As COVID-19 has opened the door for perpetrators to leverage the fears of people to serve their malicious ambitions, the rising security demands of organizations has driven many MSPs (Managed Service Providers) to seriously consider becoming MSSPs (Managed Security Service Providers). In addition, with profit margins declining from commoditized offerings, the need to provide higher-margin and value services is also a deciding factor in transitioning from MSP to MSSP.
According to ‘IDC’s Service Provider Pulse: 2Q20’, 16% of a service providers’ total revenue came from managed services, and from that, managed security services accounted for the highest percentage of revenue at 10%. With managed networks, app optimization and performance management growing year over year, it’s becoming more transparent for MSPs that developing broader areas such as security can aid their customers with their business.
But how do MSPs go about this? And is it beneficial for MSPs to become the next MSSP? To a large extent it depends on what end goal you have in mind and how much you are willing to invest. Prior to moving to a full MSSP model, there are several things to consider as transforming from MSP to MSSP is not as straightforward as adding an extra letter.
Is it time for MSPs to add security services to their portfolio?
MSPs face the same challenges as any other business when it comes to security: complex solutions to manage, a shortage of talent, and increasingly sophisticated attacks. But the risk of not addressing security is considerably higher for MSPs, because the future of their business depends on it.
Everything an MSSP does is focused on a ‘security first’ approach and they often focus on integrations between their security offerings to help automate their processes, while an MSP typically focuses on commoditized services such as managing email security, firewalls and intrusion prevention systems, rather than on security needs such as a MSSP. MSSPs must also consider liability issues as regulatory and compliance requirements have to be adhered to, including data sovereignty, privacy and sensitive data protection.
What investments are needed?
If you are considering offering your own Managed Security Service, investments can be steep:
Cost of technology
When deciding on the technology you want to offer, upfront investment for the necessary appliances, software licenses, as well as providing unlimited cloud-based DDoS protection for large attacks need to be taken into account.
Cost of maintenance
Maintenance agreements for appliances should also be factored into the overall costs.
Cost of operations
There is a growing requirement for 24x7x365 response and support when it comes to security, therefore an MSSP must set up an Security Operations Centre (SOC) that can provide 24x7x365 capabilities. Apart from providing specialist support for both internal and external customers, an SOC should also be equipped with a complete set of technologies that cover:
● Comprehensive suite of mitigation tools to handle DDoS attacks
● Broad-based visibility and threat detection capabilities (e.g. a portal complete with visibility and analytics capabilities, allowing customers to view service status, DDoS attack information and more)
● Networks (e.g. network-based intrusion detection, network traffic flow analysis)
● Management and Operations (e.g. a SIEM tool, incident response management solutions)
● Endpoints (e.g. endpoint detection and response)
Cost of Go-to-Market
MSPs will also have to consider building their own pool of talent. Apart from hiring skilled cybersecurity staff, whose salaries will be higher than those of other employees, the team will also require complete productization and go-to-market support, including sales enablement training, to help them sell, manage and support their products and services.
Consider partnering with existing MSSPs
Teaming up with a partner instead of building-out your own team may make more sense for some MSPs. Besides, this could also be the most economical option for the MSP. There is no getting away from investments, but finding an existing MSSP that already has the infrastructure and resources in place will help reduce the complexity. For starters, security providers will take the responsibility away from the MSP and take on the liability. But building out your own MSSP model is not simply a matter of implementing security services and tools, there are also other factors that should be taken into consideration.
For MSPs seeking to partner, you will need to consider how the partnership can help set yourself apart from other competitors. Look at it from an operational standpoint and scalability. Is automation and API integration in place to facilitate integration into your existing day-to-day operations.
Training should also be considered. One of the biggest challenges with training employees is keeping it up to date and relevant. It shouldn’t be a case of completing the training just for the sake of doing it; this should be monitored on a regular basis and any opportunity to refresh that education should be taken.
What Nexusguard can offer
Whether you’re looking for 24x7x365 complete managed security or an on-call expert advisor, we offer a range of managed DDoS services designed to protect your organization, detect threats and react to cyber incidents on your behalf.
From a cost and risk perspective, it makes absolute sense for MSPs to join forces with established MSSPs such as Nexusguard, who not only operate a round-the-clock SOC staffed with multilingual security experts, but also has extensive experience in productizing a service and generating return of investment on technology through its Transformational Alliance Partner (TAP) program.
Furthermore, we have proven that within 90 days, it is possible for MSPs to transform into MSSPs, offering a suite of managed cybersecurity services to their customers.
For more information on becoming a partner of the TAP100 program, visit https://www.nexusguard.com/tap100