Ian Thornton-Trump

By Ian Thornton-Trump

This is one of two columns looking ahead at factors that will affect the managed security services market.

As discussed in my companion column, digital and managed-service delivery trend lines point to cloud-migration projects, SaaS-delivered services and security-as-a-service solutions for customer compliance as high-growth opportunities.

Deliver those three together and you’re poised for a great leap forward into expansion and growth — if your business-management processes and systems can keep up.

While native digital service providers weaned on MRR might have a simpler time of it, established MSPs tend to have a wide range of input costs and billing models in use. And if they’re not careful, resellers and DSPs adding their own managed services can fall prey to confusion. If you are going to start delivering migration projects and expand your security services for clients, you must become serious about tracking and managing your business.

Many MSPs have hybrid arrangements, with some customers in a traditional break-fix services model, commonly called Time & Materials (T&M), and others in a “pure-pay” MSP model, which is fixed service, per-seat pricing. As you grow, every customer you bring in the door will have different needs; core services may be at a fixed monthly price, but projects remain T&M. Security add-ons like incident response, which I discuss here, add another layer of pricing confusion, as do those panicked “security 911” calls.

The actual running of an MSP business (and reporting profitability) becomes more complicated when tracking the input costs to service delivery, along with the costs of delivering services themselves.

The more you can deliver in a SaaS model, the better cash flow tends to be. But not every billing scenario falls comfortably into the monthly bucket. The cost of servicing a typical client (or various client profiles) is one of the better metrics against which to measure success. However, when you adjust for different billing models, understanding your profit-and-loss situation, especially per customer, becomes very complicated. Look for a PSA platform that has the flexibility to track, input, manage and distribute costs for, as an example, your RMM or DLP solution across your customer base no matter the billing model, which might be:

To add further complications, there might be …

… different country and regional taxes and spiffs or rebates applicable to some services and not others. When you factor in the inevitably rising monthly, yearly and quarterly costs of delivering IT security services, the proliferation of different billing models can complicate the “cost per customer” or “cost per employee” calculation.

What really matters: Knowing how many hours and dollars it takes to service a customer.

This insight can bring to light problems that were once buried in spreadsheets. Maybe you are spending too many hours or too much money on one customer; maybe it’s time to look at a new product, employee, service or even sever some customer relationships to bring that input cost into line.

“Good customer service is all about consistency” — Jacada Autonomus CX

This service-delivery rule seems so simple in statement, but in my experience is the hardest thing to do in practice. No two customers are the same. If you are like most service providers, you have a range of hardware and software – some of it legacy – to support. As your services business evolves, you will negotiate one-off deals with suppliers and customers. It’s the nature of sales.

How will you deliver consistent service when you have inconsistent contracts?

I have seen service providers with between five and 10 customers fall prey to confusion, project-scope creep, inaccurate documentation, ad hoc billing and even not remembering what services are being delivered to a specific customer. It’s certainly true that more customers equal more problems, especially if you are not able to adapt. Translating yearly cost models or pay-as-you go SaaS solutions based on a customer or user count is also complicated and can result in an unending cycle of account credits and debits.

While reining in years of out-of-control billing processes is beyond the scope of this column, what you can do is decide on one model and stop digging the hole deeper. Strive for operational efficiency wherever you can instill it. Stop comparing apples to oranges in contracts. As you gear up to deliver security as a service for customer compliance, standardize the way you bill for those services. For example, waiting 30 or 60 days for a payment check on an invoice in an arrears billing model presents all sorts of problems for a growing provider who must maintain a positive cash flow to support an expansion of the customer base. With the huge diversification in payment options, from bank transfers to PayPal and leveraging direct credit card billing to gain loyalty points, there’s no reason for paper changing hands.

Ian Thornton-Trump, CD, CEH, CNDA, CSA+, is an ITIL-certified IT professional with 20 years of experience in IT security and information technology and a cybersecurity consultant with Harmony PSA. As the Cyber Vulnerability and Threat Hunting Team Manager for Ladbrokes Coral Group plc., Ian has an in-depth understanding of the threats small, medium and enterprise businesses face on a daily basis.