchase IT or security tools in the hope that the tools themselves are enough to deliver value. They never are.
“Simply buying some MSSP tools and packaging them as an offering to customers is a common mistake,” said Furner. “Security tools need knowledgeable people to run them and need knowledgeable people to run the overall operations. This is something that needs to be grown and not simply created by buying tools.”
Blanc agrees. He sees MSPs with the mindset that a product will fix it all. But without skills, knowledge and business acumen, relying on tools and assuming they will keep a business safe is a mistake.
Not Securing Your Own Security Infrastructure First
No MSP can expect to gain trust in the security field if it doesn't have an outstanding record of safeguarding its own internal assets. Beyond that, MSPs need to demonstrate to their customer base that they take responsibility for specific areas of security and privacy. All of that must come well before venturing into the MSSP sector.
“MSPs who are considering an entry into the MSSP space should consider whether this is a wise move or if they should continue to strengthen their security practices under their existing MSP business model,” said Furner. “Many MSPs still have lots of work to do in bringing effective security improvements to their customers.”
Expecting Profitability Too Soon
Some MSP operations have a relatively fast time to value and time to profitability. That is typically harder to achieve in the MSSP space. Furner challenged leadership to come to terms with the need to set realistic revenue and profit targets for MSSP operations.
“This business can be equally profitable as an MSP business, but at least initially there will probably be no profits, as the MSSP operations will need to establish their internal practices, and your sales team will need to get a pipeline of deals for the MSSP,” said Furner. “It would be a fatal error to make any attempts to sign MSSP deals prior to the MSSP business being fully operational.”
Blanc added that the headlines security generates in the press may not be easy to translate into profits. Organizations, in general, don't care about security until an incident happens, he said. They do not want to spend time on security, don't want to spend money on it, and do not understand why they should. Pointing to incidents that befell other organizations may seem persuasive, but it rarely means much to organizations that haven't been through a breach or a ransomware attack themselves.
“It is critical to have a business acumen, because we must translate the risk in business language, and this means we must spend a lot of time quantifying and qualifying something that doesn’t exist in the mind of decision makers,” said Blanc.