MSP focus: How to sell risk-based vulnerability management to a skeptic

Many MSPs and MSSPs currently face a race to the bottom on price if they are to attract new clients, which means cutting corners and compromising on the quality of service. On this basis, a company looking for vulnerability management support may have been presented with many cheap offers that will tackle vulnerabilities at volume. For a CISO under pressure to improve ROI, these offers will sound tempting. Until the first breach comes of course. Then the inevitable cost of recovery, reputational damage, and increased insurance premiums will be much greater than the “value” received from cheap vulnerability management.

The best vulnerability management services that MSPs and MSSPs can offer are risk-based and this article will help you persuade your prospects of this.

For the first point in your case, let’s look at the fatal issue with remediation by volume.

Why doesn’t remediation by volume work?

If an MSP performance is measured by the number of vulnerabilities patched, then the goal will be to prioritise them in order of ease to remediate. The risk of breach and criticality to the company’s systems will be completely ignored and the team will be patching vulnerabilities that can be fixed at the least cost and effort. This means these may not be the vulnerabilities most likely to cause a breach of any kind and the efforts (and your fees) would be wasted.

In fact, hundreds of vulnerabilities could be tackled each month without improving the security posture of the organisation one little bit. There is even a risk that by applying resources in this way, it may actually make the situation worse because key vulnerabilities would be left untreated, increasing the chance of a major breach.

What is risk-based vulnerability management?

Put simply, risk-based vulnerability management requires prioritisation of a different kind. In this case, scan data is categorised according to the risk each vulnerability poses to the organisation so that remediation efforts provide maximum security benefit with minimum effort.

Read our Ultimate Guide to Vulnerability Prioritisation to find out more.

‍

Why isn’t every MSP or MSSP offering risk-based vulnerability management?

A risk-based vulnerability management approach (and effective vulnerability prioritisation) requires in-depth knowledge of a business’ systems and processes. Without this, prioritisation cannot be assumed to be carried out correctly – you may as well be using CVSS (please don’t) or relying on the secret algorithms of a massive automated vulnerability platform (again please don’t).

For a MSP or MSSP to have the required visibility of their client’s systems and data, it will require significant investment of time which of course, costs money that will have to be passed on to the client. However, this is an upfront cost that will pay for itself many times over when the security posture of the business has increased as much as it should under this method of vulnerability management.

‍

How do I offer risk-based vulnerability management without relying on CVSS or secret algorithms?

One alternative is the manual triage of vulnerabilities but this can take as many as seven hours per scan for just 250 assets. Assuming your clients have thousands of assets, you could end up spending so much time on prioritisation that no time is left for remediation, resulting in an even worse performance to report on.

RankedRight is an automated vulnerability prioritisation tool built for MSPs and MSSPs to deliver risk-based vulnerability management programs for their clients. Upon every new scan, RankedRight ingests the data, adds the latest vulnerability intelligence, and then follows rules the user has set to rank and delegate each issue ready for remediation. This saves teams hours with each scan, ensuring that remediation teams can start work more quickly, and it keeps the user in control.

What’s the benefit to my business of offering risk-based vulnerability management if it’s going to cost my clients more?

By taking a risk-based vulnerability management approach and offering this in your proposal to new clients, you can differentiate yourself from other MSPs or MSSPs in the market. A volume-based approach can only be short-term as the first breach would show the client the method is madness whereas risk-based has long-term benefits and will enable you to grow your client relationships and upsell.

What’s more, it sets the stage for future projects with which you can use RankedRight to deliver more value and better security outcomes.

‍

So what can I offer my prospects that will convince them to go with risk-based vulnerability management?

Firstly, by taking a risk-based vulnerability management approach, clients can gain a full understanding of the impact their MSP or MSSP has had on improving their security posture and protecting their business each month. This should help with reporting to the board, shareholders and for maintaining a low insurance premium.

Secondly, by taking the time to understand the systems or processes that are resulting in the most critical vulnerabilities, you could identify improvements or changes that could eradicate those risks permanently. There could also be a case for training or educating the workforce as a whole to further improve the company’s security posture.

In conclusion, risk-based vulnerability management is the most effective method of prioritising vulnerabilities to maximise remediation efforts and improve your clients’ security posture. Don’t offer cheap solutions that do more damage than good. Make your MSP or MSSP the business that makes a difference.

‍