9 Best Practices for Managing a Successful MSSP

Rotem Shemesh Publication date: 21 March, 2023

Being an MSSP today means that your services are more in-demand than ever before. Opportunities abound, as do risks.  

Because this journey involves a lot of uncertainty, we wanted to make it easier for you by providing real-world, practical tips and advice from other MSSPs.

We talked to our MSSP partners, collected valuable tips from them on how to get the most out of your MSSP business, and consolidated them all here.   

What follows are practical tips, thoughts, and suggestions for your MSSP business, touching on everything from technology to the commercial side of your company.  

1. Stay up-to-date with relevant technologies 

We all know that the cyber threats we face are constantly evolving. From malware automation to phishing kits available on the dark web, attackers are constantly trying to get ahead of our defenses.  

Just as the threat landscape is constantly changing, so too are the technologies at our disposal. Staying up-to-date with the latest technologies, products, tools, processes, and platforms ensures that you know you’re doing your best to keep your customers safe, while they know they are getting a valuable service from you. 

2. Build and maintain partnerships 

Great businesses take a long-term view when it comes to success. Of course, the short-term is important – employees and suppliers need to be paid, and the business has to run – but taking the long view can be the difference between your MSSP being “good” versus being “great.” 

Key partnerships can be with vendors, other suppliers, customers, third-party service providers, trade show organizers, and even other MSSPs.  

The strength of your relationships with your clients and vendors is crucial for the success of your MSSP business. Develop strong relationships with your clients by providing excellent customer service, responding quickly to their requests, being proactive, and articulating the value you give them regularly. Work with vendors that support this approach by providing the needed SLA and helping you communicate the value to your customers on an ongoing basis.  

These strong relationships will help you build trust with your clients and improve your ability to deliver security services that meet their needs.  

3. Ensure you know the current security gaps at all times 

This applies to your customers, to the market in general, and even to your own business. You can only effectively offer protection when you know what it is that you’re protecting; where the risks lie, now and in the future.  

Running a risk assessment at least once a year on each of your clients (though quarterly is better) will highlight security gaps, and help focus you on where resources should be allocated.  

Bear in mind that risk assessments should be updated regularly, as a one-time assessment is not nearly as effective as a series of assessments that show a change over time.  

While this may seem daunting and resource-intensive, there are modern platforms available that can automate this entire process, dramatically shortening it to just a few hours of work.  

4. Continually improve your incident response plan 

In the military, there is a strong emphasis on training and planning. The thinking is that when an incident occurs, everyone will know exactly what to do. The same is true for an incident response plan.  

Particularly when it comes to serious and time-sensitive incidents such as a ransomware attack, having an up-to-date plan can make all the difference.  

Experts recommend that an incident response plan be a “living” document that is also stress-tested often. When an incident occurs, time is of the essence, and your reputation is on the line.

What’s more, as noted previously, threats and technologies are constantly evolving. Your incident response plan should also evolve accordingly.  

5. Focus on communication 

Communication can solve so many real and potential problems. It has several applications, and each one is super important for your ongoing success:

  • Communicate with current clients: this is tremendously reassuring and is often the catalyst for renewed contracts. This type of communication can include updates on the current and future capabilities of your practice, new services being offered, and new technologies, and it can position your business as a thought leader and trusted advisor.
  • Communicate with potential clients: You know how great your business is, but relying only on word of mouth for organic growth can slow you down. So make sure to set aside time for marketing, such as newsletters, LinkedIn posts, blogs, and so on. Having testimonials from existing customers will make these communications even more impactful. 
  • Communicate effectively during incidents: when things aren’t going well – like during a security incident – is exactly when your communication should increase. This assures your customer, prevents panic, and ensures an optimal outcome for all concerned. 
  • Communicate customers’ security posture: it’s a high-impact, high-value practice to communicate developments and changes to customers’ security posture to them on a periodic basis. This information should be standardized so that periods can be compared easily and any trends noted. And there is a bonus – sometimes it will reveal gaps that need to be addressed – an opportunity for you to sell more products or services.   

