ConnectWise CEO: MSPs Have Become Sort Of 'Complacent,' Must Get Into Managed Security
ConnectWise CEO Arnie Bellini says MSPs must create a new revenue stream and better protect customers by adding security services around encryption and penetration testing.
Security is center stage in every boardroom and presents MSPs with as big of an opportunity as cloud services, Bellini told the roughly 3,000 attendees of IT Nation 2016. But he said too many ConnectWise partners haven't even thought about establishing a managed security practice.
"You've sort of become complacent," Bellini said Thursday at the Hyatt Regency Orlando. "You've built your monthly recurring revenue and you're happy with that, but you're going to have to evolve."
[Related: ConnectWise Aims To Charm The Channel With New, Unified UI And Four Newly Named Products]
Some forward-thinking partners no longer include security as part of their basic managed services contract, Bellini said. Instead, Bellini said they add a 20 percent upcharge to the basic contract in exchange for providing customers with comprehensive security protection.
Those MSPs have been able to establish an entirely new revenue stream, Bellini said, with customers paying for both a 150-hour up-front assessment and as much as $2,500 per month for managed security services. MSPs should work to monetize their security offerings, Bellini said, since clients will turn to them first in the event of a security breach.
"You really have to add security to your managed services practice," Bellini said. "If you're selling managed services without managed security, it's like selling a hot dog without a bun."
The table stakes for any managed security practice are virus detection, malware detection and firewall intrusion detection, Bellini said, and all three of those are commonly offered by MSPs today.
But to truly add value around security, Bellini said MSPs must add penetration testing, disk encryption and network encryption to their line card, as well as an SSL for traffic coming from the outside.
"Security breaches are happening inside the office," Bellini said. "You've got to protect the network from the inside as well."
The most difficult part about providing true managed security, though, is creating an operations manual that documents how each individual client does all of its IT functions and processes, Bellini said. This should be done as roughly a 150-hour project up front, Bellini said, and billed to customers separately.
To help customers create a security manual, Bellini said MSPs will either hire a certified security expert from the outside or get an existing employee security certified.
Once everything else is in place, the final piece of a managed security practice is compliance testing, where Bellini said the MSP will test the client's security apparatus and make sure there aren't any outside vulnerabilities. MSPs should be carrying out compliance testing on at least an annual basis, Bellini said, and ideally on a quarterly basis.
"It's you kind of playing the role of outside auditor," Bellini said.
BrightWire Networks has rolled out some security offerings as part of its managed services practice, focusing primarily on lower-hanging fruit such as managed firewalls, said Gordon Carlisle, chief information officer for the Olympia, Wash.-based MSP.
"It's something that we need to offer to clients," Carlisle said. "But it's still a challenging road to navigate."
The challenges stem from a cost structure that's more aligned with the deep pockets of enterprise customers, Carlisle said. MSPs therefore face a challenge in making managed security affordable for SMBs with a smaller budget. At the lower price point, Carlisle said services such as real-time threat monitoring or penetration testing would be more difficult to pull out.
Clients with compliance needs tend to be interested in BrightWire's security offerings, Carlisle said, particularly at companies that employ dedicated compliance officers. Demand for security offerings at the rest of BrightWire's clients, though, is more of a mixed bag, Carlisle said, with many not seeing it as a serious issue.
"We're bringing it up in end client conversations," Carlisle said. "But it's a slow process to get them to recognize the threat."