1.0 - Introduction
Security services are the building blocks for your security packages. They include the actual security components themselves, are linked to the tools in your security stack and include all of the costs you incur in the licensing and provisioning of the security service. Each service you create will be aligned to the NIST Cybersecurity Framework 2.0 so your clients can easily visualise what your security offerings 'look like' and how they will enhance their security.
Security services are extremely flexible. They can be as complex as a full security package or as simple as a single security feature such as Email Protection.
We have deliberately engineered security services so you can design and build your security services independently from how you sell them. This ensures your technical team can engineer the security capabilities of your security services and ensure stack alignment whilst your sales team can close sales without worrying about overpromising or under-pricing solutions.
Regardless of how you decide to build your security services, you must add them to a security package in order to sell them to a client.
2.0 - Service Features
Features of your security service should closely mirror the technologies (e.g. endpoint protection) and practices (e.g. incident response handling) that the service provide, although you can be much more specific if the service has particularly important technical features or benefits that want to highlight.
The features you add are not linked to the security capabilities of the security services and therefore will have no impact on the NIST CSF Alignment of the security service or 'predicted scores' of any security packages that you add the service to.
Feature functionality includes:
Add a feature by clicking add and hitting enter
Edit a feature by clicking on the row and editing
Delete a feature by cling the 'x' at the end of the row
Re-order features by hovering your mouse over the far left of the row - the 'grippers' will appear, at which point you can click and drag the row into a new position.
Coming soon: when our new Storefront feature is launched in Q2 2025, you will be able to include your security service in your Storefront for clients to see.
3.0 - Aligning your Security Service to the NIST Cybersecurity Framework 2.0
To ensure your security services are aligned to international security standards and are easy for your clients to understand and trust, HighGround aligns all security services to the NIST Cybersecurity Framework 2.0 (NIST CSF). This alignment has been achieved by converting the NIST CSF subcategories (aka security controls) in the following way:
For those that relate to technologies that an MSP will sell to their clients, or provide as a managed service, these are available for selection as NIST service questions (these are what we refer to in this section of this article)
For those that relate to how the MSP operates (and therefore the client has no control over), these are included in the SecOps module.
All NIST questions are aligned with Security components, which are easily recognisable as the technologies and practices you deliver to your clients.
As part of building your security services, you must answer the NIST service questions. Since these are linked to security components (and thus the scoring engine - read more below), answering these questions will give your security service it's security posture.
To get started, click on any of the sections on the left to load the NIST security questions:
Across the top is a tab for the following NIST CSF Functions: Identify, Protect, Detect, Respond and Recover. The Service questions are grouped into these sections, although you may find it much easier to use the search at the top (when searching, the NIST Function will be shown as a tag on each question for ease).
Simply click 'Yes' to the the functionality that your security service will provide and you will see the NIST CSF chart on the right hand side dynamically change. When done, click 'Save'.
Tip: don't worry if the NIST CSF chart looks unimpressive as you build your service. Most security services have little effect on their own. When you add multiple services to a security package, all of your security services will combine to create an aggregate security posture.
Note: HighGround covers the Governance Function with the CyberResilience KPI, Governance & Resilience module and overlaps with the Identify Function.
4.0 - Security components
Security components are likely to be more recognisable to you - these are the core technologies and practices you are likely already delivering to your service, and the things you likely refer to by the tool name rather than the technology itself.
