maxkabakov - Fotolia
MSP cybersecurity concerns may require a business model retune
Many managed service provider partners consider IT security an important revenue opportunity, but they may have to retool their offerings to address emerging threats.
Cyberthreats continue to proliferate and become more sophisticated by the day. Businesses recognize they need to place more attention on guarding sensitive data and that they lack the expertise and tools to keep up with the changing risk landscape -- good news for managed service providers. However, the MSP cybersecurity market now stands on the precipice of a new era, one where partners need to change their traditional sales and support approach in order to thrive.
Security threats have become more ominous in a dynamic market.
"We have been seeing more of a criminal element involved with hacking," said Charles Weaver, CEO at MSPAlliance, an industry association that now has 30,000 members. "Organized crime has moved beyond the drug trade and democratized cybersecurity. Nowadays, any business with sensitive information, especially financial services and legal firms, has something of potential value to a cyberhacker."
Many attacks have been successful. For example, in 2018, Under Armour had a breach involving more than 150 million individuals using its fitness application. In another instance, hackers accessed about 20 million records, including California voting records, at The Sacramento Bee.
Consequently, cybersecurity has become a top management problem, and the increased awareness has translated into more spending. For instance, cloud-based security service revenue is expected to reach $9 billion in 2020, up from $5.9 billion in 2017, according to market research firm Gartner.
This growth is garnering the attention of MSPs.
"A few years ago, we saw significant price pressure on traditional managed services," explained Stelios Valavanis, CEO of OnShore Security, a managed security services provider (MSSP) specializing in managed detection and response solutions. "The reductions were outpacing increased efficiency coming from automation and other best practices. Cybersecurity spending and margins were going up, so we focused on that area."
Dealing with expanding threats
But to take advantage of the growing interest in security, MSP partners need to evolve. MSP cybersecurity used to center on mundane tasks such as patching and updating virus protection. Lately, the threat landscape has expanded to new areas.
Ransomware, for instance, has been gaining momentum. This malware invades a system, encrypts computer files and blocks legitimate users from accessing their systems. Once installed, cybercriminals hold the system -- and organization -- hostage. Unless they are paid a specific sum of money, the system is rendered useless. Recently, ransomware strains have gone from basic to extremely complex, resulting in more successful attacks.
Ken Ammonchief strategy officer, OPAQ
IoT security is another burgeoning field. Technology Business Research expects that IoT spending will increase from $370.3 billion this year to more than a trillion dollars in 2023, a compound annual growth rate of 24.4%. As IoT moves from to concept to reality, billions of new types of devices will be connected to the internet, widening the attack surface.
As new threats have emerged, challenges have arisen with the old-school MSP cybersecurity approach.
Traditionally, when a new threat emerged, vendors developed a new product that MSPs purchased. One result has been growing security expenses.
Also, security management becomes more complex because MSPs receive alerts from many different systems. As a result, some MSPs have trouble scaling their services in a cost-effective way. Another challenge is accurately identifying what is happening on their networks and then developing actionable plans for any needed remediation.
The traditional approach of simply protecting the network perimeter is no longer sufficient nowadays. "The network perimeter has basically dissolved with the advent of mobility and BYOD," explained Ken Ammon, chief strategy officer at OPAQ, which sells cloud-based network security solutions through MSPs and MSSPs. "Networks became more complicated and less structured. Security managers were putting more fingers in the dike, but managing systems has become too complicated, inefficient and mistake-prone."
MSP cybersecurity undergoing change
Because of the challenges, providers are rethinking how to package and deliver managed security services. Increasingly, the MSP has to talk more in business metrics and less in bits and bytes. "The MSP has to create a business case and sell security based on the potential risk that it presents to the business," Ammon said.
They also need to retune their business models in this new phase of managed service provider security. A seismic shift is occurring.
A question of survival
For a managed services provider, security is no longer an optional feature. Indeed, some industry executives believe MSPs must become MSSPs to meet customer expectations.
The demand for cybersecurity will cause many small-business customers to look for one provider who can meet both their IT infrastructure and security needs.
"A small business is not going to go out and hire a traditional MSP and separately a managed security service provider. ... This will cause the separation for those who do and don't have it," said Michael George, CEO at Continuum, an IT management software provider.
