Five Mistakes MSSPs Should Avoid
MSSPs, or Managed Security Service Providers, are at an exciting point where market acceptance, awareness and demand have converged. I view this as a positive for a potential MSSP, but also for the customers and businesses they will protect, enhancing security for everyone. However, excitement and the prospect of profits can create haste, and with haste comes an increased risk of mistakes.
In my role at AlienVault, I’ve been fortunate enough to work with and help ensure the success of a number of our MSSPs. Following are five key lessons learned and mistakes that I recommend every MSSP avoid in order to be successful:
- Selling a Product, Not a Service
This is not No. 1 by alphabetical order or through some entropic process: it is, in fact, the most prevalent hindrance I see. Often I will encounter MSSPs pitching the vendors they use or highlighting some new wiz-bang feature of a product. But technology is cool! It sells! Sure, it sells a product; but you don’t sell products, you sell services. Let’s say the water starts leaking in your house. Do you run to the Internet and Google, “Why is my water leaking?” No, you Google “plumbers near me.” You call an expert and they say: “Yes, I am qualified to fix that problem!” They don’t say, “Well, I just bought this cool new wrench. It has 15 adjustments–do you want me to use it?” Customers want a service, or, more accurately, they want assurance–assurance they are protected from the latest threats to their infrastructure so they can focus on their business. Technology changes, products come and go, but expertise is constant. Commitment to expertise is the foundation of any service. Sell yourself and that commitment. Let the vendors sell products.
- Waiting for the Right Customer, or Just Waiting …
Did I mention the market? Avarice aside, there are far more consequences to waiting than just profits. Waiting for the “right” customer is a mistake. What would the right customer be? Let’s see: Pays you a lot; never has alerts; comes direct to you; never complains. Even without sarcasm, you know this “right” customer is a fairy tale. Most assuredly, there are “wrong” customers for a growing business, but refinement of that choice comes from experience–something waiting doesn’t provide. I also encounter MSSPs waiting for their platform to be stable or for marketing materials to be created. They treat these these things almost like a serial process with one contingent on another. Waiting on sales? Beta test with someone; dog food your service; start automating things. You don’t need two keys to launch the missile here.
- Not Automating
Those that have heard me prattle on about the merits and wonders of automation know that I have a rule: Do it twice and never again. Why such intolerance to repetition? Scale. How do MSSPs generate profit and increase margins? Scale. How do you grow your business and expand? Scale. Automation, especially process automation, is a key element to an MSSP’s ability to scale.
- Not Creating Standard Offers or Straying from Them
Not sure if I mentioned scalability before, but it’s kind of important. Wait, no–it’s really important. Standardization is one of the pillars of scalability. We can go back to interchangeable parts– assembly lines, internet protocols, languages for an analogy–but I’d rather discuss the alternative to standard offers. Often referred to in the biz as “custom”‘ (if you didn’t cringe when you read that, you might not be in the MSSP business), these offers are a total nightmare in terms of technology, licensing, staffing, billing, revenue forecasting … well, the entire business actually. Reducing variability makes an offer easy to repeat and deliver. When it comes to offer creation, just remember: Keep It Simple and Standard.
- The Right Staff
I’m not referring to finding quality people (always do this) and the usual motivational talk banality. I’m talking about getting the right specialties in the door at the right time. Information security has expanded so wide that the idea of the “generalist” is almost extinct; there just won’t be the “one” person who can run an entire security operations center (SOC), conduct research, do turn-ups, automate, etc. …
Therefore, you must break out the functions of your MSSP and find experts for each specialty. In addition to “who” there is “when.” Knowing when to scale staff and when to hire for new skills is certainly a challenge, and often exuberance can cause businesses to hire too early or stubbornness will cause them to hire only after a problem becomes untenable. I’d love nothing more than to share a formula with you on when to hire X for Y at Z, but businesses are dynamic and unique (which is a euphemism for “You’re on your own with that”).
It’s often said that making mistakes is part of making progress, but it’s also said those who don’t learn from history will repeat it. Remember to focus on your service, keep it standard, and look at everything from a scalability perspective.
This guest blog is part of a Channel Futures sponsorship.