Interviews - News - Analysis: For successful growth with Managed Security Services

Every year, we check whether our baseline still meets current safety requirements.

We talk to Pieter de Bruijn, Sales Manager / MT-lid bij Féju ICT Groep, about the starting point of their MSP journey and why the security baseline is so important to him. Pieter also talks about the different customer groups and their path to more managed services.

Strategies for implementing MSS

Clear strategies and plans are essential for IT service providers who want to offer managed security services. According to Pieter de Bruijn, an experienced expert in this field, some of the key factors are Baseline for security: every organization should establish and regularly review a baseline for security standards. This baseline serves as a foundation for all further security measures and helps to ensure compliance with current security requirements. Customer segmentation: It is important to segment customers according to their specific needs and IT resources. Companies with their own IT staff may need less support than those without their own IT department.

Challenges and solutions

Although MSS offer numerous advantages, there are also challenges. One of the biggest is responding to security incidents. Pieter emphasizes that while many MSS providers offer comprehensive monitoring and notification, the actual response to incidents often incurs additional costs. It is therefore important to make clear agreements with customers about what is and is not included in the service. Another issue is the complexity of the services offered. Some customers may be reluctant to adopt new technologies for fear of jeopardizing their own IT skills or responsibilities. This is where clear communication and training is crucial.

Outlook for the future: New trends in 2024

A look into the future shows that the importance of MSS will continue to grow.

Key trends for 2024 include:

  • Penetration testing as a service:
    Instead of conducting one-off tests, more and more providers are relying on regular penetration tests to continuously identify and fix vulnerabilities.
  • Advanced Managed Security Operation Centers (SOC):
    These provide not only monitoring services, but also proactive security measures and comprehensive threat analysis.
  • Integration of sustainability and artificial intelligence:
    In addition to security, sustainability and the use of AI are also becoming increasingly important.

Solutions such as AI-based co-pilots can help companies to work more efficiently and in a more environmentally friendly way.

'We use our baseline and check annually whether it still meets the current safety requirements, and every customer must adhere to the baseline.'

MSP Journey · Managed Security Services · Sophos & Olaf Kaiser · Portraitbild Pieter de Bruijn
Pieter de Bruijn
Féju ICT Groep B.V.
Olaf Kaiser:

When was the point in your company's history when you said that we were now launching the first managed services?

Pieter de Bruijn:

We started a few years ago, I think six or seven years ago, with the first managed services. The first products were Microsoft products, Microsoft Office 365, now Microsoft 365, but also the Sophos portfolio, especially server protection and licenses for endpoint protection and things like online backup were the first products when we started. That's still growing because we're in the process of introducing MSP and CSP products.

Olaf Kaiser:

And when you have introduced these first managed services in your company, do you have a strategy or a plan for which customers you want to approach first and convince to use these new services from your side?

Pieter de Bruijn:

Well, we use our baseline and check every year whether it still meets the current safety requirements, and every customer has to comply with the baseline. Sometimes a customer does not adhere to it. Then you have to ask yourself whether that is the right customer. But most customers comply with it.

Olaf Kaiser:

What was the baseline when you set up your first managed services five years ago? In other words, a combination of selling services and consulting and integrating the first managed services into your basic structure. Right?

Pieter de Bruijn:

The basic structure includes monitoring, asset management and a range of security products. So there is a strict basic structure. And then you can add other products.

Olaf Kaiser:

What are the key factors for your sales reps or yourself to really convince customers to buy a managed service and pay a fixed monthly fee for your service?

Pieter de Bruijn:

What you currently see in the market is that the subscription-based services such as the MSP and CSP versions in most cases offer more services than the designated licenses. For example, Microsoft 365 instead of Exchange on-premises. This is of course also a big difference in terms of security, but in some cases it is better to use the MSP licenses than the temporary services. As an MSP partner, we prefer to end all renewals. Therefore, we have been quite busy renewing all temporary licenses with a renewal date and such.

It's a big administrative burden and it's better with MSP and monthly, quarterly or annual payment. There is also a lot of work for the renewals team to calculate what license is needed and to get a quote from every vendor on the market. With MSP, you work on a quote to increase the margin and can then make long-term commitments with vendors to get more margin and lower the purchase price.

