Thinking Smarter About M&A—Are you secure?

With the continued focus in our space on the movement from MSP to MSSP, it’s crucial to remember that products alone don’t necessarily make you an MSSP.

For smaller customers, although you might be able to provide a range of security solutions (like EDR and backup) and compliment these with an RMM to provide insight and control over end user devices, this is not enough to call yourself an MSSP. It takes a lot of investment to build out an MSSP division—you need the right skillsets, alongside evolving tools that will allow you to provide a broad range of deeper functionality, such as pentesting, security auditing, and forensic analysis.

To be an MSSP, security needs to be part of your DNA. This security-focused DNA can then be supported by technology. And mergers and acquisitions offers one of the quickest ways for MSPs to bridge this knowledge/DNA gap.

For those organizations that are growing aggressively in this way, selecting the right security partners is essential, and we’re seeing a lot of discussion and concern in this area. The bulk of the time, this conversation falls loosely into two categories:

1. Are our vendor partners secure?
2. Are our vendor partners providing the right security products for us to leverage in the market?

Why Too Many Vendors Can Increase Your Attack Surface

When MSPs start to consolidate, one of the key challenges that they can be faced with is that the range of different security solution vendors being used across the new consolidated organization can end up increasing their attack surface and threat exposure. This is one of the fundamental reasons we advise picking your best-of-breed solution partners at the start of your consolidation journey, and then ensure these are rolled out across the entire organization as it grows.

This does, of course, place added emphasis on how you choose those partners. As part of your partner selection process, you need to be doing a deep-dive evaluation of your prospective vendor’s security posture. This means looking at how heavily they are investing to both minimize their own risk as well as harden security for their customers—i.e. you. Ultimately, you need to feel comfortable and be confident with their position if you are to build a strategy with that particular partner.

This is why at N‑able we encourage our larger MSPs that are growing via M&A to meet directly with our CISO before committing to our products. This way, they have the opportunity to assess where we are and get visibility into the moves that we’re making around securing our own infrastructure and solutions.

Be Certain Your Partners are Keeping Up With Market Changes

Similarly, when it comes to evaluating specific products, you need to be certain your partners are keeping up with changes in market and offering the products you need to be able to secure your customers. For example, with the movement away from traditional AV to enhanced EDR at the moment, you need to be confident your prospective vendor is picking up on trends like this and that they are being reflected either in their existing product offering or within their product roadmap.

As a customer, you need to ensure you’re doing the right level of due diligence as this will help you minimize your risk as well as provide you with a far deeper level of confidence in your chosen vendor. Not just that, they have the right level of focus on their own security posture but also have the knowledge and ability to match what your customers are looking for from a product offering perspective.

Standardizing on this one vendor—as opposed to 12 (and we do see this in the industry)—will help you to grow and scale as a partner with them, as well as reaping the benefits of standardization as I’ve discussed in my previous blogs.

Davide Di Labio is senior director of sales at N‑able