Brought to you by MSPmentor

Adding security offerings is almost a mantra across the managed service provider (MSP) business.

Given the very public explosion of ransomware and an ever-growing list of other threats, IT services providers increasingly are looking to make money on the insatiable demand for cybersecurity.

But just how how realistic – or profitable – is it for a traditional IT services provider to start selling managed security?

“I think that’s, frankly, the million dollar question that a lot of MSPs are asking,” said Scott Barlow, vice president of global MSP for security software vendor Sophos. “I think there’s a lot of money to be made in adding security services to an MSPs offerings.”

Robert Mcfarlane, chief financial officer at Arizona-based managed security services provider (MSSP) Mosaic451, agreed – sort of.

“An MSSP practice is not an easy bolt-on to an MSP practice…” he said. “There is absolutely margin in the MSSP space, but ‘adding security’ to a MSP practice is a difficult proposition.”

Mcfarlane suggests MSPs have a few basic ways to make money off of security: they can partner, they can resell/white label, or they can build their own security product and migrate.

Regardless of the approach, barriers to entry in most cases are considerable.

Maintaining a 24-7 security operations center (SOC) and hiring qualified professionals from a candidate pool with virtually no unemployment, are among the major obstacles.

Often, newcomers to managed security are sophisticated technologists with extensive cybersecurity knowledge, Mcfarlane said.

“If you look at new entrants into the MSSP space, it’s not typically MSPs or VARs, but military contractors, large carriers and consulting firms,” he said.

In his opinion, there’s not been a great rush of MSSP vendors seeking to provide white-label security services to MSPs.

“There is not the maturity in the market nor the need for third party distribution,” Mcfarlane said.

At Sophos, it’s Barlow’s job to show MSPs how to launch and grow successful security practices. Through the firm’s MSP Connect partner program, MSPs can offer end users a sophisticated suite of cloud-based security offerings, delivered as a service.

“We just last week launched an ability for MSPs to co-brand,” Barlow said. “Every user within a customer base will now see that MSP’s logo.”

MSPs looking to add security services should offer and deliver more than a firewall, and endpoint protection software, he said. 

“The partners that we work with on the Sophos side are really trying to instill more of a security culture in their customer base,” Barlow said. “We work with MSPs who charge a premium for cybersecurity offerings.”

In empirical terms, that can translate into margins of 20 percent or much more, depending on the ability of the MSP to shrewdly package the services they leverage from their MSSP vendor.

“We have a lot of partners that are wrapping all of Sophos’ security offerings into a premium package that goes on top of the standard managed services that they’re offering,” Barlow said.

In addition to the margin on reselling services, MSPs should look to take over their clients’ needs for compliance services, implementation of security policies and procedures, and documenting of those policies and procedures.

“Those are reproducible and reusable,” Barlow said. “(And) that expertise is going to (command) a premium.”

Given the cost and shortage of security talent, MSPs looking to dabble in cybersecurity might consider taking some training and certification courses to help them decide where their market opportunity lies, he said. 

“It’s not just a product thing,” Barlow explained. “You need to look at the people and the policies.

“It requires people, process and technology.”

And the future could offer MSPs even greater opportunities to sell security solutions that do more, at lower cost and with less required in-house skill.

In November, Symantec launched Endpoint Protection 14, a layered suite of cyber-defense tools that uses machine learning to detect potential threats and execute a response based on analysis of more than 4 trillion threat types previously identified through log data.

But Mosaic451’s Mcfarlane warns that it’s easy to lose sight of what’s truly important in security.

“Security is not a standalone solution,” he said. “Customers should be wary of any provider that tries to sell them a ‘magic hardware’ platform that will purportedly address all their security needs.”

“Security hardware is a tool for human security professionals,” Mcfarlane added. “It does not replace them.