Build a Cybersecurity Services Offering
Level up your approach to offering security-as-a-service.
You want to shift the focus of your IT services toward cybersecurity. There is an appetite for this in the market, and this is a much higher-valued service than traditional IT strategy, services, and support.
You don’t want to simply resell protective technology, but would rather take a more strategic approach that ensures that there are no gaps in your offering that create a false sense of security in your customers.
You are not sure how to position your offering against what you might already have, and competitive offers.
Our Advice
Critical Insight
- Security services are journeys, not simply solutions for resale. Don’t try to sell a turn-key solution that activates “protection” upon purchase. Rather, approach security services offered as a partnership. It is, after all, a continuous journey of improvement and course correction that evolves in accordance with the changing cyberthreat landscape as well as your customer’s shifting business proprieties.
- Know your role. A Virtual CISO cannot govern an unmanaged process, just as an MSSP cannot enforce a policy which hasn’t been written. Between customers, providers, and any other third parties, it is critical to know who is playing what role in the information and cybersecurity protection spectrum.
- Change the conversation from cost to risk. The question is not whether the customer can afford protection. Rather, it’s how much risk can they afford to withstand. Create service tiers aligned to these levels of risk rather than tiers aligned to affordability.
- Deliver your services the same way every time. Customers are like snowflakes; each one is unique. Your service offering will address this uniqueness within its interactions and deliverables, but the delivery of those interactions and deliverables must remain consistent across your customer base.
Impact and Result
Customers buy services that replace or uplift a function within their organization. Your job is to clarify which function you’re serving, and specificallywhat that function will do. In this research, we help you do just that.
- Determine the functional role your service offering will play within the customer’s organization
- Develop the activities within that role based on a well-known cybersecurity framework.
- Standardize the activities so that they can be performed consistently by your entire delivery team.
Member Testimonials
After each Info-Tech experience, we ask our members to quantify the real-time savings, monetary impact, and project improvements our research helped them achieve. See our top member experiences for this blueprint and what our clients have to say.
10.0/10
Overall Impact
$13,700
Average $ Saved
20
Average Days Saved
Client
Experience
Impact
$ Saved
Days Saved
InfoWorks, Inc.
Guided Implementation
10/10
$13,700
20
Oklahoma Office of Management and Enterprise Services
Guided Implementation
10/10
N/A
N/A
Build a Cybersecurity Services Offering
Level up your approach to offering security-as-a-service
Analyst Perspective
Cybersecurity defense is an ongoing continuous improvement process.
As providers we must stop selling “solutions” and instead offer “services”. As consultants we must engage on strategy, risk, and compliance.
Over the last decade the Managed IT Services industry has done a fantastic job at productizing IT services. They can aggregate a suite of common technology solutions from multiple distributors into a complete “tech stack” and resale it’s ongoing operation and management for combined cost-per-user.
But I see many challenges with taking this same model and shifting it squarely into the cybersecurity space. For one, there may be gaps in the service offering. Perhaps the solution bundles end-user device protection with managed firewall, email protection and backup, and security awareness training. On paper it seemed complete, and added up to a per-user price that was digestible. But perhaps it failed to include a solution for better password management, or privileged access management. Gaps in the offering mean gaps in cybersecurity defense; how does a provider know where to stop stacking on solutions?
Our approach to ensuring a complete cybersecurity offering is to clarify two items: what role you play, and what that role does against a well-known control framework. Whether you’re looking to offer Virtual CISO, or MSSP, or something of your own design – deriving what you deliver based on who you are and what controls you’re working with – your offering will be tightly scoped, scalable, and much easier to explain to your prospects.
