5 Mistakes MSSPs Should Avoid

MSSPs, or managed security service providers, are at an exciting point where market acceptance, awareness and demand have converged. I view this as a positive for a potential MSSP but also for the customers and businesses they will protect, enhancing security for everyone. However, excitement and the prospect of profits can create haste, and with haste comes an increased risk of mistakes.

In my role at AlienVault, I’ve been fortunate enough to work with and help ensure the success of a number of our MSSPs. Following are five mistakes that I recommend every MSSP avoid in order to be successful:

1. Selling a Product, Not a Service

This is not number one by alphabetical order or through some entropic process; it is, in fact, the most prevalent hindrance I see. I often encounter MSSPs pitching certain vendors or highlighting some new whiz-bang feature of a product. But technology is cool! It sells! Sure, it sells a product, but you don’t sell products; you sell services. Let’s say the water starts leaking in your house. Do you run to the Internet and google, “Why is my water leaking?” No, you Google “plumbers near me.” You call experts and they say, “Yes, I am qualified to fix that problem!” They don’t say, “Well, I just bought this cool new wrench. It has 15 adjustments. Do you want me to use it?” Customers want a service or, more accurately, they want assurance–assurance they are protected from the latest threats to their infrastructure so they can focus on their business. Technology changes, products come and go, but expertise is constant. Commitment to expertise is the foundation of any service. Sell yourself and that commitment; let the vendors sell products.

2. Waiting for the Right Customer, or Just Waiting

Did I mention the market? Avarice aside, there are far more consequences to waiting than just profits. Waiting for the “right” customer is a mistake. What would the right customer be? Let’s see: The right customer pays you a lot; never has alerts; comes direct to you; never complains … Even without sarcasm you know this “right” customer is a fairy tale. There, most assuredly, are “wrong” customers for a growing business, but refinement of that choice comes from experience–something waiting doesn’t provide. I also encounter MSSPs waiting for their platform to be stable or for marketing materials to be created–almost treating these things like a serial process with one contingent on another. Waiting on sales? Beta test with someone; dog food your service; start automating things. You don’t need two keys to launch the missile here.

3. Not Automating

Those who have heard me prattle on about the merits and wonders of automation know that I have a rule: “Do it twice and never again.” Why such intolerance to repetition? Scale. How do MSSPs generate profit and increase margins? Scale. How do you grow your business and expand? Scale. Automation, especially process automation, is a key element to an MSSP’s ability to scale.

4. Not Creating Standard Offers or Straying from Them

Not sure if I mentioned scalability before, but it’s kind of important. Wait, no, it’s really important. Standardization is one of the pillars of scalability. We can go back to interchangeable parts, assembly lines, Internet protocols and languages for an analogy, but I’d rather discuss the alternative to standard offers. These are often referred to in the biz as “custom offers.” (If you didn’t cringe when you read that, you might not be in the MSSP business). Custom offers are a total nightmare in terms of technology, licensing, staffing, billing, revenue forecasting–actually, the entire business. Reducing variability makes an offer easy to repeat and deliver. When it comes to offer creation, just remember: Keep it simple and standard.

5. Not Hiring the Right Staff

I’m not referring to finding quality people (always do this) and the usual motivational talk banality, but about getting the right specialties in the door at the right time. Information security has expanded–so widely that the idea of the “generalist” is almost extinct. There just won’t be the “one” who can run an entire security operations center (SOC), conduct research, do turn-ups, automate, etc. …

Therefore, you must break out the functions of your MSSP and find experts for each specialty. In addition to “who” there is also “when.” Knowing when to scale staff and when to hire for new skills is certainly a challenge, but often exuberance can cause businesses to hire too early. Or stubbornness will cause them to hire only after a problem becomes untenable. I’d love nothing more than to share a formula with you on when to hire X for Y at Z, but businesses are dynamic and unique, which is a euphemism for: “You’re on your own with that.”

It’s often said that making mistakes is part of making progress, but it’s also said those that don’t learn from history will repeat it. Remember to focus on your service, keep it standard, and look at everything from a scalability perspective.

I’m on Twitter now: pkt_inspector

See more at: https://www.alienvault.com/blogs/security-essentials/five-mistakes-mssps-should-avoid#sthash.z2rckKdV.dpuf

Joe Schreiber is the Director of Solutions Architecture at AlienVault. He has been doing IT security since the days of dial–up. With his team at AT&T Managed Security Services, Joe built one of the world’s largest SIEM systems, bringing thousands of devices under real-time security management and monitoring more than 2 petabytes of network traffic daily. Joe has extensive experience working with across the globe with MSSPs of all sizes. Guest blogs such as this one are published monthly and are part of MSPmentor’s annual platinum sponsorship.