Creating a Mandatory Advanced Cybersecurity Package for MSP Clients
by Travis Ray, Channel Account Manager at Infogressive
If only it were that easy, right? Unfortunately, the landscape of cyber threats is evolving faster than MSPs and their clients can keep up with. MSPs know that offering a cybersecurity package is a great way to add MRR and protect their clients, but offering is the wrong approach. Advanced security services should be mandatory for all clients.
I’ve helped MSPs develop this strategy and add $15-20K of MRR immediately. Typically, less than 5% of their client base will opt out. You might lose a couple of clients, but they’re probably the clients you’ve wanted to fire anyway. Here is how to implement this strategy:
Fill gaps in your current MSS stack.
Start by looking at what you offer now and where the gaps are. Utilize a defense-in-depth approach and a security foundation like the CIS 20 Critical Controls to help identify what you have covered in your current lineup and where you fall short. In fact, there’s a free resource that allows you to take an assessment of your current security and receive a cybersecurity report card based on the CIS 20 Critical Controls.
Many MSPs’ security services are mostly preventative: firewall, anti-virus, and maybe email security or security awareness training. Unfortunately, preventative security is no guarantee that your clients will be adequately protected; you need to complement prevention with detection. Consider services like EDR, SIEM, and Vulnerability Management. Partner with an MSSP if managing these kinds of services would be a challenge for your technical staff. By outsourcing, you add MRR with new mandatory services without the overhead, and you limit your liability as well.
Once you have the new services identified, begin working on a pricing structure, per seat or per user, and so on. Don’t be afraid to charge 25-40% of your current pricing model for this new security package.
Educate clients about cybersecurity.
You don’t want to spring mandatory services on clients without warning. Instead, start by developing an educational strategy. Quarterly Business Reviews (QBRs) are a great medium—if you aren’t already doing QBRs, start doing them now. QBRs will also make it easier to show the value of the new security services after they have been implemented.
Use your marketing and sales teams to start engaging clients about security and reiterate what security services you offer. Use industry-specific security statistics and start telling the story: “As your trusted advisor on IT, it’s our responsibility to make sure you know cyber-crime is a real risk to your business that needs to be mitigated.” Security education needs to be a priority for at least a full quarter.
Create your documents.
While sales and marketing are educating customers, operations and leadership should be creating the new services announcement and an opt-out agreement. Your mandatory services announcement should include pieces from your education campaign to reinforce the need, what is currently provided, what is going to be mandatory going forward (and why those services), what the cost will be, and when it goes into effect. Do NOT offer the opt-out in the announcement. The opt-out is a last resort for customers who refuse to mitigate their risk.
Your opt-out agreement needs to get their attention. By opting out, the client is accepting 100% of the liability. Thoroughly outline the risks the customer is accepting. If the opt-out agreement will not make the client pause and reconsider, it’s not strong enough. Include projected costs of responding to a cybersecurity incident for a client of their size and industry, along with the additional costs of delivering managed services while the client is breached, even if they do not use your firm for incident response.
Launch your new Mandatory Cybersecurity Services.
There are two ways to launch your new Mandatory Cybersecurity Package:
- In phases to your entire customer base:
This is the approach I recommend to my MSP partners. Start with a portion of your smaller customers to make future phases easier and to learn from unforeseen challenges. You are then better prepared for phases two and three, minimizing challenges for those more critical clients. Phases two and three will consist of fewer customers but more endpoints, which keeps the rollout from overwhelming your technical team.
- At renewal of existing managed services:
This strategy can be easier from contractual and deployment standpoints, putting less strain on operations or engineering teams. However, you lose negotiation leverage with clients that push back since they might have already been shopping other providers with their renewal coming up.
If you are not protecting your clients with an advanced cybersecurity package, you’ll probably lose them as a client when (not if) they suffer a cybersecurity incident. An advanced mandatory security package shows your value as their trusted IT advisor and adds coveted MRR for you, the MSP. If a customer elects to opt out, your liability is minimal, and the potential loss of a client has less impact after substantially increasing MRR from the 95%+ of your clients that accepted.