OML 1 (Beginning)
In OML 1, TSPs are just beginning to understand the importance of security and GRC practices and these practices, if they exist at all, are generally ad hoc and undisciplined. You may be following some recommended configuration guidelines and best practice checklists. However, that approach is not a holistic approach. It can be overwhelming to get your arms around what you should be doing. At this stage, understanding the need to choose a cybersecurity framework is key to maturing into the Emerging (OML 2) stage.
Examples of common cybersecurity frameworks include:
The specific framework matters less than the decision to follow established security practices. No need to overanalyze. If you focus on a specific customer vertical, it would be most logical to adopt a framework relevant to that industry. For instance, the Cybersecurity Maturity Model Certification (CMMC) is for organizations performing US government or defense contracting work. However, there is a significant overlap between security standards, all of which cover the essential security basics needed by all TSPs.
Another common mistake of lower OML companies is overreliance on more experienced and typically higher-cost resources. As your organization matures and builds structure, you enable scalability and move to more reliance on less experienced, lower-cost employees. Knowledgeable and experienced security and compliance resources are very expensive resources. Operational maturity regarding security and GRC practices in your business that reduces the need to rely less on those resources will be crucial to producing BIC profitability.
Finally, while regulatory compliance obligations may provide a useful source of security guidance, it is important to understand that not all regulatory obligations constitute security frameworks. For example, standards vary in the level of specific implementation guidance provided, as some provide very specific requirements.
OML 2 (Emerging)
OML 2 is where you do the bulk of your adoption for the framework you selected. At this stage, you are laying the foundation for a GRC program and introducing fundamental policies that govern your company's processes. Implementing an IT security framework will require investments of time, treasure, and talent, and it's critical to recognize that the initial implementation process is likely to be measured in months and quarters, not days and weeks. The focus should be on developing an ongoing cadence of continued progress that ultimately will underpin iterative processes needed to maintain effective GRC hygiene. As you are in the early stages of shaping and integrating your governance framework, you have yet to reach a level of maturity where formal metrics have been established to evaluate the efficacy of your company's policies.
The investment required to properly embed security-related operational and governance functions inside your business is not a marginal exercise. Building a plan that includes the time and expense in tools and people, both to adopt and maintain this new functionality, is crucial to ensuring successful implementation. While tactical guidance is easy to find, company maturity around proper pricing, staffing, management, and the ability to properly budget will dictate how quickly you can mature into the OML 3 (Scaling) stage.
OML 3 (Scaling)
At OML 3, you will have refined your processes and governance as you have matured to a point where security is embedded in the culture and operational functions of your organization. At this stage, you are also implementing controls, which are safeguards or countermeasures designed to avoid, detect, counteract, or minimize security risks to physical assets, information, computer systems, or other assets. They encompass various measures, including physical security, access controls, and administrative policies, to protect against threats and vulnerabilities that reinforce and ensure the selected framework is not simply selected but effectively adopted and working. You are measuring attainment and building good documentation practices.
You have identified and put systems in place to collect and track important metrics; however, you may not be consistently using them for management decisions.
At this stage, the leadership and management of security and GRC will begin to necessitate some form of a chief information security officer (CISO) function to oversee both internal policy management for your company and the provision of external security services to clients. Over time, it is advisable to delineate these responsibilities, with the CISO function focusing on internal policy development and external customer security policy formulation. The ongoing day-to-day management and execution of these policies can then be carried out by security engineers who are equipped to scale operations effectively.
OML 4 (Optimizing)
At OML 4, this new security framework adoption should be a cultural and operational norm. You have worked your way to full adoption of your selected framework, including the necessary checks and reports to identify any breakdowns. The focus will move towards a more mature forward budget and attainment tracking. Continually maintaining framework standards while using standardized tools, systems, and management allows you to hire fewer high-dollar resources to properly maintain quality delivery of security and GRC components within your business and to your clients. At this stage, you are actively measuring internal adherence to your selected standard and consistently making routine adjustments based on what the metrics reveal. These metrics will also help reveal when new tools or services are necessary. Compensation for key security-related staff will be variable based on budget adherence and client security revenue attainment goals.
OML 5 (Innovating)
At OML 5, you should be so comfortable enough with your processes, tools, etc., that you are building them into your services and deploying the same methodologies to your clients. You are routinely engaging outside resources to assess your adherence to standards and the methodologies you are using to collect and report metrics. Outside reviews, such as external audits, are also used to review your security posture. All employees understand their role in delivering your security and GRC outcomes. Security and GRC reporting and review of practices are a regular discussion point in weekly, monthly, and quarterly meetings as part of an overall risk conversation.
A few things that help at any stage:
- Being a part of virtual and in-person communities, such as IT Nation Evolve or Service Leadership peer groups3 , that share and collaborate to elevate performance of members is beneficial.
- Participating in an ISAO (Information and Analysis Organization).
Security and GRC in Your Solution and Service Offerings
Deliberate consideration of security and GRC should also define guardrails and inform the remaining steps of the progression plan shown in Figure 2.
