Cybersecurity is inherently complicated. It’s not an easy job, and it’s a never-ending one as well. There’s unfortunately no such thing as “completely secure”. There’s “more secure” and “behaving securely”, but you’ll never finish the game. Cybersecurity is a constant cycle of challenge and response.
Many businesses can only make their cybersecurity as strong as their budget and human resources constraints allow. This can be frustrating for people working in the field. To us, it’s obvious that we—IT providers, security analysts, CSOs, etc.—should do everything necessary to ensure our organizations are as secure as possible.
At some point, however, we have to understand that the concept of “everything necessary” is an endless pursuit. You have to prioritize. As security providers, we need to be able to choose which initiatives and investments will have the greatest return. This is true not only for the security protocols and procedures we put in place internally, but delivering managed cybersecurity solutions to customers as well.
Scaling your security business
It’s no secret that demand for cybersecurity services is skyrocketing. Managed service providers (MSPs) and managed security service providers (MSSPs) are shooting themselves in the foot if they’re not focused on growing in the current market. But it’s also no secret that the labour market is tight. Highly trained and educated cybersecurity workers are expensive, and even entry-level tech employees are hard to find and retain.
So for MSPs and MSSPs trying to grow their business, the options can seem limited. You can try to hire more people, which costs time and money, or you can try to become more efficient with the resources you have, which comes with its own set of challenges. Which is the better path?
The answer is neither, and both 😊.
Short-term solution: Make the most of what you have
People can’t have every skill set. This is something MSPs need to recognize when it comes to cybersecurity. Your people most likely wear a few different hats with regards to their roles and responsibilities. If your budget is strapped, think about how you can be efficient with the money you have. Can you be creative and still provide a great return?
When I talk to MSPs and MSSPs, a lot of the conversation is around how to do more with the same amount of people. For a company that provides services, outsourcing and automation might seem like an oversimplified response, but we’ve had a lot of success when we present this in a realistic and constructive way. We’ll ask, “What roles are you having trouble staffing?” as well as “What do the people working for you now like most? Where are they more valuable?”
The idea is: focus your attention, resources and manpower on your existing services that are profitable and appreciated by clients, and then find alternative solutions (be it outsourcing or automation) for other projects you want to accomplish. Hone in on the high-value, client-facing activities, and fill in the gaps for the less-exciting (but nevertheless important) stuff.
Standardize and automate where you can
Standardizing and automating as many operations as possible can help MSPs create a formulaic revenue model based on customer profiles with similar needs. Organizing the services you provide around specific verticals or target markets will also help implement a rinse-and-repeat strategy for your business that will increase your monthly recurring revenue.
There are solutions out there that can help you deliver cybersecurity while maximizing your current staff capacity and continuing to add value for clients. Some Sherweb partners have been able to double the number of clients they could manage with the same number of staff. It’s not magic, it’s simply outsourcing time and labour-intensive activities like alert monitoring, incident response management and SOC activities. This gives you more time to focus on new projects that make your MSP business more profitable.
Remember: you don’t need to say yes to everything. Sherweb partners that have seen the most success in the cybersecurity realm are the ones that say no. That sounds crazy, saying you’ll have more business by declining business, but we’ve seen it over and over again. Building out a standardized stack for security automation as well as a standardized procedure by leveraging PSA or RMM will give you a dependable practice with consistent results.
The MSPs and MSSPs we work with that grow the fastest are the ones who present a succinct offering. They say, “I’m replacing your firewalls and router— your network equipment. Here’s my antivirus software. Here’s my EDR software.” It has to be standard. Once you have that, you can go above and beyond with special projects to your heart’s delight.
Becoming more efficient with the resources available to us is a much more reliable path to success than trying to solve the labour crisis by ourselves. However, while automation, standardization and outsourcing will help address your capacity requirements and ability to scale, you’ll never be able to ignore the HR side of things completely.
Speaking of labour crisis…
We know that the number of cyberthreats increase every day and incidences of successful cybersecurity penetrations continues to accelerate. The damage done per successful security breach is also increasing, despite the fact that we have more security tools at our disposal than ever before. And yet, fewer qualified humans are available to fill positions in the field. The cybersecurity talent supply is significantly lagging behind rapidly growing demand.
If you’re currently trying to find experienced cybersecurity talent with specific knowledge of the role you need filling, you’re probably banging your head against a wall. These people do exist, they’re highly educated and specialized, but you will struggle and compete to win them. If you succeed, they will be incredibly expensive, because supply.
On the other hand, finding personnel willing to perform work such as overnight security monitoring, alert response and incident management is also a challenge in the current labour market. There’s no simple fix for this. But that doesn’t mean there aren’t any solutions.
One of the things we’ve done internally is train existing IT employees to be cybersecurity specialists. We start by providing targeted training. Later, we assign them tasks assisted by automation and AI. Then, more high-level cybersecurity analysts provide further training on a number of standardized cybersecurity jobs.
Hiring in IT isn’t easy, but it’s still easier than hiring cybersecurity talent specifically.
Another potential solution is grassroots and educational activities that drive people toward STEM subjects. If more people are exposed to the field of cybersecurity, it’s only natural that more people will subsequently consider it as a career option.
Sherweb works with academic institutions to create intern opportunities for students in cybersecurity programs. Collaborating with schools gives us an opportunity to create our own talent pipeline and influence the skills employees come with after they graduate. There’s also the potential for these interns to return to us as full-time employees, bringing our efforts full circle.
Don’t shy away from this opportunity
Now is the time to capitalize on cybersecurity demand. There’s a lot of business out there for MSPs and MSSPs to take on. Even if you don’t have the capacity right now, you can be more productive with the tools currently at your disposal by standardizing, automating and outsourcing processes wherever you can.
You could also leverage a partner like Sherweb to help you make it happen. By offloading menial tasks on our services, you can then reserve your best talent for where they matter most, on the front lines of your business with your customers. Sherweb provides services specifically designed to fill gaps on MSP security teams. Some of these roles are simply things nobody wants to do—nobody wants to respond to an alert from a security system on a Sunday night— but that are crucial just the same. We can also assist with higher-level tasks and business strategy, empowering MSP partners to achieve their unique goals.
A competitive labor market and talent deficit is something everyone in the tech business has to wrestle with, but it’s not the responsibility of individual MSPs and MSSPs to solve the crisis. Channel businesses can still offer security services and solutions despite a lack of cybersecurity talent. Empowering MSPs to do so is what Sherweb strives toward as a value-added cloud solutions partner. Take a look at our Partner Guide to learn more, or reach out to us to start a conversation about how we can help your security business grow.