Olaf Kaiser:

If some customers experience a threat or something is discovered in their IT, the efforts to eliminate this threat are usually not included in the monthly fee. I assume this is also the case with Féju?

Pieter de Bruijn:

At the moment, for each product, we choose the one that works best for us. The MSP security products are the hardest part because every customer has a security breach once in their life. And with some products, like online backup products, you can say, okay, that's an all-inclusive service because we're responsible for the backup solution.

And if there's a problem, or if it doesn't work, or if a customer writes a ticket, they can solve the problem, including a price. But especially the server or endpoint security, threats or ransomware and pentest results and things like that. It's quite difficult for us to include all of that because it's too risky for us.

Olaf Kaiser:

You probably include updating and managing what you have, but not responding to all those alerts that could be critical to the customer.

Pieter de Bruijn:

Yes, we look at the Managed SOC solution that we use. If something happens at the customer's site at night, we get a call from the extended Managed SOC. Well, it's four o'clock in the morning, the consultant is asleep, of course, I hope. And when we get the call, everything is covered up to that point. But if we have to call the customer because there's a security breach or an unauthorized login or something like that, that's not covered.

Olaf Kaiser:

When I look at your customers, you say that Féju is aimed at the mid-market segment. So you probably have customers with internal IT equipment and customers without. Does that make a difference in the provision of managed security services?

Pieter de Bruijn:

When I look at our customers, I estimate that 40 percent of them have their own IT staff. And we are in second or third place. Around 60% of customers don't have their own IT staff, maybe an IT manager, but that's it, then we can report problems or similar. But of course there is a difference, because the IT managers in the company are more eager to use new products.

But sometimes they are also more difficult because they are not always willing to use the latest products because they are afraid of their own responsibility and position in the company. But all the products in the baseline are just as suitable for small companies with five employees as they are for companies with 300 or 500 employees. That's the good thing about it. Only the larger companies get better prices in most cases because they increase their workforce and then you can offer better prices.

Olaf Kaiser:

Last question, Pieter, thank you very much for your insights. We are only a few days away from the turn of the year. And this is especially a time when we take a fresh look at what new things we can tackle and evaluate as an MSP in the new year. So are there any security-related ideas you have at Féju that we want to sell again next year in 2024?

Pieter de Bruijn:

A highlight for 2024 for us is of course security, including with the term NIS2. We have a whole range of NIS2 customers in our customer base. So they need to take a critical look at their security needs. We are doing more pentests than ever before, but we offer pentests as a service. That means we don't just offer one-off pentests, we do multiple pentests throughout the year. So that's an important point for us. And we are expanding our Managed SOC, i.e. our Managed Security Services. And yes, other highlights that have nothing to do with security are talking to customers about sustainability and AI, things like Co-Pilot and things like that. So, some highlights are security, sustainability and AI.

MSP Journey · Managed Security Services · Sophos & Olaf Kaiser · Portraitbild Pieter de Bruijn

Profile

Féju ICT Group B.V. offers you complete solutions for all your automation and telecommunication needs. Our services develop together with your company: Solutions tailored to your situation, with flexible contracts and contacts. Our expertise is confirmed by the various certifications of our partners and suppliers.
Pieter de Bruijn
Sales Manager / MT-lid
Féju ICT Groep B.V.
Nijverheidsweg 21
5071 NL Udenhout

Related articles

MDR is not a technology, but a service

From the customer's point of view, it is about how Managed Detection and Response (MDR) is used to test and introduce stronger security performance and, from the MSP's point of view, how a central MDR service is linked to important systems via APIs through to the establishment of alarm chains.

Managed firewall in focus – from service definition to reporting

What services - both planned and unplanned - are included in your managed firewall packages? How can the customer purchase the whole bundle of hardware, software and services? All as one fixed monthly price? Are there really helpful reports for customers from the firewall? Which services are not included and are provided on demand or on request at the firewall? How do you deal with customers who already have another firewall in use?

Ongoing development as a model for success with managed security services

Everything you need to know about setting up Managed Security Services: How is the security model structured? How do customers decide between the three modules for endpoint protection and what tips the scales in favor of the higher variants? What is the customer response to your managed approach? Does the monthly notice period play an important role for you? Which automations are most important to you?