Industry Coverage icon

Build a Cybersecurity Services Offering

Level up your approach to offering security-as-a-service.

Unlock a Free Sample

You want to shift the focus of your IT services toward cybersecurity. There is an appetite for this in the market, and this is a much higher-valued service than traditional IT strategy, services, and support.

You don’t want to simply resell protective technology, but would rather take a more strategic approach that ensures that there are no gaps in your offering that create a false sense of security in your customers.

You are not sure how to position your offering against what you might already have, and competitive offers.

Our Advice

Critical Insight

  • Security services are journeys, not simply solutions for resale. Don’t try to sell a turn-key solution that activates “protection” upon purchase. Rather, approach security services offered as a partnership. It is, after all, a continuous journey of improvement and course correction that evolves in accordance with the changing cyberthreat landscape as well as your customer’s shifting business proprieties.
  • Know your role. A Virtual CISO cannot govern an unmanaged process, just as an MSSP cannot enforce a policy which hasn’t been written. Between customers, providers, and any other third parties, it is critical to know who is playing what role in the information and cybersecurity protection spectrum.
  • Change the conversation from cost to risk. The question is not whether the customer can afford protection. Rather, it’s how much risk can they afford to withstand. Create service tiers aligned to these levels of risk rather than tiers aligned to affordability.
  • Deliver your services the same way every time. Customers are like snowflakes; each one is unique. Your service offering will address this uniqueness within its interactions and deliverables, but the delivery of those interactions and deliverables must remain consistent across your customer base.

Impact and Result

Customers buy services that replace or uplift a function within their organization. Your job is to clarify which function you’re serving, and specificallywhat that function will do. In this research, we help you do just that.

  • Determine the functional role your service offering will play within the customer’s organization
  • Develop the activities within that role based on a well-known cybersecurity framework.
  • Standardize the activities so that they can be performed consistently by your entire delivery team.

Build a Cybersecurity Services Offering Research & Tools

1. Develop a Cybersecurity Service Offering - This storyboard explains the methodology for creating complete, well-scoped, standardized cybersecurity service offerings that align to a well-known cybersecurity control framework.

Unite your delivery team. An undefined service offering leaves everything up to those on the front lines of delivery. Use our method and tools to gather the best of what the delivery team has to offer and cement it as your unique approach to delivering cybersecurity services.

2. Security Service Design Workbook - Standardize these activities and deliverables to scale the delivery and make it easier to sell.

Use this research to determine the specific activities and deliverables needed to refine your cybersecurity services offering, while aligning them to a well-known cybersecurity control framework.

Unlock a Free Sample

Build a Cybersecurity Services Offering

Level up your approach to offering security-as-a-service

Analyst Perspective

Cybersecurity defense is an ongoing continuous improvement process.

As providers we must stop selling “solutions” and instead offer “services”. As consultants we must engage on strategy, risk, and compliance.

Over the last decade the Managed IT Services industry has done a fantastic job at productizing IT services. They can aggregate a suite of common technology solutions from multiple distributors into a complete “tech stack” and resale it’s ongoing operation and management for combined cost-per-user.

But I see many challenges with taking this same model and shifting it squarely into the cybersecurity space. For one, there may be gaps in the service offering. Perhaps the solution bundles end-user device protection with managed firewall, email protection and backup, and security awareness training. On paper it seemed complete, and added up to a per-user price that was digestible. But perhaps it failed to include a solution for better password management, or privileged access management. Gaps in the offering mean gaps in cybersecurity defense; how does a provider know where to stop stacking on solutions?

Our approach to ensuring a complete cybersecurity offering is to clarify two items: what role you play, and what that role does against a well-known control framework. Whether you’re looking to offer Virtual CISO, or MSSP, or something of your own design – deriving what you deliver based on who you are and what controls you’re working with – your offering will be tightly scoped, scalable, and much easier to explain to your prospects.

Fred Chagnon, Principal Research Director

Fred Chagnon
Principal Research Director
Consulting & Technology Service Provider Industry
Info-Tech Research Group

Executive Summary

Your Challenge

You want to shift the focus of your business to cybersecurity. There’s an appetite for this in the market, and it’s a much higher-valued service than traditional IT strategy, services, and support.

You don’t know how to create an offering that customers will buy; with so many services and technology tools in this field, what is the right offer?

You’re not sure how to position your offering against what you might already have, and competitive offers.

