Recurring Security Assessments Can ‘Elevate’ MSP Programs: Galactic Advisors

Providing penetration testing and other third-party assessments can help MSPs to prove the value of advanced security services, said Bruce McCully, CEO of the cybersecurity assessment and consulting firm.

MSPs that can bring third-party security assessments to their customers on a recurring basis are going to have far bigger growth opportunities ahead, according to the CEO of cybersecurity assessment and consulting firm Galactic Advisors.

Bruce McCully, who also serves as chief security officer (CSO) at the Nashville, Tenn.-based company, spoke to an audience of MSP executives Sunday at XChange March 2024, which is hosted by CRN parent The Channel Company and being held this week in Orlando.

While many MSPs already offer basic security-related services to their clients, “you elevate yourself with recurring, third-party analysis like penetration testing,” McCully said. “And it allows you to introduce things like advanced security compliance-as-a-service and vCSO services.”

Along with demonstrating the need that clients have for adopting additional security services, third-party assessments also can provide a reason for having more frequent conversations with clients in an advisory capacity, he said.

Ultimately, amid the ever-intensifying threat environment, “the risks are real,” McCully said. “And you can prove it with a third-party assessment.”

The notion that security assessments can be valuable for MSPs and their clients definitely resonates, according to Matt Disher, president and CEO of Southwest Networks, a Palm Desert, Calif.-based MSP.

In particular, with the need for most organizations to obtain cyber insurance, the insurer questionnaires often now ask whether penetration testing is being performed, Disher said.

And doing the assessments on a recurring basis is also important, since changes are continually taking place within an organization’s IT environment, he said.

For instance, “a new copier can come in that could bring vulnerabilities,” Disher said. “So having those assessments run on a regular basis is very valuable.”

Beyond doing assessments, McCully noted that many MSPs will need to meet a lengthy list of requirements in order to be able to offer vCSO services.

Still, the opportunity is massive, given the huge demand for CSOs and the shortage of professionals who can fill the roles, he said.

“I know some of you are thinking, ‘Can I really do this?’” McCully said. “And the answer is, of course—you already do lead and manage an effective security or compliance program, or you wouldn't be here.”