By Bob Layton

Bob Layton

Sometime in the next year, people will start returning to their offices, which may or may not look different. There may be a lot less leased space than when workers dispersed suddenly in March 2020, or it may be the same real estate footprint with reconfigured layouts. No one really knows yet. But there are some things we do know:

Employees who formerly worked on a single corporate network controlled by IT spent the last year working remotely on a jumble of networks beyond their companies’ oversight or control. There’s no telling how much malware and dangerous junk their devices – their endpoints – will be bringing back. There may not even be an IT team onsite since IT dispersed when everyone else did. The companies’ workloads and critical applications may not be in a wiring closet or data center anymore, since they, too, dispersed suddenly – to the cloud.

Meanwhile, broad media coverage of the SolarWinds hack – in which adversarial nation-state hackers penetrated multiple U.S. government agencies and private corporations for reasons that remain chillingly unknown – has created an atmosphere of heightened cybersecurity awareness.

Managed service providers (MSPs) will be expected to protect their clients from this forbidding, roiling tangle of unknowable threats. Welcome to the Brave New World of Risk for MSPs.

MSPs as Insurance Companies, Only Better

If you took a short elevator ride with an insurance executive (when multiperson elevator rides were possible) and asked, “What does your industry do?” the answer would be: “We manage risk.” That’s MSPs’ business, too, but with a crucial difference: insurance companies crunch mountains of data to determine how likely all sorts of mishaps may be – from dented fenders to home-destroying conflagrations to death – but they can’t do much to mitigate that risk. MSPs can mitigate customers’ cybersecurity risk as well as manage it and should price their services accordingly.

In my last post, MSPs at an Inflection Point: How to Make the Most of Historic Changes, I noted the MSP industry, like many other industries, experienced a decade of evolution condensed into one pandemic year. Since everything has changed but our way of thinking, I urged MSPs with a life wish to change their way of thinking – from selling price to selling value. Do MSP clients want a “bargain” that can end up costing them their business?

As Forrester analyst Jay McBain told me on a recent podcast, the $113/month/per user industry standard “checks the box just for antivirus and firewall and makes basic cybersecurity a line item inside that $113. Now the world is very different. There’s no way to fit what’s needed for security into $113 per month per user. It’s time for a whole new, separate conversation about security as a managed service.”

It’s incumbent on MSPs to take a leadership position managing and mitigating risks for their clients in the post-pandemic world. In addition to the nightmare scenario of millions of workers returning to company networks with endpoints that have spent the last year in the cyber-jungle, MSPs must educate clients reluctant to adhere to logical security policies and protocols as they sail into the mystic unknown.

In my MSP career, I’ve had several clients whose executives refused to comply with requirements for complex passwords or multifactor authentication. The CEO of one client company insisted on using the password “123ABC.” He argued he was too busy, too important, to “waste time” trying to remember a complex password or use multifactor authentication. This story, sadly, is not rare.

As an industry, MSPs need to be bluntly …

… honest with clients, alerting them of the upcoming train wreck. “Your company must be more cybersecurity-aware. Yes, it’s going to take you longer to log on. Yes, you might have to use your cellphone for a second stage of authentication. But what’s more important, convenience and executive privilege, or the alternative?”

What’s the C-Suite’s Primary Job?

What, at the fundamental level, is the job of a company’s executives? Creating a vision, growing the business, protecting employees and customers, delivering on the brand promise through business strategy, and executing that strategy. Part of this Tier 1 roster of responsibilities must be taking cybersecurity into account. Too often, I hear executives say, “Hey, I don’t have anything of great value. Why would anyone target me?” Just check your news feed.

It’s definitely time for Jay McBain’s “separate conversation” between MSPs and their customers about managed security services. Security is simply too important to whittle its layers down in MSP stacks to stay within $113/month/per user. It might cost MSP customers an extra $25 or even $50 per month per user to secure themselves appropriately in the new and increasingly threatening business world, but customers must weigh that extra cost against the risk of catastrophic loss and business discontinuity.

The new conversation will give MSPs a chance to refresh their historic message, which was, “We’ll manage your mess for less.” The important selling point now is business relevance – relevance in driving better business outcomes, speed to market, ease of use, user experience and true partnership with customers.

Of course, this new conversation will put pressure on MSPs to prove the value of everything they sell. That’s a good thing. It’s what customers deserve.

MSPs might be reluctant to talk about raising prices (Oh, the customer arguments you’ll have!). Beyond the simple good business practice of offering customers real value rather than just a low price, however, there’s a silver lining: During the pandemic, subscription-based businesses have grown six times faster than S&P 500 companies, according to the Subscription Economy Index.

An era of growing risk to customers can also be an era of growing opportunity for subscription-based MSPs that offer rationally priced protection against risks that threaten their customers’ security, business continuity, even their very existence.

Bob Layton is chief revenue officer of HelpSystems company Digital Defense Inc., a leader in vulnerability management and threat assessment solutions. He has more than two decades experience in sales, from the field to spearheading a global go-to-market channel strategy and operating plan. You may follow him on LinkedIn and @Digital_Defense on Twitter.