MSPs Say Security Should Be A Part Of Every Offering


Adding managed security services to a MSP's stable of services is an important driver of future growth, but it's not a move to be taken likely, according to a panel of MSPs.

Those MSPs, speaking to an audience of peers at this week's NexGen 2018 Conference and Expo in Anaheim, Calif., discussed both the importance of making sure security is a key part of any MSP's practices and some of what it takes to bring on a security practice.

The panel presentation was led by Chad Paalman (pictured, left), CEO of NuWave Technology, a Kalamazoo, Mich.-based MSP who said he saw first-hand the implications of not having a solid security system in place.

[Related: Fortinet: Firms Adopting Managed Security Services For Ease Of Use]

Sponsored post

Paalman said he had a medical practice in place a few years ago, and was called by a health-care client who got hit by the CryptoLocker ransomware. After finding the backups good enough to restore from and getting the client back in production, the next day the office manager called and asked if it was necessary to report the incident, to which Paalman responded that it might be better to ask an attorney.

"Next day, I had an attorney call me and [tell me] we were idiots," he said. "We destroyed the evidence."

The FBI also contacted Paalman to say that the incident, because of the health-care nature, should have been treated as seriously as a death where the site would be wrapped up to prevent messing with evidence.

Paalman's fellow panelists also noted the difficulties faced by MSPs looking to adopt security as part of their practices.

It seems as if the move to add security is a never-ending journey into chaos, said Lou Ardolino (pictured, center), director of client services at TBNG Consulting, a Milford, Conn.-based MSP.

TBNG Consulting recently hired the former chief information security officer of the State of Connecticut to put the right processes in place to make security a key part of its managed services, Ardolino said.

"But we are always asking, are we really ready to take on all this. … As an MSP, we're trying to figure out the road map when we're on it," he said.

Ben M. Johnson (pictured, right), CEO of Liberty Technology, a Griffin, Ga.-based MSP, said it is important to keep in mind that security is a journey, and one that is not a linear path.

"It's like the early days of managed services," Johnson said. "I don't think everyone has figured it out. I think even MSSPs [managed security service providers] are having issues. They know the security, but may not know the nuances of managed services."

Getting paid properly for services is an issue, but it can also mean opportunities, Ardolino said. He cited the example of a city government that eventually dropped his company because of budget concerns. TBNG Consulting's director of managed services a couple of months ago got an email from the mayor about a desktop issue, and in response sent an instant response team.

As a result, TBNG Consulting is back in with the city as a security services vendor, Ardolino said. "They know we have an instant response team," he said.

Clients, especially smaller businesses, often have no idea of the value a security service can offer, Johnson said. He said his company sees many people who believe they don't need security services because they feel their data is not worth stealing.

Johnson said he points out to such businesses that their data may not have a specific value in itself, but it is valuable because, if stolen, can be used in attacks against that business' customers. "There is a civic duty involved here. … What we're really selling here is risk-reduction," he said.

Ardolino said his company is looking at the possibility of starting a separate company focused specifically on the security business, but he realizes that such an entity would still require support from TBNG Consulting on the managed services side.

Johnson said there is a short-term advantage in setting up a separate security-focused entity.

"But in the long term, if every MSP is not thinking like an MSP, the industry will be in trouble," he said. "Security should not be an afterthought."