While it’s critical to think of security from the perspective of securing systems against risk and loss, as well as defending against the bad guys, it’s also a good opportunity for managed service providers (MSPs) to look at using security as a differentiator for both themselves and their customers.
As an MSP, you absolutely can (and should) use your security practice as a way to make yourselves stand out from other MSPs—it’s an increasingly important component of what you offer. But are you also looking at your customers and how security can help them differentiate their businesses in their markets?
I have worked with hundreds of customers—of all sizes and across all sectors—to look at the bigger picture and help them build security programs that benefit their businesses beyond simply securing their networks. The majority of businesses don’t think like this.
However, I have had some surprises along the way. One company that caught me off guard was a manufacturer that made pipe for oil drilling and gas transportation. I was expecting an old-school manufacturer’s approach to security, where I’d need to talk about things like cyberhygiene, how to measure risk, and how to do things appropriately for the level of risk their business faced. However, what I was met with was one of the most mature security setups I have ever seen. They were at the equivalent level of most banks. They really understood where security fit into their business, what their risk was, and how much they were spending on mitigating that risk. So, instead of talking about generic security issues, we discussed much more advanced topics, like automation and insider threats.
Differentiate yourself from your competition
So why did these guys spend so much of their budget on security? The bottom line was their customers were very large players in the oil industry. By having a solid security program in place, they were able to differentiate themselves from their competition and integrate closely with their customers’ sales and ordering systems, getting pipe to their sites much more quickly.
From a business perspective—although as a company they weren’t that big—a good security program really made a difference for them and differentiated them in their market.
At the other end of the scale, another surprise came from a pump manufacturer. Their pumps were extremely popular, as they could be managed remotely online and were used in all sorts of applications, from power stations to dams. Unbelievably, they had no security in place at all… they just manufactured pumps.
With this company, our first challenge was getting them to understand that they needed to start thinking about what having no security meant for their customers and how improving it could actually help them sell more, as well as remove the risk of the company itself being found negligent if one of the pumps it supplied was “hacked.”
The lesson here for MSPs is they need to not just look at their customers, but also look at their customers’ customers. What issues or regulations do these companies face, and how can you, the MSP, help your customer improve their security so they can claim it as a point of difference in their market?
Framing security in a different light
If you can approach your own customers and say, “We can help you move your business model forward to attract more business,” this frames security in a very different light, one that makes much more business sense. Your customers also need to understand that in the current climate, the businesses they work with are soon going to start asking if their systems are secure. They need to understand the situation and prepare; they need to be able to answer those questions to help them drive more business. As an MSP, this is certainly somewhere you can help and guide them.
A good example of why your customers need to think this way is the HVAC company that served as the entry point for the Target breach. This incident highlights the inherent problems if one company in a chain isn’t secure. Here, the HVAC vendor was not secure enough and the end user was not resilient enough, giving them too much access.
Today I am sure people are taking what happened at Target as a lesson and looking at how secure their partners and third-party vendors are. They are asking questions like “Wwhat are third parties doing to ensure security when allowed access into internal systems? Are appropriate controls in place across the chain?”
This is where you can really help and add value. Your customers need you to think of IT not just as a cost of doing business, but a business enabler—with security playing a significant role.
In my next blog, I’ll be looking at how regulations can actually be your friend when it comes to selling security.
Tim Brown is VP of Security for SolarWinds MSP. He has over 20 years of experience developing and implementing security technology, including identity and access management, vulnerability assessment, security compliance, threat research, vulnerability management, encryption, managed security services, and cloud security. Tim’s experience has made him an in-demand expert on cybersecurity, and has taken him from meeting with members of Congress and the Senate to the Situation Room in the White House. Additionally, Tim has been central in driving advancements in identity frameworks, has worked with the US government on security initiatives, and holds 18 patents on security-related topics.