"I don't think this MSP [and] MSSP nomenclature is going to survive," added David Murphy, senior operating partner at Thoma Bravo, a private equity investment firm based in Chicago. "You need both to do what you are trying to provide: business insurance and business continuity. And you need both to do them well."
Murphy's company acquired Continuum from Summit Partners in 2017.
"The idea that you can be an MSP and not have contemplated how you provide some set of [security] services, I think, is an antiquated thought," Murphy said.
Murphy and George spoke at the Continuum Navigate 2018 Conference in Boston. -- Spencer Smith and John Moore
"The security industry is moving away from a product focus to developing security architectures," said Jawahar Sivasankaran, senior director, managed security business at Cisco.
"Of the four basic security fundaments -- policy, process, people and product -- product is the least important," added Larry Walsh, CEO and chief analyst at The 2112 Group, a channel market research firm.
In response, leading MSP partners are emphasizing process, policy and services more and products less.
"I've been in situations where the customer bought a [security information and event management tool] and after six months of implementation they realize they can't handle the data with current staff," OnShore Security's Valavanis explained. "Now, we try to lead with policy. Regardless of what solutions the customer asks for, we identify where it satisfies their policy -- and, of course, work with them to develop policy if they don't have it. This approach offers probably 10 times more bang for the buck than there is in buying any solution."
A focus on frameworks
To deliver such services, MSPs need to craft a comprehensive security framework and rely on it to help them ward off the bad guys. A good place to start is with blueprints from organizations such as the Center for Internet Security and National Institute of Standards and Technology. Their best practices include checklists that help MSPs identify how to help customers build strong security policies.
But moving from the old MSP cybersecurity approaches to the new methods can prove challenging. As noted, the security attack surface is growing. In addition, software is being updated more frequently. Consequently, managing the complexity of the system configurations has become more time-consuming.
How do automation, AI and machine learning ease security requirements?
Networks are expanding, the variety of application endpoints is growing and the type of attack is becoming more sophisticated.
The end result is more security alerts are being generated. Since MSPs typically do not have the financial resources needed to add staff, they want to use automation, AI and machine learning to offload security requirements.
Automation is the simplest form of computer intelligence. Here, a computer system completes one specific task, such as automatically sending an alert when network response times surpass a predefined limit. With orchestration, the system completes a series of tasks autonomously, such as configuring a new server.
With AI, computers demonstrate some degree of reasoning, for instance, image classification on a service like Pinterest. Machine learning gives computers the ability to learn without being explicitly programmed. Here, input shifts from people teaching computers via code to teaching with examples. Computers now are experts in areas like chess and Jeopardy.
Through the years, computers have been able to take on more tasks that had been done by people. With the volume of security alerts rising, the focus is now on using AI and machine learning to help MSPs respond to the growing number of security threats. -- Paul Korzeniowski
"We have been adding and replacing security tools on a regular basis," Valavanis said. "There is no such thing as 'it just works' in the security space, and there never will be. The challenge is first in the time it takes to evaluate the various solutions and then second in integration."
Once the connections are made, the emphasis shifts from digging into the bits and bytes of system security to a focus on higher-level issues. Security analytics are emerging to help in this area. Rather than bounce from system to system, these solutions use automation, artificial intelligence and machine learning to sift through the growing volumes of alerts that flood technicians' screens, cast routine alerts aside, highlight anomalies that may be problematic, and present MSPs with possible solutions (see "How do automation, AI and machine learning ease security requirements?").
This transformation requires not only a change in mindset but also a change in personnel. Finding skilled security technicians to staff an MSP cybersecurity operation is a vexing task nowadays. "The labor is tight everywhere today and in IT is even more competitive," MSPAlliance's Weaver said.
Rather than raid someone else, channel partners may try to develop their own experts to build their MSP cybersecurity expertise. They can work with local high schools, colleges and the military to find potential candidates and partner with third parties to train those individuals.
The growing cybersecurity threat offers MSP partners a way to prop up revenue and profits. However, the changing security landscape means that they need to revamp their business model and move from a product to a service focus.