This document discusses five driving forces that contribute to a successful managed security services offering:
1) Intelligent software and technology solutions that can detect and isolate threats in real-time.
2) User training and education to reduce human errors and recognize threats.
3) Understanding today's changing threat landscape as attacks increase against SMBs.
4) Developing an effective go-to-market strategy to package and present security solutions.
5) Addressing the widening skills gap in cybersecurity talent through outsourcing or third-party resources.
3. 3
The potential risks and damages associated with modern cyberattacks are escalating
exponentially, and virtually every business has at least some level of vulnerability today. Gone
are the days where large-scale enterprises and Fortune 500 companies were the only targets of
cyberattacks—today, small- and medium-sized businesses (SMBs) are being aggressively pursued
by criminals who are looking to deploy phishing scams, malware and other malicious software.
To put it simply: without the right protection and preventative measures in place, your clients—
particularly those in the SMB space—won’t stand a chance in today’s fast-paced and constantly
changing threat landscape. With attacks like ransomware, distributed-denial-of-service (DDoS)
and other attempts to stall business or steal data, cybercriminals are becoming exceedingly
skilled at deceiving users as a means of extortion for financial or personal gain.
The greatest threats to the SMB today are sub-par education, improper tools and a lack of
awareness surrounding these attacks and how to prevent them. It isn’t feasible to expect a small
business to maintain a robust internal IT department, let alone a team of cybersecurity specialists
who can monitor and respond to alerts, identify potential threats and gaps in their protection
strategy, and perform other critical functions. In the same way that many SMBs have turned to
managed services providers (MSPs) to outsource day-to-day IT monitoring and management,
they are now beginning to look to third-party providers to help them deploy effective security
strategies and mitigate risk.
Introduction
Five Forces That Drive a Successful Managed Security Services Offering
4. 4
For the MSP, the need to deliver security-as-a-service poses its own set of unique challenges.
Finding, hiring and retaining security talent in the IT channel is nearly impossible, and the nature
of today’s attacks is forcing providers to deliver security in a very different way than they’ve
approached offerings like remote monitoring and data backup.
To further complicate things, there is no single security “technology” which can act as a cure-all to
any type of threat or attack—there’s simply no one-size-fits all answer when it comes to security.
In reality, a combination of products and services like firewall, patching, endpoint protection,
DNS, reporting and others can help form a strong defensive architecture for a given environment.
That offering, however, must be coupled with 24x7 monitoring, user training and education, and
a number of other important functions to offer a true protection strategy for your customers.
While many IT providers today are convinced that they need to somehow “become” an MSSP, the
reality is that the lines between MSPs and MSSPs are already blurring—and likely won’t exist a few
years from now. Security plays such an integral role in the modern IT environment that all service
providers will need to be prepared to support it in order to survive and continue thriving.
Introduction
Five Forces That Drive a Successful Managed Security Services Offering
5. 5
So how can MSPs accelerate their entry into the managed security space? What combination of point solutions, value-added
services and best practices will maximize your opportunity to succeed and capitalize on this tremendous market opportunity?
This eBook offers an overview of five driving forces that must be considered in order to build an effective,
successful and scalable managed security services offering.
Five Forces That Drive a Successful Managed Security Services Offering
DRIVING FORCE 1
Intelligent Software & Technology
DRIVING FORCE 2
User Behavior and Training
DRIVING FORCE 5
The Widening Skills Gap
DRIVING FORCE 3
Today’s Changing Threat Landscape
DRIVING FORCE 4
Your Go-To-Market Strategy
6. 6
DRIVING FORCE 1
Intelligent Software & Technology
To effectively detect and isolate modern cybersecurity threats, a combination of intelligent
software tools should be the first driving force behind your offering. A defensive architecture
featuring endpoint protection, threat management, security profiling and other technologies can
offer MSPs a ready-made suite of solutions which can detect and isolate threats, anomalies and
suspicious activity. The key here is not to think of security as just one blanket concept or offering,
but to really look under the hood and understand exactly which of these individual components
are needed to bring the right offerings
to your customers.
The ability to then generate alerts, reports and data based on real-time events and anomalies
is critical, as is the timeliness of these solutions. The most effective security technologies can
detect threats and abnormal behavior in close to real-time, enabling MSPs to quickly identify
and quarantine infected machines as needed while remediation processes begin. The longer
it takes to become aware of an attack, the more deeply and broadly that attack will penetrate;
and as time passes when attempting to remediate and resolve the issue, the risks and damages
associated with that attack typically increase as well.
The key here is not to think
of security as just one blanket
concept or offering, but to
really look under the hood and
understand exactly what
individual components are
needed to bring the right
offerings to your customers.
“
Five Forces That Drive a Successful Managed Security Services Offering
7. 7
Backup and disaster recovery should also play a critical role in your security offering. No security
software can truly be 100% effective and eliminate every single possible risk—and in those cases
where an attack is successfully carried out, especially in the case of ransomware or some type
of encryption-based infection, the value of being able to roll back entire systems and sites to a
previous backup image cannot be understated. Think of it as a last line of defense in your security
portfolio.
