MSPs at an Inflection Point: How to Make the Most of Historic Changes

By Bob Layton

Bob Layton

Early in the Atomic Age, Albert Einstein observed, “Everything has changed but our way of thinking.” The same is true in the world of managed service providers (MSPs).

The coronavirus pandemic has already condensed a decade of evolution and disruption into a single year. During the pandemic, the subscription-based business model accelerated from trend to triumphant: subscription companies have grown six times faster than S&P 500 companies since the pandemic began, according to the Subscription Economy Index. And the so-called SolarWinds cybersecurity hack – so called because a third of its victims don’t actually use (subscription required) SolarWinds software – revealed staggeringly extensive network vulnerabilities MSPs must now defend for their clients.

Everything for MSPs has changed in little more than a year. And so must our thinking. To remain relevant and appealing to customers, MSPs must reimagine and rearchitect themselves around the central concept of risk. Price has always been central to the MSP discussion, but value is what successful MSPs sell. An era of growing risk to customers can also be an era of growing opportunity for MSPs – already surfing the subscription business model surge – to sell protection against risks that threaten their customers’ security, business continuity, even their very existence.

Flexible Security Pricing

In a recent podcast I hosted, Forrester analyst Jay McBain made a strong argument for new flexibility in what has long been an accepted iron rule in MSP pricing: $113 per month per user is all the market will bear. Those days are over if customers want the kind of security protection being demanded by their lawyers and boards of directors, McBain told me:

The $113/month/per user industry standard “checks the box for antivirus and firewall, and makes basic cybersecurity a line item inside that $113 per user. Now the world is very different. Security has seven basic layers and 17 necessary layers below that. There’s no way to fit what’s needed for security into $113 per month per user. It’s time for a whole new, separate conversation about security as a managed service.”

Each of us has a different story about how the pandemic has changed everything. From the point of view of a company providing vulnerability management for MSPs protecting their customers, the change has been from a single-network, essentially centralized workforce to a completely distributed workforce using heterogenous networks and multiple random ISPs. Providing corporate-level cybersecurity for the new distributed workforce is an entirely new ballgame.

When you add a new level of universal threat awareness triggered by the recent explosion of SMB ransomware and the deep and troubling government and corporate penetrations of the SolarWinds hackers, it’s easy to understand McBain’s belief that the all-in $113/month/per user MSP pricing paradigm – security included – is obsolete.

Growing Risks and Self-Defense

Which brings me back to the concept of risk. “Checking the boxes” to keep MSP prices at $113/month/per user, as McBain called it, is no longer enough. Antivirus and firewall, great. But can antivirus and firewall alone provide security strong enough to protect against the growing risks of doing business? Is a company willing to bet its existence on saying yes?

MSPs, in my view, have a lot to learn from the insurance industry because what MSPs are selling may feel like assurance but must be insurance. (More detail on this concept in a future article.) The days of buying and selling bits and bytes are over. What counts in the business world now is compliance, fiduciary responsibility, governance, business continuity and self-defense.

MSPs and their customers may put my face on a dartboard for saying this, but the events of the past year prove its time for McBain’s proposed secondary “separate” conversation about managed security services. Security is too important to whittle its layers down in MSP stacks to stay within $113/month/per user.

It’s time for MSPs and their customers to discuss security services and pricing separate and above what’s been industry standard for so long. It might cost MSP customers an extra $25 or even $50 per month per user to secure themselves appropriately for the new and increasingly threatening business world, but customers should weigh that extra cost against the risk of catastrophic loss.

Of course, this “secondary conversation” will put new pressure on MSPs to prove the value of everything they sell customers. Providing proof of value is a good thing. In the end, if everything has changed but our thinking, the wise reaction is to change our thinking.

Bob Layton is chief revenue officer of HelpSystems company Digital Defense Inc., a leader in vulnerability management and threat assessment solutions. He has more than two decades experience in sales, from the field to spearheading a global go-to-market channel strategy and operating plan. You may follow Bob on LinkedIn and @Digital_Defense on Twitter.