Scott Barlow (Sophos)
Managed service providers (MSPs) are turning to security to build out new revenue streams through the provision of enhanced cyber offerings and services.
The shift in channel focus comes amid increased security investment at end-user level, driven by a sustained rise in attacks across local, regional and global markets.
The knock-on effect is an ecosystem seeking to capitalise on changing customer requirements by transitioning from the status of value-added reseller or MSP, into a fully-fledged managed security service provider (MSSP).
“That’s the debate today,” observed Scott Barlow, vice president of Global MSP at Sophos. “Can an MSP become an MSSP or is selling security services as an MSP good enough? If you look at the traditional security definition of an MSSP, it’s basically a company that aggregates security technologies on an unified platform and offers this to end-users.
“Most MSPs we work with are MSPs that are selling security services, although we do also have MSSPs as part of our program and they are very successful in what they do.
"The majority of MSPs are looking to increase value to customers through selling security services and wrapping the automation and services element - such as a SOC [security operations centre] around that offering.”
While MSPs ensure IT systems are operational, an MSSP’s role is to provide pure-play security offerings as-a-service, assuming a deeper level of responsibility and risk in the process.
According to Barlow however, the channel should first learn to walk before considering running.
“Before partners jump into security, they must figure out managed services and the tools and applications required internally,” cautioned Scott Barlow, speaking during the Sophos Partner Conference in Sydney. “Are the skill-sets of your employees the skill-set required to transition to selling services?
“If you look at the average sales person at a traditional partner, they get excited about closing a $50,000 deal. They get a rush of dopamine whereas with an MSP, you’re selling $1800 a month over three years.
“This will amount to significantly more than a term licence but $1800 per month isn’t as exciting to a sales person used to receiving a large chunk of compensation on day one.”
In assessing the Sophos ecosystem of partners, Barlow said the vendor’s top 100 MSPs globally sell an average of 4.4 products, spanning solutions such as endpoint, device encryption, email server and wireless through Sophos Central - a unified console for managing security products.
“Half are also deploying synchronised security which represents a positive step due to improvements in traffic through the synchronised application control,” he added. “Those that leverage Sophos Central are seeing a growth rate in the region of 3-5 per cent month-over-month.
“When an MSP selects Sophos, they are standardising on endpoint, mobile and firewall for example, and can up-sell across different products which means they can grow their own business. This is how MSPs make money.”
According to Barlow, here are five ways to sell security profitably as an MSP:
1 - Up-sell and cross-sell
“There’s lots of different security products available on a monthly subscription basis, such as phishing, wireless, server, firewall, email, disk encryption, mobile and endpoint. If you look at those options from an aggregate licensing standpoint, an MSP with 200 customers each housing five users has a total of 1000 aggregate users.
"So instead of looking at 1000 users, we instead look at how many licences of those users are consuming services. For example, endpoint, mobile and disk encryption would mean three licences x1000, resulting in 3000 licences.
“And that’s the benefit for an MSP because the more they up-sell or cross-sell, the higher the licence band is and the lower the price. This way, MSPs can increase profitability because the price from Sophos is going to go down but their price to the customer will remain the same. We’re seeing MSPs latch onto this due to its success.”
2 - Go deep with advanced offerings
“You don’t want customers to submit to the lowest bidder. Security shouldn’t go to the lowest bidder given the rise in attacks but we’re seeing challenges around customers going with these bids yet the vendor or MSP doesn’t have the required security expertise.
“We want MSPs to focus on being successful and that’s through providing more advanced solutions. For example, if MSPs have an exisiting managed services agreement in place with a customer, they might be integrating anti-virus as a check-box and that’s all the customer wants.
"But in that scenario the MSP isn’t operating or selling security services, and we’re starting to see MSPs remove that check-box. This means the MSP is no longer going to sell anti-virus as part of a basic managed services agreement, instead the true security providers are up-selling either a standard or advanced offering.
“They are layering that on top of an existing managed services agreement which means they can charge anywhere from 20-40 per cent more to carry out advanced security services. This means they are well-positioned to take over every security component of an organisation, such as device encryption, endpoint detection and response, alongside products such as Intercept X Advanced, Phish Threat and XG Firewall.
"Selling a synchronised security strategy resonates for customers and we’re seeing more MSPs selling more advanced solutions, rather than basic offerings.”
3 - Leverage vendor expertise
“Partners are spinning out security practices but this requires certain skills. If you look at a security practice, and if you’re running a SOC for example, the expertise required from a headcount perspective is incredibly rare to find. There’s not a lot of security analysts out there in the market and for the ones capable of doing the job, they are very expensive.
"MSPs should therefore leverage vendors to offset some of the costs and provide services. That’s how we are adding value as a vendor, through selling a system as opposed to selling seven or eight different vendor point solutions. That’s the message coming out to the market."
4 - Streamline offerings, increase visibility
“Normally, an MSP employs lots of people to manage training, certification and marketing development funds (MDF) from a range of vendors, sometimes as many as seven or eight. We launched our MSP program to lower management expenses through a single vendor. Now in this scenario, MSPs can instead reallocate resources spent managing multiple vendors to another revenue making part of the business through Sophos Central.
“It doesn’t matter who the vendors are or whether you’re using firewall, endpoint, mobile or wireless access point, MSPs can integrate all of those solutions into Sophos Central to have one management dashboard through one vendor and one flexible program.
“It’s difficult to find a pure-play security value-added reseller or MSP, the majority of partners we deal with are hybrid. It doesn’t matter how the channel sells, we want to align how we sell products and services to the channel which we do through third-party integration with ConnectWise, Kaseya and Datto / Autotask as examples.
"We’ve also built alerting through a centralised dashboard allowing MSPs to login and have a single view of all customers, rather than having to drill down into each individual user.
“Looking ahead, we’re also rolling out more advanced global policy capabilities allowing MSPs to make one change and have that change impact an entire customer base. For example, an MSP can add a new policy at endpoint level and make one change before deploying this across 10,000 users in 500 customers. These are the types of enhancements we’re working on for MSPs.”
5 - Strong internal hygiene
“The more advanced MSPs have very automated back-end systems, integrated with tools such as professional services automation (PSA) and remote monitoring and management (RMM), in addition to automated billing.
"We also require two-factor authentication - not multi-factor - which is an absolute requirement for MSPs. Lots of hackers today are targeting MSPs because once they break in they have access to an entire customer base."
