The Role of the MSP as Security Educator

Dave Sobel

Dave Sobel

he lack of a comprehensive IT department equipped to implement security protocols and keep employees up-to-date on the latest threats is common among many MSP (Managed Service Provider) customers. As a result, many breaches occur because an employee clicked on an infected link, or didn’t understand security risks and best practices. Inevitably, MSPs now find themselves in the security business, which raises questions around the responsibility of MSPs to create awareness and provide education around security best practices to their customers.

To better understand how MSPs can add value to their Managed Services offerings with security, I spoke with Dave Sobel of LogicNow where he is MAXfocus’s Director of Partner Community. (MAXfocus is a MSP platform with more than 10,000 monthly subscription customers in more than 100 countries.) Sobel is an expert at identifying the business opportunities and shared his thoughts on how MSPs can turn security into a recurring revenue stream, including leveraging their role as a security educator.

Is Managed Security something from a channel perspective that MSPs and dealers getting into Managed Services should be looking at as a way to make money among their menu of services?

Sobel: The answer is definitely yes. Managed security is a big opportunity. Thinking of this from a 2015 perspective, it’s a big deal. Whenever I talk about security I always start with a reminder, security is not a checkbox that you buy. I can’t sell you a SKU that automatically makes you secure. I wish I can bundle it up as a product and sell it to everybody, but it doesn’t work that way. It is a service because it is not only an initial set of workflows, but ongoing maintenance around that. And it’s done as an ongoing risk management and process management exercise.

For example, a lot of the things we look at from a security perspective. From a SMB and MSP perspective, there are a lot of different ways to go about this and small businesses need to combine a couple of different things. Combining malware management with proper patch management and perimeter security like e-mail, with managing users to make sure they’re using things like Web protection and not going to [questionable] Websites. Couple those technical services with the ability to provide policy management and help customers make sure they have ‘use’ policies for all the various technologies—all of those different pieces combined are managed security.

So you view security as a separate offering?

Sobel: You can sell it as an independent offering, but it works well rolled into the overall infrastructure offering and managing all the components of an environment. We also offer user support and all of the other components that go into running a network, and security is also covered with disaster recovery and backup management both onsite and onto the cloud.

Are small businesses in tune with this, meaning do they understand they need to think about security and it’s something they should be spending money on?

Sobel: They do, especially the more you start talking about compliance issues and legal requirements. If they take credit cards, at a minimum users should be PCI compliant. My advice is to make it practical to your customers. It’s not going in and saying ‘I’m going to make everything secure.’ Talk about why it affects their business and what you need to do that’s relevant to them for their markets.

As far as educating the channel, how do you do that as far as getting them to understand what to look for and how to best present managed security?

Sobel: We do that in different ways. We have a set of products that can help them do that. More importantly, we help by making sure they understand how to put it all together into an actual service. We offer online education, including videos and white papers. We also provide training at our conferences. We visit other communities we’re involved with like CompTIA and their security community. There’s lots of different ways we bundle this all together to make sure we’re providing the education to help these guys understand exactly how to take it to market.

When you were referring to products earlier, can you give me a couple of examples of what you meant by that in this context?

Sobel: We have various software solutions that when combined do a nice job of delivering what an SMB needs for managed security. Remote management, patch management, MaxMail for mail security, and a Web protection utility built into MAXRM.

From a channel perspective on the education side, do you need to be proactive about educating your MSP customers or are they coming to you, especially since education is essential for them to be successful at selling managed security? 

Sobel:  We do this as required as part of our obligation to deliver the software. Some solutions providers, the best in class guys, it comes naturally to them and it comes to them quickly; others need more hand holding, so we invest heavily to make sure they have the resources to do that, including having a security expert like Ian on our team.

Is that something that sets you apart from your competitors?

Sobel: I think so and that’s one of the reasons I work at MAXfocus. I was a former Managed Services provider for about 10 years and ran my own firm in DC. Everyone on my community team has a channel background. We have a team of four customer-based people who have nearly 60 years of combined experience in the channel.

Is there anything that you know now from a security standpoint since joining MAXfocus that you wish you knew back when you were an MSP?

Sobel: The fact that there are so many tools that can be combined into a service. The piece that’s most obvious to me now is the real value of the scale of integration, having everything integrated into a single platform. That has compelling value. When I first started offering Managed Services about 15 years ago it took a lot of work to combine this all together and a lot of product components that the MSP had to do. Now it’s straightforward to put this all together and offer a compelling service. The other thing that’s interesting is there’s been so much thought and investment going on in security, particularly when you combine what we’re doing from an education perspective with resources like CompTIA. As solutions providers become educated, it’s just a small investment of time on their part.

Are there certain questions that MSPs need to be prepared to answer when they’re out there marketing your products?

Sobel: Number one is measuring business outcomes. That more than anything is the area where you need to be prepared. Your customers are going to want to measure success based on business outcomes more than technical delivery.

How do you prepare yourself to answer that question?

Sobel: By measuring things like downtime and showing what the downtime costs the business and where the cost of downtime can be mitigated, as well as helping them understand the end customer’s business and cost of operation and security, and helping maintain that.

Anything above and beyond that someone from the channel should be prepared to answer?

Sobel: The other area is making it relate to the end customers’ market. If you’re focusing on medical, financial, manufacturing, or retail, understand what those customers’ specific business needs are and apply the technology to that. For example, understanding the difference between PCI compliance and HIPPA compliance. The good news is that vendors like MAXfocus have invested in resources to make sure that a solutions provider is well educated.

As far as your existing partners are there certain areas where you see them consistently falter and where there is room for improvement?

Sobel: The best solutions providers are the ones that master the ability to understand the cost of delivery and base their models around that. One of the areas we’re working to help our solutions providers across the board on is understanding what it takes for them to deliver a particular service. How are they making money?

Why do you think it’s difficult for some of them to figure that out?

Sobel: Many solutions providers come from a technical background and the business skills come as they’ve grown their business. That’s one of the areas we’ve invested in by building a Community Team to help on the business side of things.

What other ways are you helping them grow that we haven’t discussed in our conversation so far?

Sobel: We’ve been putting a lot of time and effort into white papers and sales playbooks, which are strategies for sales engagement that solutions providers can take and help bundle solutions. We’ve got one coming out around Managed Security for example that takes a lot of the things we’ve been doing from a security perspective and helps them bundle it together in a service. We show them how to sell that service and position it, how to overcome objections, and what the market is looking for.

If I were a Managed Services provider reading this, I’d get serious about security if I wasn’t already. 

Sobel: Managed security opens up a lot of doors for a solutions provider to continue to position themselves as the outsourced CIO. There’s angles around being the compliance officer, there’s angles around helping them manage their business needs, and I would be continually elevating my conversation because we’re the best solutions providers. That’s what the data tells me. I implore everyone to look at Managed Security from the position of how can I become the CIO, how can I be the chief compliance officer, how can I help with these business challenges, and how can I use technology to deliver them?

 

 

 

 

Scott Cullen
About the Author
Scott Cullen has been writing about the office technology industry since 1986. He can be reached at scott_cullen@verizon.net.