Part of effective communication includes listening to customers; listening to what they want, and asking the right questions to understand what they really need, will allow you to sell more – and have happier customers. 

6. Regularly review and update your offering 

What clients wanted ten years ago – or even two years ago – is not necessarily what they want or need today. Your offering needs to reflect this.  

We’ve discussed evolving threats and new technologies; and while you can offer new solutions “piecemeal” or as add-ons, there’s a tremendous opportunity to create a whole new and exciting offering around many of these opportunities. 

Take strategic security services or virtual CISO services for example. With SMBs and SMEs increasingly targeted by attackers, every business needs vCISO services in some way. This could include comprehensive risk assessments, the creation of tailored security policies, compliance readiness, building remediation plans and ongoing cybersecurity management and execution for your clients. With this service in such high demand, your MSSP can offer this to clients, differentiating from the competition and creating a whole new revenue stream.  

Getting started is easier than many people think, especially if you use a dedicated vCISO platform that streamlines the processes and automates a big portion of the manual work allowing your team to be more effective.  

7. Demonstrate ROI 

In a world where budgets are tight and everyone needs to show results, being able to demonstrate ROI to customers is gold. You know you’re providing incredible value, but this needs to be presented to customers in the right way to be truly appreciated. Similarly, customers often have to demonstrate the ROI of your services internally – so it’s good practice to help them with easy-to-digest information. 

A great way to achieve this is to show how your work made the customer more secure over time.  

8. Leverage automation and AI 

Offering new services such as vCISO services sounds great in theory, but many MSSPs are apprehensive about starting or expanding this aspect of their business due to issues with scalability.  

Leveraging automation and AI can help you overcome these limitations, and turn a new offering into a key revenue driver for your business.  

For example, through a combination of AI algorithms together with CISO knowledge and knowhow, Cynomi’s vCISO platform automates manual time-consuming tasks and generates everything you need to provide vCISO services at scale: from risk and compliance assessments to gap analyses, tailored policies, strategic remediation plans with prioritized tasks, tools for ongoing task management, progress tracking and customer-facing reports. 

9. Know how to increase revenues 

There are always opportunities to increase revenues and margins, and upsell or cross-sell. Many of these fit nicely into the other areas mentioned here. 

For example, ensuring you know the current gaps allows you to offer the most valuable tools and services to customers.  

Or, communicating effectively with customers and educating them can ensure that your services and tools offered are not seen as an unwilling cost, but rather a positive investment for the business.  

Bundling services and tools is also a great way to manage costs while growing revenue, and thus boost your margins. You can provide standardized packages, or different “tiers”.  

MSSP tips for success 

We hope that these tips resonate with you, in your journey to grow your business and offer increased value to current and future customers.  

In conclusion, our biggest tip – one we’ve seen used by the most successful MSSPs – is to leverage the right tools and platforms to scale your business, and set yourself apart from competitors with a truly unique offering. 

One such opportunity is establishing a vCISO practice or expanding your existing vCISO offering. Want to learn from others who have already done that and succeeded? Check out the on-demand webinar Tips from MSSPs to MSSPs: Starting a vCISO Platform. 

The Risks and Benefits of Starting a vCISO Practice 

Rotem Shemesh Publication date: 1 March, 2023

There has been a marked trend recently of MSP solutions shifting into the security space, and expanding their security-related activities. Much of this is “bottom-up” momentum, as SMEs and SMBs are increasingly becoming more security conscious, and MSPs and MSSPs are their natural “go to” partners for anything IT- or cyber-related. 

SMEs and SMBs have a growing need for cybersecurity services, specifically vCISO or virtual CISO services that augment their internal IT teams. This need is driven by numerous factors including more sophisticated cyber threats, insurance requirements and evolving compliance needs. 

The net result is that SMEs and SMBs are turning to their MSPs and MSSPs for strategic security or vCISO services. These service providers generally want to provide such services because they bring tremendous benefits, yet they are often hesitant to do so due to perceived risks.

We’ll look into the risks, and the benefits, of starting a vCISO practice in your firm.

