Ransomware as a Service: What MSPs Need to Know

Welcome to the Beyond the Horizons Podcast, in this episode we’re breaking from our usual format to bring you one of the key sessions from our Business of Security event in Texas last year (2024) where N-able Chief Security Officer Dave MacKinnon explains why selling security isn’t enough—and instead how MSPs need to focus on selling business resilience as an outcome.

Here Dave is being interviewed by Think Purple’s Alex Stanton.

Key Themes Discussed

1. Selling Resilience, Not Security

o Dave emphasizes the importance of moving away from “selling security products” and instead focusing on building business resiliency.

o Resiliency ensures that organizations can minimize disruption when, not if, a cyber event occurs.

2. The Role of Risk

o Risk is not bad; it’s healthy when acknowledged and managed.

o Businesses that ignore risk often face larger repercussions when incidents occur.

o It's essential to educate clients on identifying and understanding their business risks rather than avoiding or downplaying them.

3. Understanding Business Goals

o Start with business objectives, not security tools.

o Engage leadership with terms they understand: focus on outcomes like protecting revenue streams or minimizing operational downtime.

o Example: Discussed board-level alignment on risk tolerance and strategic investments.

4. The MSP Opportunity: Selling Outcomes, Not Products

o MSPs should present their services as enablers of business continuity and success, not just technical solutions.

o Dave encourages framing MSP offerings around risk mitigation and business continuity planning.

Key Insights

· Risk Management as a Conversation:

o MSPs should discuss tangible impacts of downtime, such as revenue loss or missed deadlines, to convey the value of investing in risk management.

o Example: A $30M office supply company loses $40,000 per half-day of downtime—a stark reminder of the cost of inaction.

· SaaS and Identity as Critical Responsibilities:

o MSPs must take responsibility for managing SaaS applications and client identity systems.

o Include identity management, provisioning, and securing integrations into service offerings.

o Highlighted the risk of lost or inaccessible data in SaaS environments without proper backups and vendor accountability.

· Tabletop Exercises and Incident Planning:

o Use tabletop exercises to identify gaps in processes, tools, or training.

o Avoid overly complex scenarios that discourage participation; start simple and build on successes.

· Tool and Vendor Selection:

o MSPs should evaluate and re-evaluate tools regularly to ensure they align with changing threats and business needs.

o Avoid tool sprawl: focus on leveraging a smaller set of tools effectively.
Disclaimer: This podcast provides educational information about issues that may be relevant to information technolog

Disclaimer: This podcast provides educational information about issues that may be relevant to information technology service providers. Nothing in the podcast should be construed as any recommendation or endorsement by N-able, or as legal or any other advice. The views expressed by guests are their own and their appearance on the podcast does not imply an endorsement of them or any entity they represent. Views and opinions expressed by N-able employees are those of the employees and do not necessarily reflect the view of N-able or its officers and directors. The podcast may also contain forward-looking statements regarding future product plans, functionality, or development efforts that should not be interpreted as a commitment from N-able related to any deliverables or timeframe. All content is based on information available at the time of recording, and N-able has no obligation to update any forward-looking statements. https://www.n-able.com