Can You Really Make Money Out of Security Services?

Robin Vann

Babcock MSS



In our Member Tip of the Month series, we turn to our readers for their insight and advice on today's key industry trends and best practices.

The question I’ve been asked most by the service providers I’ve worked with over the years, from the largest blue chip telcos through to solution providers and resellers branching out into MSSP offerings, is this: “How can I know, Rob, that these security services will make me money?”

So I thought I’d make my tip of the month an overview of how security service providers can stack the odds in their favour, without too much heavy lifting!

Security service success? Ask the right questions!

I’ve seen a lot of great security services fail spectacularly. Often, this is because those businesses don’t ask themselves the most basic questions, namely:

  1. Will customers buy it?
  2. And who are the customers, anyway?

Security is never straightforward, so let’s work backwards and take the second question first. To answer this, you need to be absolutely clear on where your services are pitched. At existing customers? Or at a new market that you’re trying to open up?

Yet these two pitches are actually fundamentally connected, because:

  1. Existing customers win new ones: Security services are bought on trust and reputation. You need positive references from existing customers to capture the new customers that will grow and scale your business.
  2. Single solutions don’t feed new markets: Customers don’t typically buy security services in the singular, unless they are very niche (example: intelligence-led SOC) or have proven, genuinely unbeatable USPs. But offer a variety of complementary security services and you can potentially sell into each customer, existing and new, many times, multiplying your revenue streams as well as keeping your customers maximally protected.

Conclusion: your leads are whoever has a need for the range of complementary security services that you can offer, whether they’re existing customers or brand new prospects!

Now to the first question: will customers buy it? In my experience this is the single most overlooked question when starting up services. But it’s not rocket science; we just need to map the services to the cyber risk level of the target customers to get a probable answer.

So where does the risk to your target customers come from? Is it opportunists and script kiddies? eCrime? Or high-end handcrafted malware from state-sponsored actors?

It’s critical to understand whether your service will mitigate the right risks for your target customers.


Quick clues: map profitable propositions to customers

While you can spend endless amounts of time researching and analysing this data, there is a shortcut I use. By looking at the level of a customer’s security spending, you can gain a fair insight into the maturity of that customer and hence their risk profile.

Those who spend virtually nothing are at great risk from opportunistic, low-level attacks. But by virtue of their low spend, they’re probably not protecting anything that would attract the attention of nation states, or justify the time and effort that a handcrafted attack requires.

Conversely, customers who spend high on security will almost certainly be well protected from simple attacks, but usually have something of higher value to defend – putting them at greater risk from the more specialised end of the cyber threat landscape.

(Caveat: these aren’t flawless rules. Insider threats and supply chain attacks can skew the results, but as a good initial indicator of whether your services are aligned to your target market, the rules have merit.)

The cyber crystal ball: what future for security services?

Looking forward, though, you’ll also need to look at pricing and competition, acquiring and retaining new service capabilities, and future-proofing the service and your revenues.

And staring further still into the crystal ball, I see changes on the horizon. Most security services today are prevention-centric, and that simply won’t support your profitability in the future. Why? Because, these days, no network is impenetrable. It’s how your services analyse and contain the threat once it’s in there that is the critical differentiator customers will be willing to pay for.

In short, MSSPs need to start to look at building capabilities or partnerships to strengthen analysis, monitoring and incident response services to customers. That’s where the money is.

No service provider can build today’s pipeline selling yesterday’s value!

You can catch me live at the CompTIA Leeds meeting discussing strategies for becoming a leader in managed security services – get more information and register here.

Robin Vann is sales and marketing director for Babcock MSS.