The risks of starting a vCISO practice 

We’ll start with the risks. The top risks that keep MSPs and MSSPs from starting a vCISO practice in-house include:

Scale: Traditionally, vCISO services have been incredibly resource intensive, and notoriously difficult to scale. Many human hours are required to understand an organization, establish where gaps lie, create a plan to address these gaps, assess which regulatory frameworks must be complied with, establish the progress towards compliance, and so on. Doing this for a couple of customers is feasible, depending on the size and skill set of your team. But anything beyond this is just a bridge too far for many service providers.

Talent: Cybersecurity talent is scarce and expensive. Most service providers don’t have the required skills in house, at least not at scale. They might have one or two CISO-level employees, but probably not more than that.

Standardization: Not only is it challenging to scale a vCISO offering, but processes and outputs are hard to standardize, and sharing knowledge is difficult.

Budgets: Dealing with SMEs and SMBs means tighter budgets, an intense focus on ROI, and therefore a tougher sell. Sometimes the amount of resources such businesses require from a vCISO perspective – such as suitably qualified team members – does not make the proposition commercially viable.

Before you give up on the idea of a vCISO practice for your company, let’s look at some of the benefits of starting such a practice.

The benefits of starting a vCISO practice 

There is an impressive list of benefits when it comes to starting a vCISO practice. For example: 

Demand: There is huge and growing demand from customers. As noted previously, more and more SMEs and SMBs need vCISO services. To leave this demand unfulfilled, or worse, to have a competitor take up this demand, is a massive missed opportunity.

Revenue: When set up correctly, an internal vCISO practice can be a reliable, recurring, and growing revenue stream that drives margins.

Differentiation: Offering vCISO services sets you apart from your competition, and ensures you’re seen as a leader from the perspective of both current and potential customers. 

All the benefits without the risks with Cynomi 

Cynomi offers a vCISO platform that was purpose-built for MSPs and MSSPs to easily start and scale a vCISO practice, with all the benefits and without the risks. 

How does it achieve this?

Automation: Cynomi eliminates most of the manual, resource-intensive work by automating the heavy lifting, while ensuring there’s the right level of customization that each client needs. Experience shows an immediate 70% reduction in vCISO labor hours.

Empowerment: You don’t need a CISO in place to start and scale your vCISO practice. Cynomi empowers beginners so you don’t need the high barrier of professional skills in order to provide vCISO services.

Scalable: Because the platform is built on AI and automation, the lift in going from one or two customers to fifteen is negligible. Hear it firsthand from InfoSystems’ CIO, Chris Bevil, in this video.

Robust: The product leverages the knowledge of the world’s best CISOs, and standardizes the vCISO work process and output.

In short, there is every reason to start your vCISO practice together with Cynomi’s platform – but don’t take our word for it.  

Here is Grant Goodnight, PMO & Risk Officer at ESI – Electronic Strategies Inc.: “We’ve explored several products in order to find a solution that can effectively communicate risk and compliance gaps to customers that may not have IT or compliance backgrounds. We searched long and hard to find a solution to help us streamline and improve the assessment process. After finding Cynomi, we called off our search.”

He continues: “Cynomi structures the assessment process in a way that is easy for our customers to understand and easy for our technicians to implement. Using Cynomi, we can collaboratively assess client environments, identify gaps, and prioritize and track remediation. The dashboard is incredibly effective at communicating overall compliance posture and remediation progress to our clients, and the Cynomi-generated assessment reports save us dozens of work hours that used to be spent collating findings and drafting summaries. Additionally, we’ve also begun using Cynomi as a way to evaluate customer environments for new engagements and to facilitate onboarding for managed and vCIO services.”

This is confirmed by Efrem Gonzales of TecRefresh: “Cynomi enables us to provide vCISO services at scale, at a fraction of the time it took before, and increased our sales pipeline.”
 

Get your vCISO practice off the ground  

Getting started with vCISO services doesn’t have to be as threatening as you think. It can be really simple, if you’re using Cynomi’s vCISO platform.

For all the reasons outlined above, now is the time to start your vCISO practice with Cynomi. To get started, book your personal demo.