For a number of reasons, many businesses today do not have a comprehensive internal IT department and instead outsource their IT operations to a managed service provider (MSP).
But while this approach may satisfy financial or resource-based issues, the lack of an internal IT department actually leaves one important issue unresolved: IT security education.
A reliance on external IT resources means there is less focus on keeping employees up-to-date on the latest IT security threats, meaning many breaches occur simply out of naivety and ignorance of best practice.
Inevitably, as a result of having to deal with these issues on a reactive basis, MSPs are finding themselves increasingly in the security business. The opportunity here is two-fold: increase client awareness of threats in order to reduce the likelihood of breaches, and position the service provider as an educator and ultimately an outsourced CIO.
Knowledge is power
It is widely accepted that knowledge can contribute more than 50% of the total cyber threat defence. Understanding what not to click on, which updates to install, how to spot illicit emails and so on, is the oft-repeated first line of IT security defence. All the very best malware, email security and web protection tools can be completely undermined by a single user unwisely connecting a malicious USB stick to the network.
We all know this, but the average member of the workforce does not – and if the IT department is outsourced, there are no internal ambassadors regularly reminding employees of the dangers and reinforcing best practice. Instead, the outsourced team is all too often kept at arm’s length and restricted to remedial work rather than the more valuable pre-emptive prevention.
As a result, there is an opportunity for service providers to buck the trend and offer IT security education to their clients, rather than simply managing the IT security tools in the background. In the interests of a more complete, effective and proactive service provision, service providers should be jumping at the chance to sidestep the fire-fighting that results from being kept at a distance.
In the absence of internal IT resource to provide security education and reinforcement, there is therefore a gap in a business's knowledge, creating a lucrative opportunity for service providers who can offer holistic managed security services that include education as well as purely technical solutions. However, there are a number of factors for which service providers need to be prepared if they decide to add this to the portfolio.
Firstly, service providers need to fully understand the customer’s business and their total costs of everyday operation. This in turn links to the lost opportunity cost of downtime and what security breach-related outages would therefore cost the business.
End customers are always going to measure success and value based on outcomes more than technical delivery. Service providers trying to sell managed security would therefore be well-advised to avoid focusing on the effectiveness of their technology portfolio and how adept they are at using it, and instead talk in terms of the service costs versus the downtime loss.
Secondly, service providers need to be prepared to make managed security relevant to the end customer’s business and market. Whatever vertical the business focuses on – medical, financial, manufacturing or retail – service providers must fully understand what those customers’ specific business needs are and relate the technology and service to the nuances of that individual industry.
For example, service providers targeting retail or healthcare need to understand the difference between PCI compliance and HIPAA compliance and how IT security services will impact it, or the dramatically different needs of a ‘critical’ business operation.
This isn’t the only reason why MSPs should be eager to provide IT security education. Managed security services are not just about service providers selling broader services and mitigating the number of threats they need to deal with.
By introducing managed security, the role of the service provider changes and evolves into something more than just a provider of a technical service. The broader requirements of managed security – employee education and policy management – are inherently consultative, advisory and emphasise more than just technology selection.
This transition from ‘break-fix’ to focusing on the business as a whole is a methodology that can be applied beyond security into the whole of the IT function, offering a springboard to a position as that Holy Grail for service providers: an outsourced CIO.
Sourced from Alistair Forbes, GM, LogicNow