Fred Chagnon
Principal Research Director
Consulting & Technology Service Provider Industry
Info-Tech Research Group
Executive Summary
|
Your Challenge You want to shift the focus of your business to cybersecurity. There’s an appetite for this in the market, and it’s a much higher-valued service than traditional IT strategy, services, and support. You don’t know how to create an offering that customers will buy; with so many services and technology tools in this field, what is the right offer? You’re not sure how to position your offering against what you might already have, and competitive offers. |
Common Obstacles Your existing customers may already believe that cybersecurity protection has been fully in scope. Your customer does not differentiate cybersecurity from broader technology problems. Ask them who they’d call if they experienced a ransomware attack; if you’re already established as their MSP or Virtual CIO, it’s probably you. A true cybersecurity service offering goes beyond traditional network and infrastructure security, into protecting identity, shaping behavior, and addressing risk and compliance. |
Info-Tech’s Approach Customers buy services that replace or uplift a function within their organization. Your job is to clarify which function you’re serving, and what that function will do specifically. In this research, we help you do just that.
|
Cybersecurity enhancements are an objective for most small businesses
Companies are accepting that cybersecurity is a business imperative – not an insurance policy.
Companies realize the need to enhance cyber security and focus on regulation compliance.
- 52% of small businesses are looking to enhance cybersecurity protections.
- 21% feel they also need to focus on security & privacy regulation compliance (ConnectWise).
IT Service Providers will fill the skill gap by increasing focus on managed cybersecurity services.
- The number of IT service providers offering cybersecurity services is expected to increase by 70 – 80% in the next three years.
- Partnerships with security operation centers (SOCs) are also expected to grow by 70-80% in the same amount (ConnectWise).
IT Consulting Practices will be sought out for specific cybersecurity engagements.
- The cybersecurity consulting market is growing at a CAGR of 8.4% year over year (Douglas Insights).
- Strategic planning, vulnerability testing, risk assessment, and audit preparation and remediation remain the most commonly sought after consulting engagements.
Many organizations who make use of MSPs think “security” is all-inclusive
In truth, traditional MSPs typically cover a fraction of cybersecurity controls.
Network & Infrastructure Security (inner ring)
- Traditional MSPs typically cover network and infrastructure security. They encompass the protection of systems and networks. This includes such perimeter security as firewalls, access management, password management, DNS protection, network traffic encryption, etc.
Cybersecurity (middle ring)
- MSPs typically cover cybersecurity. They encompass the protection of business assets from digital threats, and assist with privacy and regulation compliance. This domain covers security policies and procedures,
Information Security (outer ring)
- The enterprise is responsible for information security. Everyone must protect non-digital information, including hardcopy data, and the distribution of information through non-digital means.
Info-Tech Insight
Separating network security controls from cybersecurity controls is a challenging thought exercise even for experts in the field, so don’t expect your customers to know the difference. Be clear on what you cover.
About Info-Tech
Info-Tech Research Group is the world’s fastest-growing information technology research and advisory company, proudly serving over 30,000 IT professionals.
We produce unbiased and highly relevant research to help CIOs and IT leaders make strategic, timely, and well-informed decisions. We partner closely with IT teams to provide everything they need, from actionable tools to analyst guidance, ensuring they deliver measurable results for their organizations.
What Is a Blueprint?
A blueprint is designed to be a roadmap, containing a methodology and the tools and templates you need to solve your IT problems.
Each blueprint can be accompanied by a Guided Implementation that provides you access to our world-class analysts to help you get through the project.
Talk to an Analyst
Our analyst calls are focused on helping our members use the research we produce, and our experts will guide you to successful project completion.
Book an Analyst Call on This Topic
You can start as early as tomorrow morning. Our analysts will explain the process during your first call.
Get Advice From a Subject Matter Expert
Each call will focus on explaining the material and helping you to plan your project, interpret and analyze the results of each project step, and set the direction for your next project step.
Unlock Sample ResearchContributors
- Samuel Bourgeois, vCISO, Dataprise
- Vincent Lanzillo, CTO, Customer Success Agio
- Michala Liavaag, Managing Director, CISO Advisor Cybility Consulting Ltd.
- Ken Muir, CISO, LCM Security Inc.
- Mani Padisetti, CEO & Co-Founder, Digital Armour
- Rosy Pushkarma, CISO, Company Confidential
- Jan Schreuder, Co-Founder, Cyber Leadership Institute
