MSSPs, or managed security service providers, are at an exciting point where market acceptance, awareness and demand have converged. This is positive not only for a potential MSSP but also for the customers and businesses it will protect, enhancing security for everyone. However, excitement and the prospect of profits can create haste, and with haste comes an increased risk of mistakes. AlienVault, which has been fortunate enough to work with and help ensure the success of a number of its MSSPs, has identified five key lessons learned and mistakes every MSSP should avoid in order to be successful.
Common Pitfalls MSSPs Should Avoid
Selling a Product, Not a Service
This is not number one by alphabetical order or through some entropic process; it is in fact the most prevalent hindrance. Often, MSSPs pitch vendors they use or highlight some new whiz-bang feature of a product because technology is cool and it sells. Sure, it sells a product, but MSSPs don’t sell products, they sell services. Let’s say the water starts leaking in your house. Do you run to the Internet and Google, “why is my water leaking?” No, you Google “plumbers near me.” You call an expert and they say, “Yes, I am qualified to fix that problem.” They don’t say, “Well, I just bought this cool new wrench. It has 15 adjustments. Do you want me to use it?”
Customers want a service, or more accurately, they want assurance. Assurance that they are protected from the latest threats to their infrastructure so they can focus on their business. Technology changes, products come and go, but expertise is constant. Commitment to expertise is the foundation of any service. Sell yourself and that commitment; let the vendors sell products.
Waiting for the Right Customer or Just Waiting….
What about the market? Avarice aside, there are far more consequences to waiting than just profits. Waiting for the “right” customer is a mistake. What would the right customer be? Let’s see: Pays you a lot; never has alerts; comes direct to you; never complains… even without sarcasm, you know this “right” customer is a fairy tale. There most assuredly are “wrong” customers for a growing business, but refinement of that choice comes from experience, something that waiting doesn’t provide. AlienVault also encounters MSSPs waiting for their platform to be stable or for marketing materials to be created, almost treating these things like a serial process with one contingent on another. Waiting on sales? Beta test with someone, dog food your service, start automating things; you don’t need two keys to launch the missile here.
Not Automating
The merits and wonders of automation cannot be overstated, and AlienVault has a rule: “Do it Twice and Never Again.” Why such intolerance of repetition? Scale. How do MSSPs generate profit and increase margins? Scale. How do you grow your business and expand? Scale. Automation, especially process automation, is a key element to an MSSP’s ability to scale. The more you keep security researchers researching and analysts analyzing, the more customers they can help.
Not Creating Standard Offers or Straying from Them
Not sure if we mentioned scalability before, but it’s kind of important. Wait, no, it’s really important. Standardization is one of the pillars of scalability; we can go back to interchangeable parts, assembly lines, Internet protocols and languages for an analogy, but we’d rather discuss the alternative to standard offers. These are often referred to in the biz as “custom offers” (if you didn’t cringe when you read that, you might not be in the MSSP business). Custom offers are a total nightmare in terms of technology, licensing, staffing, billing, revenue forecasting… well, the entire business actually. Reducing variability makes an offer easy to repeat and deliver. When it comes to offer creation, just remember to keep it simple and standard.
The Right Staff
We’re not referring to finding quality people (always do this) and the usual motivational talk banality, but about getting the right specialties in the door at the right time. Information security has expanded so widely that the idea of the “generalist” is almost extinct; there just won’t be the “one” who can run an entire security operations center (SOC), conduct research, do turn-ups, automate, etc…
Therefore, you must break out the functions of your MSSP and find experts for each specialty. In addition to “who,” there is also “when.” Knowing when to scale staff and when to hire for new skills is certainly a challenge, but often exuberance can cause businesses to hire too early or stubbornness will cause them to hire only after a problem becomes untenable. We’d love nothing more than to share a formula with you on when to hire X for Y at Z, but businesses are dynamic and unique, which is a euphemism for “you’re on your own with that.”
It’s often said that making mistakes is part of making progress, but it’s also said that those who don’t learn from history will repeat it. Remember to focus on your service, keep it standard, and look at everything from a scalability perspective.