5 MSP Profit Margin Killers: What to Avoid in Cybersecurity

This post has been updated since it first appeared in June 2021.

Like any other aspect of your service offering, you need to carefully craft and position your cybersecurity services if you’re going to realize a healthy profit margin. But unlike other aspects of managed service provider (MSP) business, a well-packaged cybersecurity offering requires that you pay attention to the unique features of the cybersecurity space.

Clients don’t always appreciate the need for cybersecurity, and inferior solutions can cut into your productivity and leave massive gaps in your clients’ security posture. When improperly executed, your cybersecurity strategy could be a serious drag on margin.

We’ve worked with many MSPs over the years on their cybersecurity offerings. The most successful ones avoided these five pitfalls when providing cybersecurity services.

1. Price tag myopia

A low price tag is important, but it’s nowhere near as important to MSP profit margins as efficacy.

Solutions that come at a low price point often aren’t being regularly updated and developed—since cybersecurity solutions defend against active adversaries, that means their vulnerabilities are quickly uncovered and left exposed, leaving you and your clients open to attack.

When these attacks happen, it’s an all-hands-on-deck scenario. Your technicians will be busy trying to evaluate the scope of the breach, remediating threats and assessing damage for weeks or even months. That leaves less time to spend on client-facing, revenue-generating activities.

And if your clients lose valuable proprietary data or face a ransomware attack, it could delay their growth or even shutter their business entirely, which means one less account for you. Even if they do survive the attack, it puts your relationship with them at risk.

The true cost of a cybersecurity solution isn’t always captured by the price tag. It also includes risk and your time.

2. Not considering time on tool

In addition to how much a given tool improves your clients’ overall security posture, it’s important for MSPs to think about the actual workflow involved in setup and maintenance.

As an example, we can look at the class of solutions known as secure email gateways (SEGs). Ignoring, for the time being, the fact that SEGs aren’t very effective at defending against the kinds of attacks facing Office 365 users, they also take up a lot of your time. In order to configure and maintain an SEG, a technician needs to update the mail exchange (MX) record, manage quarantined emails, monitor for new threats, address the high false-positive rate endemic to this class of solution and so on.

But SEGs are widely available, commonplace tools with an attractive sticker price. The result is that many MSPs choose to implement SEGs, even though they lose significant margin to maintenance requirements.

Another important factor to consider is how much time a given solution will take at scale. If you’re a smaller MSP and a given solution takes an hour or two to configure with another 30 minutes or so of weekly maintenance, then you might view that as acceptable. But what happens when your client base grows to the dozens or higher?

MSP profit margins are built on time—time to improve your tech stack, time to put out fires, time to market and grow, and time to nurture your client relationships. When MSPs select solutions without considering the time it takes to set up and maintain them, they’re shooting their profit margins in the foot.



3. Leaving gaps in the security stack

Most MSPs recognize the necessity of providing security services to their clients. Yet many also remain uncertain about the exact solutions to choose for their security stack. Considering the costs of a data breach or ransomware attack, MSPs stand to benefit from investing in solutions that provide multi-layered protection.

As an overview, you’ll want to find security solutions for:

  • Email: Email is the top attack vector, and it’s becoming even more attractive to hackers with the rise of productivity suites such as Microsoft 365 and Google Workspace. Email gives hackers multiple channels for exploiting end users, highlighting the need for robust email security. Email security is an essential component of your security infrastructure to protect against advanced phishing, spear phishing, and malware.
  • Firewalls: Firewalls are a vital defense for your clients’ network perimeters. Without one, you leave your clients at risk.
  • Endpoint security: Endpoint security provides each device on the network its own security layer to prevent threat actors from compromising an unsecured device.
  • Backup/data loss prevention (DLP): If a ransomware attack does manage to penetrate your security, having all of your systems backed up and a DLP system in place could be the key to taking the attacker’s leverage away.
  • DNS filtering: DNS filtering lowers the chances that your clients’ websites will be targeted by an attack and reduces the number of phishing attempts your email security solution will need to address.

Related content: 5 Questions to Ask When Choosing an Email Security Solution

4. Being allergic to marketing

Many MSPs got into their line of work because of an affinity for finding answers and solving technical problems, and an interest in emerging technologies. As a result, marketing and sales can feel like a tedious part of their job. But marketing their services well is essential for MSP profit margins.

Rather than viewing it as marketing, MSPs should look at it as education.

According to the Verizon Data Breach Investigations Report 2023, small- to medium-sized businesses (SMBs) are 42% and 69% more likely to experience a security incident or data breach than large enterprises, respectively. SMBs now share attack surfaces similar to those of large enterprises with the adoption of similar digital tools and infrastructures. Still, SMBs continue to lack the cybersecurity resources and maturity of their large counterparts. They also tend to underestimate their cyber risk and the motivations of hackers to target them.

That’s why you should develop a communication strategy that explains the risk, demonstrates why cybersecurity services are valuable, and shows what differentiates you from competitors. Doing so can help you grow your client base and generate more ROI from cybersecurity.

5. Missing the partner for the product

As with any technically sophisticated product, you also purchase a relationship alongside your cybersecurity solution. It’s important that the vendor has a good track record in support, assists you throughout the buying process, and offers additional services. These services should include integration and configuration, positioning and marketing support, and other non-traditional offerings.

Whoever you select for your cybersecurity must treat you as a partner in an ongoing relationship. They should show a commitment to ensuring that you leverage their solution to its fullest potential.

MSP profit margins: Careful consideration is key

When it comes to cybersecurity, MSP profit margins ultimately depend upon careful planning and consideration. That’s especially true for MSPs selling Microsoft 365 services. Those that build a strategic cybersecurity offering for Microsoft 365 stand to reap the rewards.

If you’re ready to take the next step toward managed email security, consider Vade for M365, a collaborative email security solution for Microsoft 365 that is made for MSPs. Integrated and low-touch, the solution provides AI- and human-powered threat detection, cross-tenant incident response, automated and personalized phishing awareness training, and more.
