By Stephen J. Bigelow, Features Writer
Managed security service providers (MSSPs) face a myriad of technical challenges in the infrastructure they develop, the tools they employ and the processes adopted to drive services. There are also numerous business challenges that make it difficult to provide the right services at the right time and for the right cost. These issues can pose barriers to entry into the market and limit profitability if not addressed adequately. The first part of this hot spot tutorial explained the basics of
Significant technical and business challenges for managed security service providers
Managed security service providers face an array of technical challenges, but scalability, automation, internal processes and professional expertise are often cited as the most significant technical issues. MSSPs often face problems when scaling their business, usually because the core infrastructure elements implemented for the business don't provide the level of scalability, multi-tenancy or storage performance needed to support their growing client base -- often a consequence of initial investment and development decisions.
"You cannot run a successful managed services business by trying to leverage off-the-shelf, prepackaged security technologies," said Jason Hilling, manager of platform solutions for IBM's Global Technology Services division in Atlanta.
Scalability concerns are also exacerbated by poor automation and a lack of back-end tool integration. According to Hilling and other MSSP experts, automation is critical to maintain an acceptable profit margin, especially for MSSPs that cater to the small and medium-sized business (SMB) market. Security tools are often custom software products, relying on experienced security professionals to develop meaningful rules and analytical behaviors for the software, providing the reporting and actionable results that clients pay for each month. Hilling noted the critical importance of connecting security offerings with back-end systems.
"It has to do with plugging those security products into their back-office systems of provisioning, billing, ticketing, workflow, event correlation and customer-facing portal," said Drew Savage, MSSP manager of the U.S. service provider group at Fortinet Inc. "It's a software [integration] project -- it's not about the security technology."
Business challenges can also vary, but are most commonly related to cost, regulatory compliance and pricing clients correctly within each vertical market. Compliance issues are particularly challenging, because new regulations are emerging and existing regulations are changing. You need to stay in touch with the current compliance landscape.
"Storing data for a healthcare organization means that the provider is subject to various aspects of HIPAA," Hilling said, noting similar compliance obligations in the retail vertical with PCI rules, as well as financial and other verticals. "The compliance piece is a tricky, difficult business driver for managed service providers."
MSSPs also need to deal with constant margin and pricing pressure. Clients understand that security technologies are constantly improving and becoming more economical -- they typically expect a provider to maintain a competitive menu of services and offer additional security features without a significant price increase each time that the service contract comes up for renewal. Providers are challenged to reduce costs in order to maintain service profitability. This places a heavy emphasis on process automation to reduce labor costs and is increasingly pushing providers to use offshore labor sources.
Pricing within each vertical market will affect your profitability. Some verticals, such as retail, are extremely frugal, while other verticals, like finance, will often pay a premium for managed services. As a managed security service provider, you need to know your customers.
A strong sales presence is also critical for revenue generation, and finding qualified sales professionals is another business challenge for MSSPs to contend with. "Always be looking for good sales people," said Steve Lubahn, senior technical sales representative for LockNET Inc. of La Crosse, Wisc. "Have a solid program to train, retain and attractively compensate your top sellers."
How to ease a client's transition into or out of managed services
Transitioning your client into managed security services is perhaps the most challenging part of any service relationship. The implementation must be planned and executed with great care. Problems at this point can incur added client costs, dissatisfaction and a rapid breakdown of the relationship. This is where an MSSP's professional project management skills are essential.
"There's no easy way around it," Hilling said. "It requires flawless execution on a very complicated list of tasks that do represent risk to network uptime and availability." Demonstrated experience with a record of smooth implementations can allay many of your client's fears.
One way to streamline implementations is to adopt a "project manager" model -- providing a single contact for the client on the MSSP side. Project managers coordinate with sales and engineering prior to the implementation. Project managers can also help after the implementation by providing follow-up and coordinating any important alterations prior to the client's final acceptance of the service.
The biggest implementation problems for an MSSP often occur early in the planning process: deciding what devices are needed (if any), determining their location in the client's architecture and then establishing the proper configurations. This requires accurate and complete network documentation from the client. Unfortunately, many MSSPs have limited staff sizes and cannot survey each client's site in detail, relying instead on details provided by the client. There's no substitute for due diligence. "That [network information] is the thing that is most often incomplete, inaccurate or just nonexistent," Savage said. "To have a technically sound, 'works-right-day-one' solution, you have to have all that information as an MSSP."
Service acceptance is generally the last phase of implementation. Once the service is running, your client has a set period of time (typically outlined in the service contract) to acknowledge and accept the service before billing is started. This offers the client a period to address unresolved issues and verify that they're getting the services they contracted for.
Managed services are typically not a lifetime commitment, and clients may eventually move away from your services in favor of less expensive providers, as a consequence of a merger or acquisition or any number of other reasons. So transitioning clients out of managed services is another process that you'll need to deal with as an MSSP.
Most service contracts include language that describes service termination. Tell your clients how they'll access their devices and the state those devices will be in after service termination. If you offer services to assist the client in termination or transferring services to another provider, be sure to outline the extent and costs associated with those services.
Common mistakes to avoid as an MSSP
Hilling and Savage point to several common mistakes made by VARs that choose to enter the managed security service provider market. Perhaps the most substantial mistake is a lack of long-term investment. For some VARs, this represents a lack of financial investment, inadequate investment in infrastructure or a failure to make the internal cultural shift necessary to meet the demands of an MSSP.
"Too many VARs are entering the managed service business thinking it will increase their margins, without realizing the level of resources and skill levels required to efficiently manage more than a handful of clients," Lubahn said. This problem is often worsened by a lack of business focus -- offering too many different products or services and thereby diluting sales efforts.
MSSPs are also challenged by the dynamic nature of security and the demands of rapid response. New virus outbreaks or vulnerabilities require immediate practical solutions. This is an area where investments in security professionals and mechanisms for rapid notification or patch deployment can make a substantial difference in the way you deal with new threats.
Finally, don't overlook the revenue potential in up-selling the user base. While a client may not utilize all of the features and functionality in their security hardware, your detailed understanding of those capabilities may lead to additional incremental revenue in the future simply by enabling unused features already available and in place.
For example, suppose you deploy a security device that includes intrusion protection, but that feature is not currently utilized. The appearance of a new worm or attack may offer exactly the right justification to up-sell those added services. From the provider's standpoint, the issue is as simple as activating an idle function on the client's security hardware.
"That flexibility, and the ability to quickly react to your consumer's demand -- as well as do things like launch email campaigns into your install base -- is just huge for the commercial viability of your service," Savage said.
This was first published in May 2008