Lastly, it’s worth noting that your customers are likely to have varying security concerns based on
their unique businesses, any industry-driven compliance requirements, and a number of other
factors—and you’ll want to be equipped to provide customized packages that are tailored to
meet each of their needs.
A private medical practice, for instance, is going to have significantly differnet security concerns
than a manufacturing plant or retail shop—but each of these customers expects you to provide
relevant security technologies and training to ensure they’re protected. In this regard, security
sales should not be thought of as one-size-fits-all offerings, but can instead be created using
some sort of base package or baseline offering which can then be customized or amended
based on customer needs.
DRIVING FORCE 1
Intelligent Software & Technology
Five Forces That Drive a Successful Managed Security Services Offering
8. 8
User training and education is
as important as the software
you’re leveraging as part of
your security portfolio.
DRIVING FORCE 2
User Behavior and Training
Security poses a unique challenge in the modern IT environment, perhaps
most notably because responsibility and accountability rest both on the
provider and the customer in an MSP-SMB relationship. This is not the case
with technologies like RMM and BDR, where the service provider bears the
entirety of the responsibility for setting up, maintaining and optimizing
those systems over time. Because of this, the second driving force behind
a successful security service is one that involves working directly with the
“victims” of these attacks: the end users at your customer sites.
Today’s cybercriminals are attempting to deceive users with phishing scams,
well-disguised email blasts and other social engineering techniques that may
never be detected by a software solution—and it’s for this reason that user
training and education is as important as the software you’re leveraging as
part of your security portfolio.
“
Phishing emails like this one can trick unsuspecting employees into
providing confidential data or information directly to hackers
who will use it for malicious purposes.
8
Five Forces That Drive a Successful Managed Security Services Offering
9. 9
The goal of training your customers is to help them better-understand and navigate today’s
threat landscape. Knowing how to recognize and assess potential vulnerabilities, identify
phishing attempts or malicious emails, and perform other functions can greatly reduce the risk
of a security breach or successful attack (a study from Wombat Security Technologies and the
Aberdeen Group confirms that increased investment in employee training can reduce the risk of
a cyber attack 45 to 70 percent).
Keep in mind that training doesn’t have to be exlusively in the form of live events or software-
based tools—there are plenty of ways to provide ongoing training and education through
informative content, blog posts, podcasts, webinars, and other channels in addition to physical
or in-person user training programs.
DRIVING FORCE 2
User Behavior & Training
Increased investment in employee
training can reduce the risk of a
cyber attack 45 to 70 percent
“
Five Forces That Drive a Successful Managed Security Services Offering
10. 10
DRIVING FORCE 2
User Behavior & Training
EDUCATION DOCUMENTATION
TRAINING
Workshops Onboarding
Lunch-and-Learn
Mock Phishing Exercises
Blog Content
Webinars
Podcasts
Newsletters
Process Guidelines
Incident Response Plans
Communication Guides
Setting Expectations
It’s critical to incorporate cybersecurity education into your service offering, as human error is one of the more
overlooked—and arguably most vulnerable—elements in your customers’ IT environments.
Here are some additional examples of the types of training and
documentation you can provide to your customers:
Five Forces That Drive a Successful Managed Security Services Offering
11. 11
DRIVING FORCE 3
Today’s Changing Threat Landscape
The rapid growth in frequency, complexity and severity of cyberattacks in recent years has
completely changed the face of the IT service provider market.
SMBs are facing security breaches and attacks that (on average):
Lack of Skilled
Employees
Lack of Budget
Lack of Security
Awareness
The Biggest Obstacles to
Stronger Cybersecurity
Among SMBs
Decrease Revenue by 9%
33%
Reduce Employee
Productivity by
41%
Disrupt Business
Activities by
Disrupt Business
Activites by
Reduce Employee
Productivity by
Decrease in
Revenue by
41% 33% 9%
Source: Cybersecurity Trends Report 2017
Five Forces That Drive a Successful Managed Security Services Offering
12. 12
While many SMBs think they are too small to be of any interest to cybercriminals, the reality is that they are
quickly becoming prime targets in today’s market—and are often used as the gateway through which cyber
attackers can permeate bigger data. More than 70 percent of attacks target small businesses, according to
National Cyber Security Alliance. Furthermore, an Aberdeen Group study shows that businesses with 1,000
employees or less have a 90 percent likelihood of having a data breach costing more than $216,000—and
according to SMB Group, 62 percent of hacked SMBs go out of business within six months of a successful attack.
Today, being in business is virtually synonymous with managing risk and vulnerability—and as a service provider,
your customers are looking to you to provide them with the latest information, updates and best practices
to maintain proper security and data protection. MSPs need to understand their customers’ security needs,
the landscape around them, and their current protection capabilities when developing security strategies for
clients.
To do so effectively, MSPs must remain vigilant and hyper-aware of emerging threats, vulnerabilities and
changes in today’s security landscape. Regularly consuming information, leveraging vendors and third-party
relationships, subscribing to security-focused blogs, podcasts and other content are all great ways to stay ahead
of the curve and ensure you’re prepared to provide real-time notifications and education to your customers.
