Coretress: "Using lywand is a no-brainer"

"Does lywand make sense for us?" André Schiller, Managing Director of coretress GmbH, did not have to think about that for long. In the interview, he explains why, how he uses the solution to optimise his managed services and what added value it offers customers.

At a glance: Tips and experiences from coretress

  • How did you introduce lywand to your customers?

    We informed them about the solution and then rolled it out to almost all of our customers as part of a price increase that was planned anyway. There are a few exceptions for whom we only complete the onboarding after certain internal issues have been clarified and we have the green light.

  • How do you use lywand?

    We use lywand as a standard tool for quality assurance of our managed services. That is how we also communicate this to our customers.

  • What added value does lywand have for your customers?

    They benefit from regular, record-based auditing and thus receive a comprehensive assessment of their security situation. Even security laymen can understand the value of our work and have a better basis for certification processes or cyber insurance policies.

  • How can you position lywand in your offering?

    The best way for us is to integrate lywand into our managed services, into the "standard" and "premium" packages, as lywand is an important factor for our service quality. In the premium package, only the scope of services for processing scan results is higher.

  • How do you deal with a negative evaluation?

    We contractually agree with our clients to bring any rating worse than 'C' back to C. We also set an entry period of two months, during which we first determine the security situation.

 

The success story: an interview with coretress

"Does lywand make sense for us?" André Schiller, Managing Director of coretress GmbH, did not have to think about that for long. In the interview, he explains why that was the case, how he uses the solution to optimise his managed services and what value it adds for customers.

Why using lywand is a "no-brainer"

Introduction

Who are you and what do you do? Can you tell us more about coretress?

We are a managed services provider from Cologne located in the Rhineland and mainly serve regional customers within a radius of 50 km around Cologne. Exceptions also occur, but in principle we have opted for a regional area of activity, which is beautifully provided by the conurbation of North Rhine-Westphalia. We aim to be a direct contact for our customers and place great value on personal communication.

André Schiller, Managing Director of coretress GmbH

Our company was founded in 1990; it started as a project during my studies. Back then, I had already discovered the area of security, with UTM firewalls, antivirus software and also patch management, which already seemed very important to me at the time. These then formed the areas on which we built our Managed Services. Later, managed services for firewalls and infrastructure were added.

 

Customer structure and service offer

Which customers do you serve?

Usually, our customers have in common that they mostly use Microsoft networks and have a desire for new topics such as cloudification, hybrid environments or digital transformation, and their demand for IT security is comparatively high. Either due to regulatory requirements, such as ISAAC and ISO certifications, or due to a high awareness of their infrastructure's need for protection. We focus on this and align our offer accordingly.

 

How big are your customers' companies and what services do you offer them?

We have two concepts in which we support our customers: On one hand, we act - classically for a system house - as an external IT department. The way we offer this works quite well for about 20-150 workstations. Active sales are carried out for about 30 workstations.

On the other hand, we work as a "trusted advisor" for IT departments in larger companies, i.e. 150 and more employees. In this role, we help the companies with issues that rarely occur in their day-to-day business, such as server migration. However, first level support for companies with several hundred employees would be out of the question for us. We seek close cooperation with the internal IT department to relieve them of their work and provide advice at a high level. We have only been pursuing this approach for about a year, but with increasing success.

 

Search for an automated security audit solution

How have you implemented auditing so far?

Last year, in the course of process consulting and digitalisation, we realised that we needed a tool that audits our processes - i.e. the services we provide. We do have in-house pentesting expertise, but it is not arbitrarily scalable and therefore not widely applicable. All in all, pentests have also always been very time-consuming, so they are more suitable as a tool for in-depth investigation, but less for regular auditing.

Therefore, I started looking for tools that could solve this problem through automation. So far, we have been completely blank in this area, apart from working with a Nessus scanner. This is undoubtedly a powerful tool, but it produces reports that are incredibly long, which technicians like but hardly anyone else can read. For the discussion with a managing director, these reports of the size of a book were simply not useful: far too detailed and neither readable nor assessable for people who are not IT security experts. All in all, not very convincing for the customer's contact persons.

 

How did you discover lywand?

I have tested various tools and they certainly have their justification for existence. But they were not suitable for the purpose I had in mind, that is, relief. Finally, chance came into play: Niklas from Fokus MSP called me and introduced me to lywand. Increased IT security, workload reduction, immediate onboarding and readable reports even for the top management were the points that made me curious. I watched the product demo, which was around August 2022, and two months later, in October, we rolled out the solution internally on a test basis. The first feedback from my technicians was "this is too easy" (laughs).

Screenshot of the Security Dashboard: overview of the internal and external security situation

Decision for lywand

What finally convinced you - and also your technical team 😉 - of lywand?

The deciding factor for us was an aha experience: As lywand's security scans showed us, the patch management we were running was not working as well as we thought. All the green ticks were set in our patch management dashboard. But misconfigurations in the software can cause a patch to be rejected. And then, of course, the thought occurred to us, "If this is the case internally for us, could our customers also have these kinds of policy errors?" So the compelling benefit of lywand for us was initially an internal benefit: We now had a tool that allowed us to audit extremely efficiently how well we were delivering on our value proposition to clients.

The clients, in turn, benefit from the fact that we can easily clean up and optimise their IT environment with lywand. For example, we discover risks from outdated WordPress versions, insufficient firewall hardening or unnecessary additional browser instances. The use of lywand was simply a no-brainer for us.