Security components is the central cog in HighGround and are interconnected to almost every part, most notably: . Not only are they linked to the NIST CSF service questions when building your security service, they are also directly connected to:
NIST CSF Service Questions
NIST CSF chart
Your Security Stack
HighGround security engine
CyberScore KPI (actual and predicted)
CyberResilience KPI (actual and predicted)
Security Pillars
You can see the security components included in a security service in the security component block:
Whilst the primary way for a security component to be added to a security service is through answering the NIST CSF service questions, they can also be added manually by clicking 'Add' at the bottom of the Security component block, triggering a dropdown:
After you have added the security components to your security service, you need to map the following:
Security Pillar: this is used to provide an alternative view for your clients when presenting your security packages, adding depth and augmenting the default NIST CSF Function view. Select from:
Device Security
User Security
Network Security
Cloud Security
Data Protection
Business Resilience
Compliance
Products: link the security component to a product (via your stack or directly to a product). Alternatively you can link it to 'labour' if it is a practice (i.e. a service you provide):
for technologies, you will be prompted to select a tool from your security stack or an existing product
for practices, you will be promoted to select an existing product or add labour for delivering this practice as a service
When linking a technology to a tool in your security stack, you will be prompted to select the exact product(s) you want to use. If no product has been linked, you will be presented with all products, enabling you to search, select and link a product to your tool.
Once you click add, the product will be linked to the security component and also added to your costs section below to ensure you price your security service correctly and have visibility on your profitability.
Now you are ready to complete the pricing part of your service!
5.0 - Service Billing
Security services have their own billing models, which are then aggregated when added to a security package. There are several billing parameters you must define:
Billing period: the period the service will bill on a recurring basis.
Snap to unit: the unit the service will be billed by, for example 'per user, or 'per device'. There is a standard set of units provided, and a feature to add custom units types for maximum flexibility.
Price: set the price of the service and the currency you will bill it in.
Note: the currency used for the price will be used as the home currency for currency conversions.
Tax: set the tax rate to be used for the service.
Price On-Demand: for service which have a variable cost, select this option. When using this feature, all Pricing options are disabled and a banner will be displayed in all security packages this security service is used stating 'this security package includes services with variable pricing'.
Warning: you cannot change the billing period or snap-to-unit after it has been created.
6.0 - Service Costs
Add your service costs to ensure you are billing your security services profitably. There are 2 types of costs you can add:
Product costs: any products associated with security components will be automatically added. You can manually add product costs as well.
Labour costs: almost every service you provide has a service cost attached. Even if its 2 minutes - capture it - it's better to account for something and manage your cost base, rather than let it eat into your margins.
Pricing changes
Since pricing is always changing, HighGround continuously monitors for changes in pricing as follows:
change detected in currency conversion rate used
change detected in the product cost
When a pricing change is detected, HighGround will add a label beside these costs to notify you, and a blue 'Update' button to update the pricing of your service.
If you select 'Update', you will be notified of all Security Packages this security service has been used in and therefore which security packaged will be affected by the pricing update.
Note: choosing to update the security packages with the changes in the costs of a security service will not have an adverse effect on any clients you have applied the security package to. It will just affect the margin of the security package, which you may want to then adjust to ensure you retain your margins.
7.0 - Service Pricing Summary
A summary of the security service pricing is provided at the bottom. When doing the complex work of building security services, it is easy to lose sight of the most important part for your MSP - making an adequate profit to make the effort worthwhile!
To help with this, HighGround will display the sell price, aggregate your total product and labour costs, and calculate your margin and margin %.
8.0 - Managing your Security Services
You can return to edit your security service at any time. If you change anything that will affect a security package that the security service has been included in, HighGround will prompt you about this, giving you an opportunity to change your mind.
Below are some additional security service management features you may find useful:
Duplicating a Security service:
To duplicate a security service, start by finding the service you wish to duplicate. From here, select the three dots at the end of the service and choose 'Duplicate'.
Your duplicated service will now automatically show in your lost of services.
Deleting a Security service
If at any time you decide you no longer need one of your services you can delete this from your list of services. Find the service you are looking to delete and from the three dots at the end of the service select 'Delete'.
You will see a prompt asking if you are sure - click yes and your service will be removed from the list.
Note: If a service is being used in a security package, you will not be able to delete it. HighGround will list the security packages the security service is actively in use in, and any clients it has been applied to. You will need to undo these actions before deleting.