DRIVING FORCE 3
Today’s Changing Threat Landscape
62 percent of hacked
SMBs go out of business
within six months of a
successful attack.
“
Five Forces That Drive a Successful Managed Security Services Offering
13. 13
DRIVING FORCE 4
Your Go-To-Market Strategy
In The Art of War, Sun Tzu says that victorious warriors win first and then go to war—while
defeated warriors go to war first and then seek to win. And while Sun Tzu’s wisdom is designed
for the battlefield, the quote perfectly illustrates the idea that MSPs must develop a strong go-to-
market strategy and action plan before beginning to pitch cybersecurity services to customers
and prospects.
First, it’s important to remember that security isn’t just one thing—it’s a combination of many
things, and needs to be presented as such. Many providers have historically defined security as
a one-size-fits-all concept, leading customers to assume that simply plugging into the “solution”
will keep them 100% secure. This approach sets false expectations for the customer, and puts
both parties at a disadvantage; providers should instead be very specific and prescriptive with
both the solutions that comprise their security offering and the way they are packaging and
presenting those solutions to customers.
And unlike other services which provide immediately tangible benefits for a customer, security
is actually providing protection from potential events; in that sense, security can be viewed as a
type of insurance for the SMB. Its important that MSPs actively inform and shape their customers’
view of security, and also help them understand the hard costs associated with things like
regulatory fines and downtime.
It’s important to remember that
security isn’t just one thing—
it’s a combination of many
things, and needs to be
presented as such.
“
Five Forces That Drive a Successful Managed Security Services Offering
14. 14
DRIVING FORCE 4
Your Go-To-Market Strategy
Define your target audience & customer base and
leverage buyer personas when possible
Build value & education through collateral including
blog posts, datasheets, eBooks, etc.
MSPs should also remain cognizant of their competitors’ offerings and look to maintain a
competitive edge in the market—but it’s important not to compete on price alone, or look to
mirror exactly what your competitors are offering to achieve parity with their services. Look
instead for opportunities to stand apart and differentiate from the crowd; this can include
vertical or geographic specialization, bundled value in your packaging or pricing structure
and other tactics.
Start with low-hanging fruit (existing customers,
known prospects and referrals)
Establish tangible lead goals & funnel metrics that
can be tracked, analyzed and optimized
Be concise, consistent & deliberate with messaging
across all marketing and sales channels
Leverage environmental assessments and scans
to measure risk and educate customers
Build strategic security plans and guidelines to
help customers remove unacceptable risks
Here are some additional exercises and best practices to keep in mind when
developing your go-to-market strategy for security:
Five Forces That Drive a Successful Managed Security Services Offering
15. 15
DRIVING FORCE 5
The Widening Skills Gap
The lack of affordable security experts and cybersecurity professionals in the MSP community
today is staggering. There’s been a skills gap and labor shortage in the IT channel for some time
now, but security has elevated the problem significantly—and many service providers today are
scrambling to figure out how to deliver effective service to support the security technologies
they’re selling.
A recent report predicts that the global cybersecurity workforce will have more than 1.5
million unfilled positions by 2020—and as more MSPs enter this space, the need for skilled and
experienced security professionals will undoubtedly expand as well.
Clearly, hiring a full staff of security professionals with the right skills, experience, certifications
and capabilities required to support any customer is no small task; and being able to find, afford
and retain that type of talent simply isn’t feasible for the average service provider. This forces
MSPs to be very selective with the personnel they seek out, which can make it difficult to
provide a wide breadth of security services to customers—and it’s why many service providers
are looking at outsourcing or leveraging third-party resources as a means of enhancing their
security service capabilities.
The global cybersecurity
workforce will have more
than 1.5 million unfilled
positions by 2020.
“
Five Forces That Drive a Successful Managed Security Services Offering
16. 16
In the managed services market, there’s no longer a question of whether or not MSPs should be
building cybersecurity services into their portofolio—it’s now just a question of how best to design
and deliver these offerings to clients and customers. MSPs who fail to properly address security
within customer environments will likely struggle to sustain a healthy business in the next few years.
The SMB is largely unprotected from the growing list of risks, threats and vulnerabilities that exist
in modern IT environments, and your customers are looking to you to be the trusted advisor and
expert they need to stay ahead of the curve and remain as secure as possible.
The five driving forces outlined in this eBook must all be considered as MSPs look to build their own
security offerings—and while there are a number of significant security-driven challenges facing
service providers today, MSPs simply cannot afford to ignore security or they’ll risk losing customers.
Conclusion
Continuum Fortify enables MSPs to deliver a complete, end-to-end cyber security offering without having to build and maintain in-
house operations. The solution combines powerful software with a suite of SOC services to deliver both foundational security and
highly advanced protections for SMB customers—including endpoint management, SIEM, advanced threat intelligence and the
capabilities and reporting required to ensure compliance in modern business environments.
Continuum Fortify: A Profitable, Scalable Approach to Cybersecurity
MSPs who fail to properly
address security within
customer environments will
likely struggle to sustain a
healthy business in the
next few years.
“
Five Forces That Drive a Successful Managed Security Services Offering
Learn More About Continuum Fortify