MSSP CEO: Customer Execs Have ‘Gone Numb’ To Selling Cybersecurity Through Fear
Central Technology Solutions, Xperteks, General Informatics and Nexus IT executives talk about adding vCISO, vCIO, compliance-as-a-service offerings.
Customers are no longer motivated by scare tactics and fear as a way to sell cybersecurity and compliance-as-a-service, according to Earl Foote.
Instead of using fear, uncertainty and doubt (FUD) to sell these services, the CEO of Park City, Utah-based MSP Nexus IT told a crowd of solution providers this week that he’s found success selling security and compliance as a competitive advantage, “a way to differentiate your business and to go after bigger, better customers and more lucrative deals.”
“The C-suite has gone numb to FUD,” he said, even using an expletive to describe how little they care.
MSSPs Talk How To Add vCISO Services
Foote shared his advice as part of a panel on adding virtual chief information security officer (vCISO) and compliance-as-a-service (CaaS) practices as a solution provider. He was joined by three other CRN 2023 MSP 500 members, including moderator Marcial Velez, CEO of New York-based Xperteks, during CRN parent The Channel Company’s XChange NexGen 2023 conference.
Ivan Burkett, IT director at Houston-based GB Tech, told CRN in an interview that, after attending the panel, he plans to review his MSP’s services for new ways to bring in revenue.
“I’m interested in monetizing services we probably shouldn’t give away for free,” Burkett said.
A New Way To Sell
Foote presents his vCISO and CaaS offerings to customers as a chance to increase revenue, and adding these practices also opens doors for MSPs looking to add bigger customers.
“We’ve changed our approach in our sales process and in our marketing and branding from compliance is a risk to your business to compliance is an opportunity,” he said.
Panelist Tommy Vaughan, president of Lynchburg, Va.-based Central Technology Solutions, told the crowd that he agrees on a new approach to selling security and compliance services.
He went so far as to say he “would never” use terms such as vCISO and CaaS with customers.
“What do I think about compliance? I think it’s a nightmare,” he said. “What do I think of this (vCISO and CaaS)? It’s horrible. I’m so sick of acronyms.”
To achieve security and compliance for customers, MSPs shouldn’t worry about tools, but instead focus on the paperwork and process, he said.
In fact, while at NexGen, Vaughan’s team back home closed a deal involving the U.S. Department of Defense (DoD)’s Cybersecurity Maturity Model Certification (CMMC) compliance program, he told the crowd.
“We’ll have this whole thing turned around in less than a week,” he said. “And you’re like, how did I do that? It is all about process. It’s not hard. You don’t need a degree. And none of these vendors … can just magically do all that for you.”
Solution providers have been forced into becoming providers of security and compliance services because “industries moved all of their junk to our networks and now we have got to secure it,” Vaughan said.
And customers, disgruntled from the start, don’t want to pay MSPs for security and compliance services that they believe should be included in the standard solution provider package.
“You never walk into any customer site and they want to buy any of the service from you,” he said. “They don’t care.”
It’s up to solution providers to stand firm and prescribe these services to customers like a doctor would, he said. The solution provider has to walk customers through their processes, who has data access and the incident response plan, and provide it all in a simple as-a-service manner.
“You have to advocate for the change,” he said. “You have to realize that you’re the doctor. You don’t walk in and tell the doctor what scalpel they’re going to use. OK? Stop letting your customer tell you how to do your job.”
Adding The Practices
Solution providers need to separate these security and compliance offerings as an additional cost to customers, Vaughan said.
“You want me to enforce a policy, write a policy and help you make sure that you can prove” you are following it, he said. “You want me to do that for you? That’s a different service. … You get a few things set up, you can move into this space, and you’re going to be able to charge for the tools you’re currently not charging them for.”
A compliance setup and audit for a customer with 15 users can take around 10 or 20 hours, but subsequent setups and audits are usually shorter, Vaughan said. A solution provider can charge up to about $8,000 up front for such a service. Then the solution provider can take that data and tell the customer the 10 or so projects they need to accomplish.
For a solution provider to manage all the work, the company will offer the customer a platform and documents for around $500 a month, he said.
The solution provider can give an average cost for the entire engagement to a customer, but promising a total cost is a bad idea given all of the variables that can adjust the final price.
“If you do it right, it’s going to bring you more actual profit that you can depend on because no labor is against it,” Vaughan said. “You need to take a look at it. Don’t be scared of it.”
In business, competitive advantage comes from being first or being the best, he said.
“There are not a lot of people doing it right now,” he said. “Right now, we have a chance to be first. I know I’m not the best at it. But I am able to do it. We are making money. It also makes the customer more sticky.”
Part of the problem with vCISO services is the low barrier to entry, Vaughan told the crowd. As a result, there is not a major marketing benefit from adding the acronym itself to a solution provider’s customer offerings.
“There’s all kinds of things that you can do or say, but at the end of the day, you with your experience are going to be responsible for whatever those controls are in compliance,” he said. “If you move into it as a service, you have to understand that even if you don’t go hire somebody and you think you have to have this title, you don’t.”
Foote told the crowd that adding compliance and security practices to an MSP business might require partnering with other MSPs until you train your employees.
