There are usually two driving forces behind the strategic decisions tech companies make. The first is determining if potential moves will be profitable. Will there be a respectable return on their investments? Could the project or program fundamentally shift the organization’s balance sheet in a positive direction?
The second factor revolves around the company mission statement and business plan. Do the proposed changes align with the organization’s long-term objectives and its core values?
The answers to all those questions don’t necessarily need to be positive to proceed, especially when an organization is forced to implement major changes to survive, but they offer management teams a guide when making less critical decisions. It’s a first pass litmus test that can be used to determine the risks and challenges associated with various business options.
MSPs and solution providers should pledge themselves to that process before building out advanced cybersecurity practices. While tech companies can theoretically offer every available tool and provide a comprehensive portfolio of assessments and consulting services, that usually doesn’t make sense. Most channel firms have financial and resource utilization limitations.
In other words, they can’t be all things to all people ̶ even in the cybersecurity space. Data and network protection is no longer a matter of installing and updating the right tools. An effective cybersecurity strategy now includes policy and procedure development, comprehensive and periodic network assessments, and advanced testing. Compliance with government regulations and industry standards adds to the complexity, with third-party evaluation requirements and other stipulations.
Compliance and Insurance Muddle the Issue
The reality is that the channel debate over whether providers can deliver all these services themselves is becoming somewhat of a non-factor. Many of the cybersecurity insurance policies that channel firms and their clients purchase have third-party auditing requirements.
That’s also a good rule of thumb for clients needing to adhere to HIPPA and other compliance standards. While some say bringing in a third-party auditor will weaken the primary provider’s value proposition, it benefits everyone in the long run.
Those reviews become “checks and balances” that validate an MSP or MSSP’s protection plans and minimize their liabilities and exposure. A good auditor also makes infrastructure and process recommendations that could lead to new project and services for providers.
End-user training and strict policy enforcement are often at the top of that list. When those recommendations come from neutral partied, it validates providers concerns and makes business leaders more likely to sign off on those long-asked-for advanced security programs.
One Size Does Not Fit All
While auditing is a specialized field that almost demands a third-party approach, there are other reasons why a channel firm shouldn’t be a jack of all cybersecurity trades. The most prominent factor is client variability.
Most SMB-oriented providers support a diverse clientele. Even firms with strong vertical specializations rarely have more than 50% of their customers from a single industry. Most of today’s channel firms started out with a couple of small clients in their community and took in any prospects that came their way. Only after most providers understand their value proposition and capabilities do they create specializations.
That can have a big impact on security. A diverse clientele will have different compliance and protection needs, which could significantly increase the size and scope of a provider’s cybersecurity practice. Just imagine the personnel and training requirements for an MSSP that supported clients in the medical, insurance, and financial fields.
It would be nearly impossible for a small team to understand and address the compliance issues in one of those industries, let alone three. Without making major investments ̶ such as hiring experienced sales and technical professionals and providing them with the tools and educational resources needed to support each of these verticals ̶ MSPs will struggle to protect those clients.
In other words, fifty customers may have fifty or more unique cybersecurity concerns. While some of those issues may be similar, a “one size fits all” may leave some clients exposed or feeling left out.
Partner and Prosper
Of course, the simple answer to the diversity and complexity problem is to partner with firms that can fill cybersecurity knowledge and skills gaps. Alliance with penetration testers and auditors, and peers who specialize in PCI, HIPPA, and other compliance concerns.
When done right, those partnerships can elevate the stature and business prospects for all involved. Small MSPs can grow their organizations with access to more advanced security services. Their partners will, in turn, see their opportunities grow. If neutrality isn’t required, those firms can build referral networks and develop co-marketing programs that emphasize the breadth and strength of their collaborative services.
Most of all, partnering allows each party to hone its skills and optimize its resource utilization. Practice does make perfect. Especially in the case of cybersecurity, where faultlessness execution is job one.
Want to learn more about building advanced cybersecurity practices and partnering? Join the CompTIA IT Security Community, a collaborative group of tech professionals engaged in developing tools and best practices for addressing those objectives.
Brian Sherman is president of Tech Success Communications, a channel-related content and social media development firm. He served previously as the chief editor at Business Solutions magazine and senior director of industry alliances with Autotask. Contact Brian at [email protected]
