5 MSP Profit Margin Killers: What to Avoid in Cybersecurity

Adrien Gendre

June 24, 2021

Like any other aspect of your service offering, you need to carefully craft and position your cybersecurity services if you’re going to realize a healthy profit margin. But unlike other aspects of managed service provider (MSP) business, a well-packaged cybersecurity offering requires that you pay attention to the unique features of the cybersecurity space.

Clients don’t always appreciate the need for cybersecurity, configuration and maintenance can take significant time, and accidentally choosing an inferior solution can leave massive gaps in your clients’ security posture. When improperly executed, your cybersecurity strategy could be a serious drag on margin.

We’ve worked with many MSPs over the years on their cybersecurity offerings. The most successful ones avoided these five pitfalls when providing cybersecurity services.

1. Price tag myopia

A low price tag is important, but it’s nowhere near as important to MSP profit margins as efficacy.

Solutions that come at a low price point often aren’t being regularly updated and developed—since cybersecurity solutions defend against active adversaries, that means their vulnerabilities are quickly uncovered and left exposed, leaving you and your clients open to attack.

When these attacks happen, it’s an all-hands-on-deck scenario. Your technicians will be busy trying to evaluate the scope of the breach, patching vulnerabilities, assessing damage and more for weeks or even months. That’s less time they have to spend on client-facing, revenue-generating activities.

And if your clients lose valuable proprietary data or face a ransomware attack, it could delay their growth or even shutter their business entirely, which means one less account for you. Even if they do survive the attack, it puts your relationship with them at risk.

All of this is to say that the whole cost of a cybersecurity solution isn’t always captured by the price tag; some of it comes in the form of increased risk. And some comes in the form of your time, too.

2. Not considering time on tool

In addition to how much a given tool improves your clients’ overall security posture, it’s important for MSPs to think about the actual workflow involved in setup and maintenance.

As an example, we can look at the class of solutions known as secure email gateways (SEGs). Ignoring, for the time being, the fact that SEGs aren’t very effective at defending against the kinds of attacks facing Office 365 users, they also take up a lot of your time. In order to configure and maintain an SEG, a technician needs to update the mail exchange (MX) record, manage quarantined emails, monitor for new threats, address the high false-positive rate endemic to this class of solution and so on.

But SEGs are widely available, commonplace tools with an attractive sticker price. The result is that many MSPs choose to implement SEGs, even though they lose significant margin to maintenance requirements.

Another important factor to consider is how much time a given solution will take at scale. If you’re a smaller MSP and a given solution takes an hour or two to configure with another 30 minutes or so of weekly maintenance, then you might view that as acceptable. But what happens when your client base grows to the dozens or higher?

MSP profit margins are built on time—time to improve your tech stack, time to put out fires, time to market and grow, and time to nurture your client relationships. When MSPs select solutions without considering the time it takes to set up and maintain them, they’re shooting their profit margins in the foot.

3. Leaving gaps in the security stack

Managing a full stack of security solutions might seem like it’ll eat up all of your time, but realistically, providing for only a segment of Microsoft 365’s cybersecurity needs is like locking your front door but leaving your window open. Considering the costs of a data breach or ransomware attack, it's far more prudent in the long run to invest in full, comprehensive coverage.

As an overview, you’ll want to find security solutions for:

  • Email: It’s the most common attack vector, and email security requires end users to make smart decisions. Anything that can help minimize phishing attacks and show end users who they can trust helps reduce the load on all the rest of your security infrastructure.
  • Firewalls: Firewalls are a vital defense for your clients’ network perimeters. Without one, there’s little point in providing security at all.
  • Endpoint security: Each device on the network needs its own security layer; otherwise, it’s just a matter of a threat actor getting lucky and compromising an unsecured device.
  • Backup/data loss prevention (DLP): If a ransomware attack does manage to penetrate your security, having all of your systems backed up and a DLP system in place could be the key to taking the attacker’s leverage away.
  • DNS filtering: DNS filtering lowers the chances that your clients’ websites will be targeted by an attack and reduces the number of phishing attempts your email security solution will need to address.

Picking the right security stack is nothing to take lightly. If you want to dive deeper into this topic, review our blog, Transitioning to Managed Security Services: Choosing Your Security Stack, to learn more.

4. Being allergic to marketing

Many MSPs got into their line of work because of an affinity for finding answers, solving technical problems, and their interest in emerging technologies. As a result, marketing and sales can feel like a tedious part of their job. But marketing their services well is essential for MSP profit margins.

Rather than think of it as marketing, a helpful trick is to think of it as education.

For example, many small- to medium-sized businesses (SMBs) aren’t even aware that they need cybersecurity. In part, this is because data breaches are only reported when they occur to a major player in the market. Consider the fact that only 30 percent of SMBs are concerned about ransomware, while 60 percent of the MSPs protecting those SMBs reported facing ransomware attacks. According to the FBI’s IC3 report, ransomware attacks caused $29.1 million in losses in 2020 — many of which were incurred by SMBs.

Building a communication strategy that explains the risk, demonstrates why cybersecurity services are valuable, and shows what makes you different is key. Effective marketing isn’t about pushing your services onto prospects; it’s about educating your audience on why your services are merited. Doing so ensures that you’ll grow your client base and generate ROI on your cybersecurity investments.

5. Missing the partner for the product

As with any technically sophisticated product, you also purchase a relationship alongside your cybersecurity solution. It’s important that the vendor has a good track record in support, fluently answers your questions during the buying process, and offers additional services, like integration and configuration, positioning and marketing support, and other non-traditional services alongside their product.

Whoever you select for your cybersecurity must treat you as a partner in an ongoing relationship, not as a completed sale. If their position is to treat customers as the latter, then there’s little reason for them to help you with your challenges down the road beyond the fear of a bad review. If they fall in the former camp, they’ll want to invest time in ensuring that you’re using their product to its fullest potential.

Careful consideration is key

When it comes to cybersecurity, MSP profit margins ultimately depend upon careful planning and consideration; it’s not the sort of thing that can be improvised. That’s especially true for MSPs selling Microsoft 365 services—but those MSPs that do build a strategic cybersecurity offering for Microsoft 365 stand to reap the rewards.

To learn more about why cybersecurity is driving business growth for MSPs, how to offer managed security services, and how to consolidate your cybersecurity tech stack, read our new eBook The Channel Opportunity With Microsoft 365.

In it, you’ll find guidance for MSPs looking to provide managed security services with an eye towards growing their margins.