As referenced earlier, BIC TSPs typically grow more rapidly, and security offerings are a significant reason why. The extent to which you create unique security offerings will generally be greatly influenced by the markets you serve. There is increased revenue to be generated through security offerings, and those offerings could come in the form of adding to your existing core offering, or they can be positioned as net new and cross-sold to existing clients.
Most TSPs carefully evaluate adding new solutions or services to their offerings on a regular cadence (typically annually); however, the BIC includes an extra step in their evaluation process to home in on the economic viability of pursuing a new solution or service. BIC TSPs understand that there are two questions that must be answered:
- How many sales of a new service or solution are needed to generate the desired level of profit?
- How many sales of a new solution/service can be done in a meaningfully short period of time?
If the answers to those two questions are not well aligned, then the new potential offering isn't worth investing time, treasure, and talent in bringing it to market. Ensuring that any new solution or service is both a win for shareholders and a win for customers is a key differentiator of BIC TSPs. You want to ensure you are both generating enough revenue and gross margin from the new service, as well as ensuring you have enough clients subscribing that you aren't in danger of a key client or two leaving, which would make the service not profitable. Line of sight to 10-15 clients is a comfortable start because the first 10 deployments will be lower margin based on the learning and documentation that your team will need to do as they get up to speed on the new service or product.
Another key BIC behavior is properly determining pricing. They perform a detailed cost analysis for the services they currently offer, including loaded labor, tools, and management expenses. They take a conservative approach as it is very common to underestimate the total costs of delivery of a given service. Once they have a detailed cost analysis, they use it to set a price to hit their targeted gross margin percentage (GM%).
The formula is: selling price = COGS/(1-targeted GM%). So, if your COGS = $1,200, and your targeted GM% = 60%, selling price = $3,000 [$1,200/(1-60%) = $3,000]. COGS stands for “Cost of Goods Sold” and it includes the cost of the tools, plus the cost of the labor to provide the services.
They also don't just set the price with their desired GM% and leave it alone; they revisit their detailed cost analysis, identifying the actual COGS for delivering services. The BIC performs this analysis periodically to ensure ongoing accuracy and uses updated COGS to identify the needed pricing to achieve the targeted gross margin.
Additionally, they move from “cost-plus margin” pricing to “value” pricing. While the cost-plus margin pricing delivers strong gross margins, the BIC does better. They can sell at a value pricing level when they understand the prospect's security needs and the costs the prospect incurs due to systems downtime, including lost productivity, missed revenue opportunities, customer satisfaction, etc. In this light, value pricing is still viewed as a great investment by their prospects, securing their services to maximize their uptime and minimize their business risk.
Most importantly, the BIC have an annual process that results in increased prices, which are uniformly applied to all new proposals and to over 95% of existing clients on non-recurring services and recurring revenue contracts.
Another important consideration is recouping the cost of necessary additional insurance for security and GRC purposes. While this cost is tracked in the general expense area of your income statement, recovering those costs requires properly pricing your offerings.
Security and GRC in Your Technology Standards
Driving technology standards is one of the critical traits to leverage in increasing OML and ultimately profitability. This concept takes on a whole new dimension when factoring in security and GRC. Any new tool, technology, or service offering needs to comply with your own internal selected security framework and risk profile. Depending on your specific situation, there could be an added need to ensure proper governance and compliance are in place as well, along with the ability to properly audit and report against those standards.
It's common for MSPs at lower OMLs to have relatively broad standards and/or a relatively relaxed attitude about them. While this can seem to provide a sales advantage over MSPs who take a stricter approach to the customer technology choices, in practice, it limits both the quality and scalability of their services (too many exceptions) and their profitability (too many skill sets needed).
Higher OML companies drive their business end-to-end to consistently work within their security and GRC requirements. They ensure that their installed base and each prospective customer are compliant without fail.
Security and GRC in Your Vendor Selection
When selecting vendors, it becomes more important to carefully assess your security and GRC requirements. It is crucial to verify that each vendor meets the necessary criteria and that regular, ongoing reviews are maintained as part of your controls. You will also likely increase the number of vendors to include those that help with insurance and possibly offloading risk management. These vendors will need to be routinely checked for their compliance against your needed standards.
Security and GRC in Your Budget and Compensation
For lower OML companies, forecasting and ultimately budgeting for added costs to properly implement your security and GRC requirements needs to become part of your process. Low OML companies will not properly account for the necessary costs needed to meet their desired requirements and struggle to be profitable, as their pricing does not factor in these additional costs.
To properly implement security and GRC practices, high OML companies will properly budget for the training, tools, reporting, and time to develop and implement, properly resource controls, and the cost for any third-party services. Managing those costs becomes vital to maintaining consistent profitability. Low OML companies will not approach the project this way and will run into higher costs and more internal disruption.
As you mature your security and GRC practices, you will likely have some high-end resources that require more sophisticated compensation strategies to align with BIC behavior. You should have a strong variable compensation model for your existing management team that addresses the necessity that their overall compensation is tied to financial performance.
Closing Thoughts
Much has been written about how security impacts MSPs and their customers. As the industry matures, so does the need to understand how OML, business valuation, and valuation creation are also impacted by security and GRC. From a shareholder perspective, managing risk and protecting share value cannot be overlooked.
