If you’re like most MSPs, you’re always looking to increase either the scope of current services within a given customer or are looking to expand your service offerings.

It’s a delicate balance providing useful, valuable services that customers appreciate with the need to run a growing business. But, at the end of the day, it’s not just revenue you’re looking for; it’s profitability. When you define your services, set service expectations, etc., you do so calculating how much time it will take your techs to address requests and resolve problems – and how much profit you’ll make to continue to grow your business.

But the business of security is a bit different from other services. While there’s still the same mixture of keeping the environment operational and addressing issues when they arise, with security, one issue can put your customer out of business.

So, how do you build a security offering that is profitable, while also ensuring your customer’s security?


There are 3 steps every MSP must take to reach the goal of profitability with a security service offering:

  •  Make the Offering Predictable – Predictability is the key to profitability; if you know what it’s going to cost you to provide the service (and you know what you’re charging the customer for that service), you’ll always know what your profit will be. Focus on creating a security stack that minimizes incidents and, by doing so, brings more predictability to the service offering.
  • Focus on Automation – While most IT professionals associate automation with productivity, the MSP should look at automation through the lens of predictability. By leveraging automation, tasks related to prevention, maintenance, and incident response – regardless of the service offering in question – will all be executed in the exact same way every time. This leads to lowered costs, improved productivity, and better margins.
  • Rely on Solutions – Beyond the automation, you need solutions in place that simplify the task at hand. If it’s patching, they need to patch every part of an endpoint (and not just, say, the operating system). Otherwise, you’ll be doing a lot of unaccounted for manual work, increasing your labor costs and reducing your profits.

Profitability in Security: A Bit More Work to Accomplish

Most services, like maintaining the customers data, systems, and applications revolve around addressing unforeseen problems (like a server crashing).  But services like security are based on the premise that there is someone with malicious intent working directly against you. This makes a service like security more difficult to be predictable.

Will a ransomware attack only impact 1 user? 5? Will it encrypt data that only affects a few people? The entire company? This extreme unpredictability makes profitability in a security service a challenge. Note we said challenge and not impossible.

You can address the unpredictable nature of an attack in two ways:

First, you can make the recurring revenue a “best effort” service, providing the solutions and services necessary to create an appropriate security stance.Incident response can be billed as a separate hourly option. Some MSPs even provide varying tiers of response time, different scopes of systems and applications covered, etc.

The other way to address the unpredictability of attacks is for MSPs to educate themselves on how attacks occur, what methods attackers use, and what gaps in security they take advantage of. Then build a layered security offering that actually provides protection. A great example of this is found in the world of evasive malware. This malware avoids detection by email gateways, virtual sandboxes, AV, and even endpoint protection solutions, and finds its way onto your customers’ endpoints. Those MSPs that are aware of these malware methods have gone beyond using just AV-type solutions and have layered on solutions that focus on anti-evasion tactics – in essence solutions that are specifically working against the evasive malware. MSPs using both types of solutions provide far greater automated protection, keeping all forms of malware out of their networks.

Profitable Security

Without profit, you don’t stay in business. And, in the case of security services, your customer faces the same possibility should “the big one” hit.  So, your interests are aligned; provide solid security with minimal incidents. If you can accomplish that, you’re both happy.

By following the 3 steps above and building a layered security strategy that addresses every form of threat, you minimize the risk of a successful attack, limit the necessity for incident response, and improve profitability.

To learn more about how MSPs can build a cost-effective IT Security practice, watch our webinar.