There are a lot of shops out there billing themselves as managed security service providers (MSSPs). A lot. Who can blame them? Managed security isn’t a new concept by any means, but in light of all the headlines about data breaches, malware, ransomware and phishing attacks the last couple of years, SMBs and the midmarket are finally wising up to the need for something beyond the security basics. Well, a lot of them are, anyway. Those that aren’t will soon either come around or go out of business because they’d have to sell a kidney to get their data back from a cybervillain.

Just like “digital transformation” or “artificial intelligence,” no one seems to be clear on exactly what entitles an MSP to add that extra “S” in their designation. I’ve asked this question of dozens of cybersecurity professionals and gotten a wide range of answers. Some say it’s providing security awareness training and foundational security assessments and recommendations. Some say an MSSP has to offer some sort of end-to-end, detection-to-response comprehensive solution. And some have told me to stop being so picky and just let people stick that “S” in there if they want to. After all, isn’t a managed firewall or managed antivirus technically a managed security service? MSPs have been incorporating basic solutions like those since time immemorial (or at least the last couple of decades). Does that give them the right to “add the S”?

Ben Carr, chief information security officer at gaming company Aristocrat and former VP of strategy for security solutions provider Cyberbit, doesn’t think so.

“If I look internally at a program, I don’t necessarily even consider firewalls part of my security program anymore,” says Carr. “I consider that part of connectivity and networking. It’s in place and tangentially associated with security, but it’s really about connectivity.”

Ben Carr

Ben Carr

So if a managed firewall isn’t enough to give service providers a legit claim to managed security, what is? Carr says it isn’t some complicated mix of next-gen products and services. It’s pretty simple, actually. Security should be the partners’ core competency. It’s what they should build their practice on and bank their reputation on. They’ve got to be able to do more than talk about security in the same kind of layman’s terms they may use to explain cyberdefense to their clients. MSSPs should have an actual understanding of what they’re talking about, or be able to hire a whole bunch of people who do.

That last part, though, is easier said than done. Frost & Sullivan says we’re going to have 1.5 million unfilled cybersecurity positions by 2020. And that means that quality cybersecurity talent doesn’t come cheap. Security professionals are like the brain surgeons of the tech world. They know way more than we do, they’re way smarter than we are, and there are way fewer of them in the marketplace than we might like. That all adds up to big salaries.

Let’s say you’re a traditional MSP that wants to “add the S,” and you’re trying to figure out how in the world you’re going to afford to staff for it. There’s no way to do it so it’s both inexpensive and effective. But you don’t need to have the resources of Elon Musk, either. Carr says there are a couple of different ways to approach it. You can hire on a tiered model that puts a super-expensive senior cybersecurity analyst in charge of a team of junior people who are paid much less, focusing your energy on keeping that key hire happy and accepting likely churn (and misery) at the lower levels.

But maybe more effective – and slightly less medieval – is to find things to offer others can’t. A top graduate of a tier-one university program might get a very lucrative offer from, say, Visa, as an entry-level analyst. But when’s the last time you heard someone say, “When I grow up, I want to be an entry-level analyst for Visa”? An MSSP has a “breadth of experience” carrot to dangle. Market yourself as a place where professionals can learn what they need to learn in order to advance their careers faster than they would anywhere else. Acknowledge they won’t be a “lifer,” and snag them for a somewhat lower salary but the promise of more autonomy and exposure.

“That can be extremely interesting to get that experience built up, to build your career just so that you get to the point where then you can move out,” says Carr. “That being said, you have to realize that if you don’t have a career path for those people, they’re going to move on to do other things.”

And that’s no bueno to MSSPs trying to compete in this market. The absolute most important skill a managed services provider of any shape or size must possess is the ability to scale and provide better velocity than customers can — and to do it at cost. Sure, orchestration and automation, threat detection and other tools are really important to that effort, but as Carr says, “It’s easy to find the product. It’s hard to find the people. The people you’re hiring – the talent – that’s the scarce resource.”