3 Milestones Every MSP Should Hit When Launching a Security Line of Business

In previous articles, I have talked about the differences between MSP and MSSP and how important it is to practice what you preach as you look to differentiate yourself in the cybersecurity space. As we quickly approach the end of the year, I’d like to provide you all with a tried-and-true strategy for successfully launching your cybersecurity offering as a new line of business in 2018 and beyond.

Before we dive in, let me highlight one thing that I know has plagued our industry in the past. We too often end up focusing on the wrong things even though this is definitely the right time, a.k.a. “right train, wrong track.” This mentality could likely be applied to launching any new line of business, but I’d like to share what I’ve learned from my own experiences and watching what other MSPs have done, through the lens of cybersecurity.


A few years ago, I was tasked with tightening up our product offerings, reducing the product lines we support, and adding value to the existing products and services that our prospects and clients would find tangible. My big mistake was when I took our cleaned-up product line and added security as a bolt-on, not as a separate line of business. The problem was we were too focused on evaluating and selecting products.  We should have been focusing on the business line delivery. I stumbled around in the dark for almost two years before I realized that my wants were becoming a higher priority than my clients’ needs.

I wish I had known the three things I am about to tell you as it would have saved me thousands of hours of time, as well as thousands of dollars. My premise is that you desire to go from a state of not having a cybersecurity line of business, to successfully launching a cybersecurity line of business. This can be done by hitting three essential milestones. If you commit to ninety days of effort and follow this roadmap, you can be in business in one of the smartest ways possible.

Milestone 1: Learn It

When it comes to cybersecurity, my goal is to take you from being uninformed and hesitant, to capable and ignited. To do so, you need to educate yourself.

One of the first things you must learn is what exactly it entails to be an MSSP. From there, you should define and determine the following key elements:

  • Your cybersecurity business model
  • Your development strategies for cybersecurity clients
  • Your cybersecurity service delivery stack

Essentially, this will help you establish the various people, processes, and technology you need to make up your cybersecurity line of business.

Milestone 2: Lock It

As mentioned in my latest post about practicing what you preach, your next move is to become your own MSSP before you can service clients. This milestone is all about understanding your current challenges (whether it be the technology or the skills gap) and how to overcome these challenges. I want to make sure that you also understand that if you don't have the know-how and experience, it is ok to seek out a strategic partner. In fact, when we first started out, we were able to succeed because we found strategic partners.

First things first, you need to figure out the right technology stack that will enable you to lock down your own business. For many, you will likely need to take a layered approach in order to protect against the ever-changing threat landscape.

From here, you need to nail down the cybersecurity management process you intend to adopt. How will you assess and identify your cyber risks? What steps will you take to reduce your risks? Questions such as these should all be outlined and answered in your cybersecurity framework and enforced (for example, I adopted NIST 800, but there are many others). It’s important to note that this framework may be affected if you operate in a specific vertical.

Lastly, the IT talent you assemble to enforce your cybersecurity and will impact your outcome. This is probably the most important—yet difficult—step to this milestone because the people, competencies, and skill sets need to be up to par. My insight here is to lean on a third-party partner, such as Continuum, if you struggle with finding the right talent. Through the support of a Security Operations Center (SOC), IT service providers can have access to world-class security talent who act as an extension of your team. This way, you won’t have to delay the launch of your cybersecurity offering due to lack of talent development or acquisition.

Milestone 3: Launch It

Similar to the previous milestone, the “Launch It” millstone requires three pillars.

1. Demand Generation

In order to bring on new cybersecurity business, you need to first generate interest and leads. If you want to successfully launch your new cybersecurity offering, you need the right market, the right media, and the right message. Be sure you have a solid plan for targeting each of these elements before your launch date.

2. Sales Process

Effectively selling cybersecurity requires a bit of a shift from selling basic IT services. Look to nail down the packaging of your cybersecurity service offering and carefully develop your pricing strategies, which will then help you when communicating with cybersecurity prospects and making the sale. Also, be sure to build out a proper framework and messaging if you’re looking to cross-sell existing clients on cybersecurity.

3. Customer Experience

Lastly, you need to take into consideration the customer journey for your new line of business. This includes their entire lifecycle. Make sure you’re setting the right expectations for new cybersecurity clients and actually deliver on those expectations once you bring them on.


There is a great need to understand these three milestones in more detail. For those interested in drilling down in to these concepts on an operational level, I am offering a FREE, three-hour workshop! Contact me to get on my early bird list today!

Handpicked for you:
Watch Cybersecurity-As-A-Service Blueprint Webinar