To tier or not to tier - that’s always the question when building out the security offerings your MSP will offer clients. Find out what fits you best in this second part of the series that builds upon the personal experience of the author.
Silver, gold, or platinum? All in? Custom plans tailored by industry or company size? There are many ways to build out your security offerings, and over the past dozen or so years, I’ve tried most of them. Like so much in this industry, there is no one perfect answer that suits all of us. But after trying each of the above options, I can shed some light on how we got to where we are now. Currently, we are mostly all-in but offer extra options for those with compliance requirements or that just want a stronger security posture.
Read the first part of this series: The ideal security stack - part one
The best thing about building a tiered security offering is that you have options. However, the worst thing about building a tiered security offering is also that you have options.
For many years I stuck with good, better, best options in both our managed services and security plans. But that made for some complicated discussions and sales meetings. One of the most useful aphorisms I’ve encountered is “there is no such thing as a confused buyer,” and having that much choice really does limit you more than you may realize.
While we still have three MSP tiers (though one is just for onboarding with billable project work), I have reduced my security to a single primary offering that is bundled with all three MSP plans. We do offer some upsells to that stack (more on that later), but everyone gets a solid security stack without cutting corners. I honestly believe that there is no such thing as a business that does not need to focus on IT security, neither as a client nor as an MSP.
It is important to remember that no matter what else you get right, if you get security wrong, you lose.
That is why we place our full security plan at every site. Note that I did not say “we offer” but rather “we place” as there is a big difference there. Nothing differentiates my MSP practice more than our focus on security. I would make the argument that every MSP should behave this way, but we are a very long way from that reality, and for now, that continues to be our “why”. Though, it is important to note that nothing we do engenders more pushback than trying to proliferate our security stack to all of our sites, and all of our users’ behaviors.
I never thought I would miss the days when, in terms of IT security, cost was the biggest issue. In today’s world, the bigger issue is the inconvenience of securing your business, including things such as DPI SSL, MFA, user training, and more. I’ve often drawn a very simple diagram for our clients. It is a straight line with “S” on one end, and “E” on the other. Secure or Easy. Of course, you know where we want that dot to land, and that is why we are an “all-in only” shop.
Having said that, and while we do deliver a complete security stack everywhere, there are a few options that we can add for those with greater needs or desires. In this sense, we can custom tailor plans for those with compliance needs, but still behave as an all-in-only shop. For the time being, our main options are application whitelisting and privilege escalation. I am sure that some of you include these in your base plan and I can surely understand the argument that every MSP should do the same. But we do not do so, yet.
That really comes down to the issue of the trade-off between secure and easy, as referenced earlier. While I would love to have nothing but standard users at every site, and provide privilege escalation as needed, we are not there yet. And who does not want the peace of mind that application whitelisting would provide? But as with so many other things, we have made our long security journey one step at a time and will never be truly done with it. I have no doubt that our stack will continue to evolve, perhaps even in unpredictable ways.
I can say with certainty that our security offerings will broaden and deepen over time. We will offer more services and place more emphasis on universal adoption of those offerings. After all, the nature of the threats we face changes all the time, and the numbers continue to move in only one direction. My cadence has been to offer additional optional services every year, and then move some of those into our security stack every other year, upping prices on that second year. What I cannot say is if, or even when, this may change.