IT security market: The cost of building a cybersecurity practice

Expanding into IT security services can be a costly endeavor for channel firms, requiring investment in new processes, talent and partnerships.

Security was a passion of Ron Culler's long before he transitioned his business from offering standard managed services to solely offering managed network security in 2000.

Culler, co-founder and CTO of Secure Designs, learned some valuable lessons along the way, not the least of which has been about the nuances that come with selling products versus selling services in the cybersecurity market.

"From a product-sales perspective, you are going to need competencies, hire experts to be able to configure systems and build out systems, and to do the types of things you're going to offer as part of that sales offering," he noted.

Secure Designs delivers both firewall products and services. As a result, it built a data center complete with redundancies and internet connectivity -- everything needed to support its customers' data, Culler said. Secure Designs also offers compliance assessment services for audits, something the typical managed security service providers may not have, he added.

Why add security products and services?

The main drivers for partners to begin a cybersecurity practice are the shift away from securing the perimeter, the need to focus on prevention and detection, and an increased focus on proactive security activities, according to the CompTIA report Security in the IT Channel.

The digital transformation organizations are undergoing has made data a critical asset, and better data security is a big part of better data handling, the report noted. Data in flight and data privacy concerns are prompting the need for better monitoring and analysis.

"Extensive changes in IT operations, increased reliance on technology, and heightened awareness around breaches have all led to an evolution in the corporate security approach," the report stated. "What was once an isolated function within the IT department is now a broader initiative."

While many channel firms claim to have robust security portfolios that include a wide mix of technologies and services, CompTIA believes that having broad vendor features could lead companies to claim "a specific technology or service without necessarily having the wherewithal for immediate implementation."

In the cybersecurity market, among the technologies and services that generate the most volume or revenue overall, 38% of companies reported that firewalls are their biggest seller, followed by 20% that place antivirus at the top. The next highest item was security information and event management, at just 9%.

The necessary elements of a cybersecurity practice

As Secure Designs learned, when building a cybersecurity practice, incorporating products alone won't suffice. "New processes -- risk analysis, compliance management and cloud provider evaluation -- must be part of the security mix. Education of end users -- the weakest link in the security chain -- also requires greater emphasis," said Seth Robinson, senior director of technology analysis at CompTIA, in a statement.

Depending on your specialty, it's critical to offer 24/7 response, which requires appropriate staffing with people trained and certified to handle issues that arise, such as those involving the Health Insurance Portability and Accountability Act or financial services compliance, Culler said. They must also understand the ins and outs of the physical infrastructure. If the firm doesn't have its own data center, it needs to partner with one that does.

"If you're looking at using third-party services or cloud-based services, you have to do your due diligence to actually vet those organizations … and understand where their data is stored and how it's stored," he said. For example, if a partner decides to focus on clients in healthcare, "you have to have assurances that data at rest at a cloud provider, used as part of your offering, is encrypted," Culler said.

"Never assume anything with cloud or really anything you don't do yourself or don't know of yourself. Cloud is just somebody else's computer, and all the same security requirements, system requirements and design requirements that you'd implement in your own environment need to be implemented in a cloud environment -- and they may not be."

When Culler decided to transition into a managed security service provider, he "got rid of everything else." He also opted to focus on the small and medium-sized business (SMB) market, which he defines as companies with five to 100 computers.

While cybersecurity was a hard sell in the early 2000s when the SMB market didn't believe security was an issue, the company today manages over 8,000 firewalls across the U.S. and deploys about 200 new firewall instances a month, he said.

Finding security talent

There is a well-documented supply-demand imbalance for security positions right now, so companies are seeking to fill roles while skilled security professionals can have multiple offers and opportunities, said John Reed, senior executive director of Robert Half Technology. Healthcare, high-tech and finance areas are especially in need, he said.

If you are lucky enough to find security professionals, be prepared to pay for that expertise. Network security engineers are particularly in high demand right now and had a projected 6.7% increase in salaries for 2016, Reed noted. Data security analysts saw a projected 7.1% increase in salaries for the year. Network security engineers' salaries can range from $110,250 to $152,750 as a starting point, while data security analysts can see average salaries starting anywhere from $113,500 to $160,000, he said.

Finding skilled staff can be difficult, Culler said, "because they don't necessarily come out of a university with a computer science degree and cybersecurity expertise," and if they do, they tend to be "fairly broad and not very deep."

Secure Designs looks for individuals with some security experience, solid networking and infrastructure knowledge, "and the eagerness and aptitude to learn, so we're able to bring them in, build on their knowledge, and get them credentialed in the appliances and technologies we use. They go through the education process internally."

In North Carolina, where Secure Designs is based, salaries for cybersecurity professionals run between $60,000 and $100,000, he said.

"Seek out candidates who will be an asset to your security efforts, bringing a broad range of experiences that will allow them to identify vulnerabilities in your network, and pay attention to relevant certifications and skills that will enhance your security efforts," Reed advised. And don't overlook soft skills like communication abilities, he said.

The right approach to the cybersecurity market

There is a huge opportunity for solution providers and managed service providers to offer security as part of their business, Culler said, but echoing CompTIA, he emphasized that you have to do more than merely say you offer security services and products. "The larger you are as an organization, the more resources you obviously have, but the vast majority of solution providers and MSPs have a lot of things on their plate. So if you say, 'I do security, mobile and cloud,' you have to be a huge company or you have to partner."

The cybersecurity market will only continue to grow as new devices, technologies and services come into an organization, he said. "We're not taking things out," Culler said. "We're putting things in."