Common Obstacles

Your existing customers may already believe that cybersecurity protection has been fully in scope. Your customer does not differentiate cybersecurity from broader technology problems. Ask them who they’d call if they experienced a ransomware attack; if you’re already established as their MSP or Virtual CIO, it’s probably you.

A true cybersecurity service offering goes beyond traditional network and infrastructure security, into protecting identity, shaping behavior, and addressing risk and compliance.

Info-Tech’s Approach

Customers buy services that replace or uplift a function within their organization. Your job is to clarify which function you’re serving, and what that function will do specifically. In this research, we help you do just that.

  • Determine the functional role your service offering will play within the customer’s organization
  • Develop the activities within that role based on a well-known cybersecurity framework.

Cybersecurity enhancements are an objective for most small businesses

Companies are accepting that cybersecurity is a business imperative – not an insurance policy.

Companies realize the need to enhance cyber security and focus on regulation compliance.

  • 52% of small businesses are looking to enhance cybersecurity protections.
  • 21% feel they also need to focus on security & privacy regulation compliance (ConnectWise).

IT Service Providers will fill the skill gap by increasing focus on managed cybersecurity services.

  • The number of IT service providers offering cybersecurity services is expected to increase by 70 – 80% in the next three years.
  • Partnerships with security operation centers (SOCs) are also expected to grow by 70-80% in the same amount (ConnectWise).

IT Consulting Practices will be sought out for specific cybersecurity engagements.

  • The cybersecurity consulting market is growing at a CAGR of 8.4% year over year (Douglas Insights).
  • Strategic planning, vulnerability testing, risk assessment, and audit preparation and remediation remain the most commonly sought after consulting engagements.

Technology goals for the next five years

Many organizations who make use of MSPs think “security” is all-inclusive

In truth, traditional MSPs typically cover a fraction of cybersecurity controls.

Network & Infrastructure Security (inner ring)

  • Traditional MSPs typically cover network and infrastructure security. They encompass the protection of systems and networks. This includes such perimeter security as firewalls, access management, password management, DNS protection, network traffic encryption, etc.

Cybersecurity (middle ring)

  • MSPs typically cover cybersecurity. They encompass the protection of business assets from digital threats, and assist with privacy and regulation compliance. This domain covers security policies and procedures,

Information Security (outer ring)

  • The enterprise is responsible for information security. Everyone must protect non-digital information, including hardcopy data, and the distribution of information through non-digital means.

Layers of Cybersecurity Controls

Info-Tech Insight

Separating network security controls from cybersecurity controls is a challenging thought exercise even for experts in the field, so don’t expect your customers to know the difference. Be clear on what you cover.

Build a Cybersecurity Services Offering preview picture

About Info-Tech

Info-Tech Research Group is the world’s fastest-growing information technology research and advisory company, proudly serving over 30,000 IT professionals.

We produce unbiased and highly relevant research to help CIOs and IT leaders make strategic, timely, and well-informed decisions. We partner closely with IT teams to provide everything they need, from actionable tools to analyst guidance, ensuring they deliver measurable results for their organizations.

What Is a Blueprint?

A blueprint is designed to be a roadmap, containing a methodology and the tools and templates you need to solve your IT problems.

Each blueprint can be accompanied by a Guided Implementation that provides you access to our world-class analysts to help you get through the project.

Talk to an Analyst

Our analyst calls are focused on helping our members use the research we produce, and our experts will guide you to successful project completion.

Book an Analyst Call on This Topic

You can start as early as tomorrow morning. Our analysts will explain the process during your first call.

Get Advice From a Subject Matter Expert

Each call will focus on explaining the material and helping you to plan your project, interpret and analyze the results of each project step, and set the direction for your next project step.

Unlock Sample Research

Author

Fred Chagnon

Contributors

  • Samuel Bourgeois, vCISO, Dataprise
  • Vincent Lanzillo, CTO, Customer Success Agio
  • Michala Liavaag, Managing Director, CISO Advisor Cybility Consulting Ltd.
  • Ken Muir, CISO, LCM Security Inc.
  • Mani Padisetti, CEO & Co-Founder, Digital Armour
  • Rosy Pushkarma, CISO, Company Confidential
  • Jan Schreuder, Co-Founder, Cyber Leadership Institute
Visit our Exponential IT Research Center
Over 100 analysts waiting to take your call right now: 1-519-432-3550 x2019