Today’s article is going to be a little different than usual. While I’ve worked for a few MSPs and actively consult on a weekly basis, I think it’s important to hear strategies and struggles from MSPs who are in the weeds looking to develop a better security practice that involves Microsoft 365 tools.

So for that reason, today’s blog showcases a progressive MSP we interviewed in Austin, Texas: GCS Technologies. We unpack a ton of great topics, including adopting the Microsoft 365 security stack (for example, replacing traditional RMM tools with tools like Intune), building a practice around a client engagement model and education, shifting from a reactive to a proactive mindset in security, monetization strategies around continuous security improvement, and much more. I’ve taken the interview and condensed it down to five steps to follow.

Step 1: Embrace the Microsoft 365 Security Stack

GCS Technologies made a bold shift from using point solutions to fully adopting the Microsoft 365 security stack. This approach helped streamline their operations, reduce overhead, and take advantage of built-in security features that many clients weren’t fully utilizing. For MSPs looking to follow this path:
  1. Adopt Microsoft Security Tools: Begin by integrating Microsoft’s security tools like Defender for Office 365, Microsoft Intune, and Entra ID (Azure AD). These tools are designed to provide comprehensive protection, from endpoint security to identity management and compliance. 
  2. Focus on Security, Not Just IT Support: Shift the mindset from just providing IT support (help desk, network maintenance) to managing security outcomes. Clients need more than just uptime—they need their systems to be secure and compliant with industry standards. 
  3. Utilize Existing Microsoft 365 Subscriptions: Most organizations are already using Microsoft 365. By optimizing the security tools within these subscriptions, you can provide enhanced protection without adding new third-party solutions. 

Step 2: Build a Strong Client Engagement Model

Client engagement is critical for ongoing security improvements. Rather than simply managing IT tasks, ensure you are actively educating and involving your clients in their security posture:
  1. Executive-Level Engagement: Encourage clients to involve executive leadership in security discussions. This helps prioritize security investments and ensures that decision-makers understand the risks and value of the security services you’re providing. 
  2. Regular Security Calls: Schedule monthly or quarterly meetings with clients to review their security posture. Use these meetings to discuss secure scores, device compliance, threat detections, and potential vulnerabilities. Make these meetings educational, ensuring clients understand the tools being used and the steps being taken to secure their environment. 
  3. Visualize Security Outcomes: Clients need to see how their security measures are performing. Use dashboards and visual reports to showcase progress, identify areas for improvement, and demonstrate the value you’re delivering. Avoid technical jargon and focus on showing tangible results. 

Step 3: Transition from Reactive to Proactive Security Management

Move from a reactive to a proactive security management model. Rather than simply responding to alerts, focus on continuously improving the security environment.
  1. Continuous Audits and Risk Assessments: Perform regular audits of your clients’ environments to assess risks and security gaps. Use this data to generate prioritized work tickets and take proactive steps to mitigate vulnerabilities before they become incidents. 
  2. Security Improvement Plans: Start with the basics—ensure clients have MFA enabled, secure scores in the 80s or 90s, and common threats like phishing are mitigated. As clients progress, move them toward more advanced security configurations, such as device compliance enforcement and mobile device management (MDM). 
  3. Ongoing Monitoring and Alerts: Use Microsoft’s security tools to continuously monitor your clients’ environments. Ensure that alerts are not only reactive but also part of a broader strategy to improve security over time. 

Step 4: Implement a Continuous Improvement Process

Security is an ongoing effort, and MSPs must ensure they are continuously evolving their security practices in response to new threats and changes in the Microsoft 365 environment.
  1. Establish a Continuous Improvement Cycle: Implement a system where security audits, vulnerability scans, and client reviews are conducted regularly. Create a process for re-prioritizing security tasks based on emerging risks or incidents. 
  2. Stay Ahead of the Threat Landscape: Monitor industry trends, attend relevant security webinars, and leverage platforms like Cloud Capsule to stay up to date on new security features and best practices. Being proactive means constantly evaluating your tools and adapting to changes. 
  3. Adapt to New Challenges: As threats evolve, ensure your team is continuously trained and prepared to handle new attack vectors. Whether it’s AI-driven threats or new forms of social engineering, make sure your services remain relevant and effective. 

Step 5: Position Yourself as a Trusted Security Partner and Monetize Security Services

Finally, don’t just be a vendor—position yourself as a strategic partner in your clients’ security journey.
  1. Build Trust Through Education: Take the time to educate clients on security best practices, the tools you’re using, and the steps they can take to improve their security posture. Clients will trust you more if they understand why you’re making certain recommendations. 
  2. Bundle Security Services into Your Core Offerings: GCS Technologies incorporates a fixed fee that includes proactive security services, ensuring continuous improvements such as vulnerability management, the introduction of new policies, and the governance needed to address the natural drift that occurs in tenants over time.
  3. Be Transparent About Costs: Help clients understand the value of your security services by explaining the total cost of ownership (TCO) and how bundling Microsoft 365 security features can save them money by eliminating the need for third-party solutions. 