 

Positioning of lywand in the solution portfolio

How have you integrated lywand into your portfolio?

We initially offered it as a stand-alone solution in various packages, e.g. for website and firewall, but quickly realised that it would be too costly for us to look after if we were to offer it to all our customers. Even though it offers a high benefit for ourselves, it is just a side product in our portfolio.

The key to success was to integrate the product into managed services - it is now part of our managed services client server. In doing so, we took advantage of the momentum of the Microsoft price increase, which was planned anyway, and raised our prices a little more than we had originally intended. We have communicated to our customers that an additional security package is now necessary for us to be able to do our work reliably according to the requirements of IT baseline protection. For the majority of our customers, we could simply implement the roll-out, as we have the corresponding agreements. For some exceptions, we are still in discussion, for example with companies where compliance issues still need to be clarified and additional approvals are required.

In any case, we went from 150 to over 500 clients in the course of a single morning. The "catching up" of additional clients is also still taking place at the moment.

 

You originally planned to include lywand exclusively in your premium service package. Why did you finally decide against it?

We offer our managed services in three levels: basic, standard and premium, with about 95 percent of our customers using standard and 5 percent using premium. Initially, I was convinced that lywand should be exclusively in our premium line. However, there were two reasons against this:

  • Everything I integrate into the premium package does not automatically increase sales of the premium package, as the latter is considerably more expensive after all.

  • Furthermore, in consultation with my team it became clear that lywand is simply too important for the quality assurance of our work.

Therefore, we now offer lywand in both the standard and premium segments. We have only adjusted the scope of services linked to it: the quarterly discussion of a lywand renovation plan is already included in the premium package.

 

Advantages through lywand

Which benefits does lywand offer you?

The advantages for me are that I can reliably evaluate our work and present a clear, comprehensible summary to the client. It shows the value of our performance and offers a resilient basis for argumentation for further measures. In addition, the solution is absolutely MSP-capable and the effort for us is low: every technician who looks at lywand knows everything he needs to know after half an hour. No training or advanced training is necessary. In addition, we rolled out the agent to our customers in no time at all, quite simply via our RMM tool. All in all, we have a quick benefit for us and our clients with little effort, in the form of improved security and control of results. Moreover, it is now easier for us to offer additional measures and sell them successfully.

 

Can you give us an example of the benefits?

As already mentioned, our focus is on patch management. We now first look at every single customer for whom we use lywand to see whether the patch management runs as we imagine it. If you do not have the latest Windows 22H2 installed, you get an F rating with lywand. This is a good argument against customers who only use our standard package, which does not include feature updates (the premium package does). We can then offer the customer to either pay for this update service twice a year in addition or we transfer them to the premium service.

In most cases, the installation of 22H2 is low on the customer's list of priorities, i.e. "we will do it sometime". With the lywand assessment, they now realise the necessity of the matter. It can be made visible why the update is needed. Microsoft has discontinued support for all Windows 10 versions until 22 June, which on the one hand shows the customer the urgency, but on the other hand you can also point out "look, vulnerabilities 1-500 will be fixed with this update". lywand is therefore also a wonderful sales tool when people have a hard time getting an hour of service approved by the customer.

Security rating scale: grades in the American school grading system from A to F

Dealing with a negative rating

How do you handle negative evaluations in front of your customer?

I have it in my contract with the client that I will bring everything that slips below the grade "C" back to at least a C again. In addition, we have a contractual "run-up phase" of two months for our services, in which we first look at what might not fit with the customer. So I am not afraid of an F rating - after all, it is not something we make up, but a realistic representation. If there is an F rating, I am happy to point it out to the customer. If he refuses to remedy the weakness, I would ask him to confirm this, if necessary even by registered letter with return receipt. Because I want to be sure that this releases us from liability. In this aspect, lywand is also a very good argumentation aid.

After all, we see ourselves as a "trusted advisor", as the customer's partner, and our mission is to provide him with the best possible IT infrastructure. In my opinion, this also includes making "white spots" on the map visible.

 

lywand's benefits for cyber insurance

Speaking of contracts: Many customers have cyber insurance. To what extent does this play a role in working with lywand?

In most cases, many clients have taken out such insurance without consulting us. In return, they receive an audit sheet from the insurance company, which in many cases is signed blindly. Clients usually assume that all the requirements for insurance cover have been met - but if it is not possible to check or document whether this is the case, there may be difficulties. With lywand, we have regular record-based auditing. This gives you an overview that you can present to an insurance company to get the best possible rate. Of course, this is also helpful for clients who are seeking certain certifications. Also with regard to NIS-2, which is currently causing headaches for many clients, we as a service provider can already offer support by providing regular auditing in a very simple and cost-effective way.

 

Perspective on the MSP market

If you could look into a crystal ball: How do you see the development of the MSP market?

I think managed services will continue to grow. The classic "time for money" business model is simply no longer scalable and hardly lucrative for us as a system house. Therefore, I am convinced that we need automated services that take work off our hands and allow us to concentrate on performing profitable services. In the long run, I think it will be necessary to think about operating concepts that offer IT at a fixed price.

 

Dear André, thank you very much for this interesting insight, we wish you ongoing success with lywand!

Teresa Leonhartsberger

June 14, 2023

Category

Guide
