MSSPs, or Managed Security Service Providers, are at an exciting point where market acceptance, awareness and demand have converged. I view this as a positive not only for prospective MSSPs but also for the customers and businesses they will protect, enhancing security for everyone. However, excitement and the prospect of profits can create haste, and with haste comes an increased risk of mistakes. In my role at AlienVault, I've been fortunate enough to work with and help ensure the success of a number of our MSSPs. Following are five key lessons learned, and mistakes that I recommend every MSSP avoid in order to be successful:
1. Selling A Product, Not A Service
This is not number one by alphabetical order or through some entropic process; it is in fact the most prevalent hindrance I see. Often I will encounter MSSPs pitching which vendors they use or highlighting some new whiz-bang feature of a product. But technology is cool! It sells! Sure, it sells a product, but you don't sell products, you sell services. Let's say water starts leaking in your house. Do you run to the Internet and google "why is my water leaking?" No, you google "plumbers near me". You call an expert and they say, "Yes, I am qualified to fix that problem!" They don't say, "Well, I just bought this cool new wrench with fifteen adjustments, do you want me to use it?" Customers want a service, or more accurately, they want assurance: assurance that they are protected from the latest threats to their infrastructure so they can focus on their business. Technology changes and products come and go, but expertise is constant. Commitment to expertise is the foundation of any service. Sell yourself and that commitment, and let the vendors sell products.
2. Waiting For The Right Customer Or Just Waiting....
Did I mention the market? Avarice aside, there are far more consequences to waiting than lost profits. Waiting for the "right" customer is a mistake. What would the right customer be? Let's see: pays you a lot; never has alerts; comes direct to you; never complains... Even without sarcasm you know this "right" customer is a fairy tale. There most assuredly are "wrong" customers for a growing business, but the judgment to recognize them comes from experience, something waiting doesn't provide. I also encounter MSSPs waiting for their platform to be stable or for marketing materials to be created, almost treating these things as a serial process with each step contingent on the last. Waiting on sales? Beta test with someone, dogfood your service, start automating things; you don't need two keys to launch the missile here.
3. Not Automating
Those who have heard me prattle on about the merits and wonders of automation know that I have a rule: "Do It Twice and Never Again". Why such intolerance for repetition? Scale. How do MSSPs generate profit and increase margins? Scale. How do you grow your business and expand? Scale. Automation, especially process automation, is a key element of an MSSP's ability to scale. The more you keep security researchers researching and analysts analyzing, the more customers they can help; the more customers they can help, the more... " | close_thought.sh >> $current_text".
4. Not Creating Standard Offers Or Straying From Them
Not sure if I mentioned scalability before, but it's kind of important. Wait, no, it's really important. Standardization is one of the pillars of scalability; we could go back to interchangeable parts, assembly lines, internet protocols or languages for an analogy, but I'd rather discuss the alternative to standard offers, often referred to in the biz as "custom offers" (if you didn't cringe when you read that, you might not be in the MSSP business). Custom offers are a total nightmare in terms of technology, licensing, staffing, billing, revenue forecasting... well, the entire business, actually. Every variant is a separate thing to license, staff, bill and support; reducing variability makes an offer easy to repeat and deliver. When it comes to offer creation, just remember: Keep It Simple and Standard.
5. The Right Staff
I'm not referring to finding quality people (always do this) or the usual motivational-talk banalities, but to getting the right specialties in the door at the right time. Information Security has expanded so widely that the idea of the "generalist" is almost extinct; there just won't be the "one" who can run an entire Security Operations Center (SOC), conduct research, do turn-ups, automate, etc.
Therefore you must break out the functions of your MSSP and find experts for each specialty. In addition to "who" there is also "when". Knowing when to scale staff and when to hire for new skills is certainly a challenge, but exuberance can cause businesses to hire too early, and stubbornness can cause them to hire only after a problem becomes untenable. I'd love nothing more than to share a formula with you on when to hire X for Y at Z, but businesses are dynamic and unique, which is a euphemism for "you're on your own with that".
It's often said that making mistakes is part of making progress, but it's also said that those who don't learn from history are doomed to repeat it. Remember to focus on your service, keep it standard and look at everything from a scalability perspective.
I'm on Twitter now - pkt_inspector