5 Key Lessons to Running an Effective, Security-Minded MSP
1) Educate Your End Users, Not Just Your Own Staff
Start with your SMBs. Focus on ensuring your clients are as well-educated as possible is a main priority. All businesses need to encourage constant security awareness amongst their employees, and it is your responsibility to empower them to do so. Consider the following initiatives when looking at how you can accomplish this:
- Make it a point to include security industry trends and news as part of your quarterly reviews. Be sure to discuss if and how their business fits in those trends, and why they should care.
- Develop a form of security awareness training that you can offer to your clients. You can start small by creating an information document or page for their internal intranet they can use as reference.
- Consider using online phishing training and services to supplement your own efforts. Make sure to share the results and explain what they mean.
- Help empower your clients to assess their employees themselves, and help them identify the most beneficial areas of training specific to them.
- Recommend a follow-up schedule to review progress over time.
Don't forget about your MSP. It is important to remind your own staff, while far more versed in the risks discussed, will benefit from this training. Using the same content will ensure a consistency in message, and will further encourage your entire team to be ambassadors for the security behaviors you are advocating.
2) Focus on How Well Their Business is Doing, Not How Well Your Business is Doing
Avoid granular details, focus on what matters. A trap many MSPs find themselves falling into early, whilst developing their managed services offerings, is focusing on providing the wrong kinds of data to their clients during their quarterly business reviews. These quarterly meetings are quite often the only time you are able to get dedicated time of key decision makers. Unfortunately, we are sometimes all too eager to share a glorious “100% customer satisfaction survey” rating and “how you nailed” your ticket acknowledgement SLA. While these are important statistics, it will not provide the kind of insight that can help your client understand what they can do differently to improve their business.
The most powerful information you can provide should effectively translate into a business value. This is typically in the form of either risk reduction, profit performance, or staff productivity. Anything outside of that, you may risk your client’s C-suite eyes’ glaze over, thinking about where they should go for lunch – not the data you are working so hard to present to them.
From a security perspective, there are several incredible insights on their business you can derive from the data you collect. You could consider providing insight on internet bandwidth usage trends, indicating areas of improvement for productivity, showing how a reduction in received spam is saving employee time (in actual hours) or any other metric that can interpret directly to an actual cost-savings tangible number.
Just remember when reviewing your quarterly review presentation, be sure to run your information through the ‘risk, profit, productivity’ filter as a way to substantiate your points and capture what will be most important to them. Tools and services, in essence, are simply “features”; those features must deliver value (in hard costs or opportunity), and the value must have discernable and clear benefit to the business in order to be justified.
3) Use Your Clients AND Yourself as a Security Reference
Is your MSP at risk? It is common for many IT Service companies to actually be the weakest link in the security services offering they deliver to their clients. We all use reference examples of the impact and success our services have had with our existing happy clients, but how many MSPs actually practice and implement what they preach internally?
There are arguably as many examples of MSPs being at the root of a security breach as there are the almighty and hated hacker. MSPs or more specifically, the occasional “rogue” technician inside an MSP have a great advantage over hackers. They already have all the credentials, access, and ability to steal and/or do harm without breaching the security solutions the MSP has deployed for the client.
The MSPs I have worked with previously were all small to medium sized businesses (SMBs) themselves. We are our own target market, however when we look at how we as MSPs are protecting our own data, and more importantly protecting our clients data internally, it is obvious and frankly a little disturbing. Imagine selling and delivering a security stack of great solutions to your clients, but leaving the back door wide open.
4) Review Your Security Stack Often
Stay on top of industry trends. Technology trends change so rapidly in the information technology industry, but arguably much more so with security products and offerings. Because of this, it is critical to evaluate your vendor relationships and technology stack frequently to ensure you are providing the best possible protection to your clients. Of course, this should not mean changing your preferred vendor partners each year as a rule, but simply establish a review process and challenge your vendor partners to defend their position as your number one choice.
Many MSPs invest a great deal of time and money in the partners they have chosen to align themselves; however, it can be too easy to remain status quo for the sake of “it’s too difficult to change” possibly leaving you disadvantaged in the market. Software products and services, in particular, are typically deployed to your customer base through automation and are definitely worthy of regular review.
5) Make Consistency King
Want your network to flourish? Standardize. One of the top keys for establishing an effective and successful managed services provider is practicing consistency and delivering a standardized level of service across all clients.
Arguably, no other single habit will reliably yield better results as your business scales, and having consistent and repeatable internal processes is the secret to doing this. While most MSPs recognize the importance of having these processes built on best practices, few have made the investment to document them, enforce them, and educate their staff on the importance of adherence. They may rely on one or two key team members to mentor the rest; however, without a formal ruling set of documented processes, it will inevitably lead to inconsistent IT practices and service delivery issues.
The key to delivering true, profitable, managed services day-in and day-out across all clients (and market segments for that matter) is standardized, repeatable, and scalable processes. To flourish, and maintain a value-based pricing approach in the current IT services environment, you will need to become ever more efficient in how you deliver your offering.
Taking this to heart, build an internal philosophy and culture emphasizing the importance of this level of process consistency and help your team understand just how impactful it can be. Be sure to take the time to help them understand the ‘why’ of these methods, not just the ‘how’ and the ‘what.’ This will foster a much more engaged team and they will end up assisting in keeping everyone accountable to the dogma you are preaching.
Ryan Barker, Vice President, Partner Success
Ryan Barker is an accomplished and successful IT channel professional with over 20 years of experience in computer systems. Ryan joined Passportal in early 2018 as Vice President of Partner Success, having first met Passportal’s CEO, Colin Knox, in 2005. Ryan worked alongside Colin at It Matters MSP and XCEL Professional Services prior to joining the team at Passportal. Ryan holds a Computer System Operations and Management Degree from the University of Kamloops in British Columbia, Canada.