Common certifications for adding these practices include Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM) and Certified Safety Professional (CSP), he said.
“We started doing vCISO engagements with partners. And we still use those partners. But we’ve also started to build the capabilities out in house by helping our team,” Foote said. “We’re helping pay part of their tuition to go study those things to get those certifications to help build out the programs within our organization.”
Nexus built a CaaS package called NexGuard 360 sold to customers by seat and built on frameworks and controls with a documentation platform. His team is trained on how to sell the package as a stock-keeping unit (SKU).
Depending on the framework, the MSP might have to require multi-factor authentication (MFA), password management, employee cyber education, managed detection and response (MDR) and security information and event management (SIEM), he said.
While CaaS is part of the Nexus managed security services offerings – so far, in demand from health care and financial sector customers – vCISO services have been sold as project work, he said.
“We’re going to do vulnerability assessment, penetration testing, we’re going to formulate a security and compliance program for an organization,” he said. “And as part of that we’re going to sell them a project to get them ready to afford a compliance audit, and then we’re going to institute controls, which is where compliances service comes into play, which is part of our managed security service package.”
He cautioned the audience on readying themselves for adding around eight new tools to their stack and training employees on those new tools to build new security and compliance practices.
Adding vCISO and CaaS practices “is not that hard,” said panelist Don Monistere, CEO of Baton Rouge, La.-based General Informatics.
Monistere told the crowd that understanding how to work within a regulatory framework and a standards-based management platform is key.
“Start looking at the various standards that are out there specific to the industries that you typically serve,” Monistere said. “If it’s health care, there are obviously some specific things that you have to know. If it’s government, there are some specific things you have to know. And learn those standards and understand – can I find a way to mature my organization so that I can help them with that operational part of that?”
Monistere stressed engaging customers not just from the perspective of securing information and data or wiping PCs, but in “how do you operate as an organization so that you can not only say that you are securing information, but you can prove it. You can show evidence of it.”
Increased Demand
Foote has the data to back up a perceived rise in customer interest in new security offerings from MSPs.
At the end of Nexus’ second fiscal quarter, 70 percent of new deals in 2023 involved a vCISO engagement, he said. And “70 percent were businesses asking for us to help them figure out a compliance regulation and how to adhere to it.”
Part of the increased demand comes from new insurance carrier requirements, he said. One-page, five-question self-attestation questionnaires of the past have grown in length and depth around data security and governance practices, regulatory frameworks and the threat landscape.
What’s fueled interest in vCISO and CaaS from an MSP perspective, Monistere said, is growing regulation around what makes an MSP and what makes an MSSP.
Since February 2021, his home state of Louisiana has had a law in effect that has definitions for MSPs and MSSPs that work with public bodies.
“There hasn’t been a whole lot of teeth to the law yet,” he said. “They’re not out there auditing. They’re not out there looking at us. They’re not. But it’s coming. And it’s going to come to many other states.”
The new regulation has opened up new conversations between government agency clients and General Informatics, he said.
When he explains that the state wants to know the agency’s information security policies, “that blows their minds, because they’re thinking, ‘Well, I hired you to do that,’” he said.
“No, you didn’t hire me to write your information security policy. But I can,” he said. “And if you’d like to enter into an agreement, where I’m your vCISO or vCIO, we can definitely do it.”
Monistere sometimes finds himself explaining to customers why the additional vCISO service is different from General Informatics’ provided customer success management, he said.
“The vCISO team, they are a team of executives who have built and strategized with multiple companies an entire security practice, an entire IT practice across large enterprises,” he said. “And so there’s a big difference between being a customer success manager and someone who can be a C-level guy.”
MSP Vs. MSSP
When asked how he handles the conflict of interest that arises from a business with an MSP and managed security services provider (MSSP) component, Monistere said that “we draw a pretty hard line delineation between the two organizations.”
“One does not interact with the other unless it is to consult with them on what they need to change or do within the environment that we’re working within,” he said. “But there is a conflict of interest. And I have had to say no to business where they say, ‘Hey you can have my MSP business or you can have my vCISO business or my compliance-as-a-service business. You can’t have both.’ And we decide which one is in the best interest of our organization and them as a customer and where the best fit is.”
General Informatics also separates its vCISO service from its virtual chief information officer (vCIO) service, he said. The vCISO business exists to audit his MSP’s work and provide mitigation plans to execute.
He tells his team that “if other MSPs can use our MSSP as an outsourced third party, then we’ve done this right,” he said. General Informatics serves as a vCISO for about 10 hospitals with another IT company managing them.
“Every once in a while, they get behind on all of their vulnerability management projects,” he said. “And so I will call them and say, ‘Hey, guys, I just want to let you know, your aggregated risk score continues to go up because your IT team is not mitigating the issues that we’re finding. Do you need help?’ We’re happy to get our MSP team engaged. And so we sell a lot of projects on mitigation because of that.”
General Informatics has considered running its security services business as a solely-owned subsidiary with its own Federal Employer Identification Number (FEIN). For now, it’s under a different department name within the company.
“We haven’t made the decision yet to completely separate it,” he said.