Tips for MSPs on Starting, Growing an Established Cybersecurity Practice

Nearly one-third of companies in a recent survey said they use third-party firms with a dedicated cybersecurity practice.

Esther Shein, Contributing Editor

March 8, 2024

Cybersecurity is no longer optional in businesses of any size. With ransomware and cyberattacks at unprecedented levels, many businesses rely on their IT service providers for help, and if they don’t have the wherewithal, they risk losing business.

Nearly one-third of companies said they use third-party firms with a dedicated cybersecurity practice, according to CompTIA’s State of Cybersecurity report.

Some 51% of organizations said they planned to increase investments in security due to a breach, including incident response planning and testing, employee training, and threat detection and response tools, according to IBM’s 2023 Cost of a Data Breach Report.

Even though some general-purpose MSPs may offer some level of cybersecurity services, experts say it’s no longer enough to just provide the basics, like firewalls and antivirus protection, given the increased sophistication of attacks. They need to up their game.

“We’ve been seeing for some years now the prominence of cybersecurity in terms of demand by customers,” said Carolyn April, vice president of industry research at CompTIA.

Most MSPs now offer antivirus protection, firewalls, and backup, she said, but customers are paying greater attention to what is happening with their data, and MSPs have to elevate their security service offerings.

“Cybersecurity is the big practice, so if your MSP is just stuck with basics, you could be at a disadvantage to an MSSP, for example, who has decided to make it their entire practice,” April said.

MSPs not offering cybersecurity will only ever be able to work with a certain type of customer — who isn’t asking about cybersecurity because they typically aren’t aware of the overall value of IT managed services, noted Robin Ody, principal analyst of MSP analysis, Canalys.

“If you aren’t working in cybersecurity managed services in some way, you are leaving value on the table,” Ody said. “Cybersecurity is growing higher than some other managed services, so you will be losing potential revenue.”

For example, one of the biggest areas of growth is managed detection and response (MDR), which Canalys estimates will grow 50% in 2024. This growth is partly due to growing customer awareness, which is driving demand, he said.

‘Doing Nothing Is Not an Option’

Security is a key part of the value proposition at Netgain (a 2023 Channel Futures MSP 501 honoree), an IT services provider that focuses on health care, CPAs and legal. CEO Sumeet Sabharwal said his company looks at security as something that is constantly evolving. Netgain came out with a managed extended detection and response (XDR) service in 2023. Today, it is also “an absolute necessity” to incorporate AI and machine learning into a monitoring platform, Sabharwal said. Social engineering and the human factor are the two areas that continue to trip people up from a security perspective, he said.

Netgain’s competitive advantage is in providing full security managed services, he said, which provides “a tightly coupled experience” when there is a real threat and time is of the essence to mitigate it.

“Doing nothing is not an option,” Sabharwal said.

MSPs that don’t offer more advanced security services should partner with an MSSP, he said. Or, they need to invest in upskilling existing staff.

From CompTIA survey responses, MSPs have stated that to grow revenue in the year ahead, they need to “double down on investments in cybersecurity skills,” April said.

“They know they are at a competitive disadvantage and many are taking steps to do so,” she added.

“Plenty of MSPs are hiring and retraining their existing staff and making new alliances with vendors in the cybersecurity space,” said April. “I don’t think it’s lost on many MSPs today that … almost any product and service has to have some security conversation around it.”

Customers may not know to ask, but providers should educate them on how to secure their applications and users, she stressed.

View Your Stack Through a Cyber Lens

If customers are asking you about cybersecurity and you don't know where to start, the simple answer is to research what others are doing, Ody said.

“Most partners could offer Microsoft Defender as a starting point, along with a basic EDR and MDR package,” he said. These packages don’t require that the MSP be an expert, he noted, “but once you get started on the journey you will quickly learn as a partner what is right and wrong.”

“Ultimately, cybersecurity managed services is not just about what tools to sell or building a SOC and becoming an expert,” Ody said. “It is about viewing your customers through a risk lens: Where are the risks? And what are the possible mitigations or post-event remediation strategies you can imagine?”

Partners increasingly are being asked to get cybersecurity certifications, so they should use these processes as starting points for their own offerings to customers, he advised.

“Once an MSP sees its stack through a cyber lens, every MSP becomes a cyber MSP,” Ody said.

If you don’t take cybersecurity to the next level, you’re reducing your value proposition, Sabharwal said.

“A lot of clients today want a provider with a certain level of sophistication,” he said. Without that, “you’re leaving money and value on the table. These are services that get layered in for more dollars, and we’re delivering more value.”

General-purpose MSPs must do an honest assessment of their capabilities and what they can feasibly do, Sabharwal said.

“A lot of MSPs choose to partner, and that’s not a bad option,” he said.

If they opt for that route, they must be willing to do the hard work integrating a third party into their core business, not just from a marketing perspective, but from a process standpoint, he said.

“That’s where the rubber meets the road,” asserted Sabharwal.

Often when an MSSP provides cybersecurity services, that fills a skills gap for the general-purpose MSP and the MSSP gains new business, so it’s a win-win for both, April said.

About the Author(s)

Esther Shein is a longtime freelance journalist who specializes in writing about tech and business. Her work has appeared in several online and print publications. She was previously the editor-in-chief of Datamation and a senior writer at eWeek (formerly PC Week).
