Cybersecurity Is a Process, Not a Product: What to Consider When Building Your Offering

You’ve decided to offer cybersecurity services, but aren’t sure where to start. Unfortunately, you won’t find one list that everybody agrees, or that shows which products and services should be included. Many people have differing opinions on cybersecurity, and that’s OK.

Cybersecurity is a process, not a product. The approach we take at Collabrance is based on a constantly changing landscape. Successful managed service providers (MSPs) are more focused on the holistic IT solution than any one product you may be providing.

To build our managed security service provider (MSSP) offering, we used the National Institute of Standards and Technology (NIST) Framework to help guide us to outcomes that focus on the end user’s cybersecurity needs. Although much of the managed services industry is unregulated, the federal government does have guidelines that are embodied in the Framework, which NIST describes on its website:

What is the Framework, and what is it designed to accomplish?

The Framework is voluntary guidance, based on existing standards, guidelines and practices for organizations to better manage and reduce cyber cybersecurity risk. In addition to helping organizations manage and reduce risks, it was designed to foster risk and cyber cybersecurity management communications amongst both internal and external organizational stakeholders.

Is my organization required to use the Framework?

No. Use of the Framework is voluntary.

Even though the Framework is not law today, smart money is betting that, in the future, some or all of it could eventually become law. Progressive IT service providers are already aware of this and keep it top of mind.

To what extend should you outsource?

When it comes to cybersecurity, keeping up with the demands of the market is nearly impossible to do on your own. No reseller has the money or expertise to do it all. Every time an issue comes up, you need to decide whether to build what you need, buy it or outsource it. With that in mind, here are a few best practices you can implement to help your organization keep pace.

Have an Evolving Road Map

You need to make someone responsible for the technology road map in your organization. You have your current IT stack that needs to be monitored, but you also need to keep a constant eye to the future and adjust accordingly. You should have built an IT priority list of short-, medium- and long-term needs that stays top of mind with everyone in the organization. This means your technology road map needs to be fluid. Just because it looked a certain way five months ago, that doesn’t mean the priorities can never change. MSPs must be agile enough to make adjustments and keep moving forward.

Vet Constantly

Many people don’t realize cybersecurity is a full-time job. The number of IT needs your customers have, combined with more-sophisticated competitors in the marketplace, means you need to have someone fully dedicated to vetting potential solutions for things such as:

  • Technical ability
  • Support acumen
  • Current stack alignment
  • Price vs. value
  • Tenure
  • Financial health
  • Ownership structure

If you don’t have someone whose job it is to vet technology solutions, I strongly suggest you partner with someone who does have this capability.

Keep Your Finger on the Pulse

You must stay close to your customers and know what is happening in the IT channel to help stay ahead of the “bad guys.” This positions you as a leader and not a laggard in your market from a competitive perspective. MSPs who have made the transition into cybersecurity offerings have adjusted their approach to be in the business of risk mitigation rather than information technology.

What Should You Do Next?

  1. Look at the NIST Framework, and evaluate if you meet all the demands.
    a. If you do, you’re ahead of most providers—good job!
    b. If not, see #2
  2. To fill the NIST gaps you can’t meet, you must decide if you want to:
    a. Build it
    b. Buy it
    c. Partner up
  3. If you picked 2a, do you have the time and money to get it in the market quickly?
  4. If you picked 2b, look at the rest of your gaps; do you have the resources to buy the technology in order to own the solution? This is VERY expensive today, as cybersecurity multiples are constantly soaring.
  5. If you want to have rock solid cybersecurity offering TODAY with minimal investment, I suggest you outsource and partner.

Your customers demand and deserve the best you can offer. To help maximize your profitability and reduce your risk, partnering can help you achieve your goals while at the same time delivering excellence to your customer.

Collabrance White-Label MSP & MSSP Solutions

It would be worth your time to compare your offerings. Today we make a distinction between MSP and MSSP. In the future, my hunch is the MSSP offering will be considered table stakes. I believe the expectation of the customers will continue to rise, so your cybersecurity IT solution must adapt to remain relevant and be successful.

Greg VanDeWalker
About the Author
Greg VanDeWalker, Senior Vice President, IT Channel and Services, is responsible for strategic vision and performance for the IT and Unified Communication financing business units, as well as Collabrance LLC, the GreatAmerica master managed services provider. Prior to joining GreatAmerica in 2003, Greg was General Manager for the transportation division of US Bancorp in Denver, Colorado. He began his leasing career in 1991 with Business Credit Leasing (BCL) in sales and sales management. Prior to BCL, Greg was a tax accountant for Arthur Andersen & Company. Greg was recognized by MSPMentor in 2014 in their Top People in Managed Services list. In 2015, Greg was named on the “100 People You Don’t Know But Should” list, and in 2016 and 2017, he was awarded the Channel Chief designation by CRN. He was also honored as an ENX Difference Maker in 2017. Greg has served as Chair of the inaugural Managed Print Services Community of CompTIA, and has helped various advisory boards in the IT, telephony and office equipment channels.