How to Calculate ROI of MSSP Services

Cybersecurity investment is up over the past five years, and most indicators suggest that the sector will continue to grow rapidly. As a managed security service provider (MSSP), you are in a competitive industry with excellent potential.

But industry-wide spending doesn’t always translate into direct revenue increases for every MSSP. To manage your own bottom line, you have to increase your clientele, retain clients, and expand services to existing clients. How do you stand out to potential new customers?

One of the most powerful tools at your disposal is the return-on-investment (ROI) metric. When you can show exactly how much your services improve the bottom line for your clients, you can build lasting relationships that ensure that your growth will match (if not exceed) the industry as a whole.

While that sounds nice, it leaves a gaping question. How do you calculate MSSP ROI?

Cybersecurity ROI Basics

In cybersecurity, ROI is primarily based on money saved by preventing disasters. It’s not always an easy concept to demonstrate, but businesses invest in MSSPs to prevent problems. As a result, the basic ROI calculation is easy to understand, even if it’s not always easy to calculate.

The calculation looks like this:

ROI = [(cost of failure × probability of failure with current approach) − (cost of failure × probability of failure with MSSP approach)] ÷ cost of MSSP services

MSSPs generally have very positive ROI when they can show risk reduction and lower costs. The trick is showing that with automated cybersecurity assessments.

Running Risk Assessments

As an MSSP, you already know how to run risk assessments. The real question is, how detailed should your assessment be? What’s the scope of a risk assessment when applied specifically to ROI calculations? How can you do more assessments cost-effectively?

The answer depends on the scenario. For example, if you’re trying to sell a single managed detection service, then you’ll need to be very specific. The service should be addressing exact threats on a list, and you should provide clear risk values before and after the implementation of your service. It makes for a clear, concise ROI value applied to the specific service.

To sell a bundled service, or to give a quarterly progress update, you have a lot more wiggle room. As a general rule, though, more detail is better. You can provide an overarching risk assessment that shows how the general strategy is mitigating risk, and you can also include detailed risk assessments that evaluate each tool and technique within the strategy.

That allows you to provide quarterly updates to your clients, and it enables you to do high-level analyses that show the value of your services. This is important for two reasons. First, it shows the client exactly how you deliver value from your services. Second, it shows the most obvious places where you can deliver additional value, and by being transparent about that, you help build trust and a long-term partnership with your clients.
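
The calculation above applied to a per-threat risk assessment, once per service and once for the whole bundle, as an added example that is not part of the original article. The service names, threat names and all figures are constructed, and the one-year horizon and the rule that each threat belongs to one service are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Threat:
    name: str
    cost_of_failure: float  # loss if the threat succeeds
    p_current: float        # yearly probability of failure, current approach
    p_mssp: float           # yearly probability of failure, MSSP approach

    def __post_init__(self):
        if self.cost_of_failure < 0:
            raise ValueError(f"{self.name}: negative cost of failure")
        for p in (self.p_current, self.p_mssp):
            if not 0.0 <= p <= 1.0:
                raise ValueError(f"{self.name}: probability {p} not in [0, 1]")

    def avoided_loss(self) -> float:
        # (cost x P current) - (cost x P MSSP); negative if the service adds risk
        return self.cost_of_failure * self.p_current - self.cost_of_failure * self.p_mssp

@dataclass(frozen=True)
class Service:
    name: str
    yearly_cost: float
    threats: tuple  # assumption: each threat is listed under exactly one service

def roi(threats, cost: float) -> float:
    if cost <= 0:
        raise ValueError("cost of MSSP services must be positive")
    return sum(t.avoided_loss() for t in threats) / cost

def service_roi(service: Service) -> float:
    return roi(service.threats, service.yearly_cost)

def bundle_roi(services) -> float:
    # Overarching figure: all avoided loss over all service costs.
    threats = [t for s in services for t in s.threats]
    return roi(threats, sum(s.yearly_cost for s in services))

# Constructed sample assessment; every name and number is illustrative.
DETECTION = Service("managed detection", 50_000, (
    Threat("ransomware outage", 1_000_000, 0.25, 0.125),
    Threat("business email compromise", 200_000, 0.5, 0.25),
))
EMAIL = Service("email filtering", 25_000, (
    Threat("credential phishing", 100_000, 0.5, 0.25),
))

if __name__ == "__main__":
    for s in (DETECTION, EMAIL):
        print(f"{s.name}: ROI {service_roi(s):.2f}")
    print(f"bundle: ROI {bundle_roi([DETECTION, EMAIL]):.2f}")
```

A result above 1 means the avoided loss exceeds what the client pays for the service; listing the same threat under two services would count its avoided loss twice in the bundle figure.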

Simplify With ROI Tools

You can do all of this by hand, or you can invest in an ROI calculator. SightGain makes a calculator that is designed specifically for MSSPs to analyze and express exactly how their services are generating value for clients. It simplifies calculations on your end, allows you to provide custom data for each client, and produces easy-to-read materials that are presentation ready.


Calculating ROI is important, but there’s another element that also matters:

How should you present this information to your clients in a way that demonstrates value?

Demonstrating value is one of the primary goals of this entire exercise. You’re showing prospective clients how you can improve their risk exposure, and you’re proving to existing clients exactly what you are doing for them.

The best practice is to build your presentation around objective metrics. Key metrics typically include emulated threats blocked, actual threats automatically responded to, threats tested, response times, the percent of threats detected, how many alerts require a human response, and which alerts are handled by an automated threat response.

Each of these metrics can demonstrate how managed threat detection services are preventing downtime and other threat-related costs in order to inform the ROI. These metrics also open the door to demonstrate ROI for future recommendations. 

No matter the MSSP package, there will be some threats that are not accounted for, and a quarterly ROI presentation can show the value of investments that address those gaps.