**Editor's Note: This is one of two columns looking ahead at factors that will affect the managed security services market. Find the companion piece here.**
Was B.B. King having a premonition about managed services when he wrote "Let the Good Times Roll"?
You be the judge: MarketsandMarkets’ Global Forecast predicts that the managed services market will grow from roughly $152 billion in 2017 to almost $258 billion by 2022, a CAGR of more than 11 percent. The primary drivers are complexity of infrastructure and compliance requirements.
The subtext of the complexity factor is migration of workloads from on-premises systems to cloud providers – a task that is frequently contracted to a third party by businesses that are hard-pressed just to manage core IT services.
The forecast numbers for cloud adoption, if you believe Cisco, show companies “wanna spend some cash” in the cloud, as B.B. would say. By 2021, 94 percent of workloads and compute instances will be processed by cloud data centers; 6 percent will be processed by traditional data centers. Also by 2021, 75 percent of total cloud workloads and compute instances will be devoted to software as a service, up from 71 percent in 2016, and 16 percent of the total cloud workloads and compute instances will be IaaS, down from 21 percent in 2016.
What we can discern from this forecast is that service providers will be pushing their customers’ applications into cloud data centers. They will be recommending SaaS solutions for applications that can't easily and efficiently run on hosting provider infrastructure. Customer applications don’t migrate themselves, and this bodes well for providers with expertise in cloud service delivery.
Then there’s today's hot topic, compliance. In the IDC study “Western Europe GDPR Impact on Security Services and Software Forecast, 2016–2021,” some very positive growth numbers are directly attributed to adoption of the General Data Protection Regulation (GDPR). IDC says GDPR-related spending presents a $2.3 billion market opportunity in 2017, forecast to grow to $3.7 billion in 2019. The report concludes with a very interesting forecast: GDPR will drive a substantial chunk of security investment right through 2021, propelling security services and software compound annual growth in the U.K. to 20.3 and 18.8 percent, respectively.
That is almost double the 11 percent global forecast for the entire managed services industry. If U.S. companies see their peers get hit with big fines, that uptick will likely spread across the Atlantic.
Do these big growth numbers mean big changes for IT service providers? Unequivocally, yes.
For virtually all consultants, digital service providers, VARs and MSPs, your business is going to grow in a very specific direction — like it or not. Still want to resist cloud? Don’t answer the phone, don’t return emails from potential new customers and keep providing the same services you always have. But bucking the as-a-service trend is a good way to ensure your firm becomes irrelevant by 2021.
Out: On-premises data centers. Even Cisco says we will be “off-the-tin” soon. The appetite for upgrades of on-premises hardware is dwindling. In: Cloud platforms and brokering SaaS solutions, such as Microsoft Office 365, Google’s G-Suite or CRM applications like Salesforce.
The important part of an MSP “cloud first” strategy is to establish your firm’s competency in moving customers to the right cloud-based services. Properly structured projects provide a great opportunity to turn per-seat SaaS licenses (or bills for cloud services) into monthly, recurring revenue with a corresponding reduction in the support cost of on-premises infrastructure.
A Look Ahead: Skills and Services
Specialists needed: Analysis from Gartner suggests providers are in for a profound change in the security offerings they deliver. In a 2017 report, the research firm said 40 percent of all managed security service contracts by 2021 will be bundled with additional, specialized security-related services and broader IT outsourcing, compared to 20 percent today. Those “other security services” run the gamut from end-user security training to penetration testing and digital forensics to incident response.
How are you going to deliver these ancillary services? All indications are that the traditional endpoint-centric model must change.
Fear sells: In an extensive research paper titled “GDPR Compliance and Its Impact on Security and Data Protection Programs,” Osterman Research provides – at least from an IT provider or MSP perspective – the ultimate security ROI metric: “Any measures implemented in line with the GDPR may reduce the severity of any fine levied for noncompliance. For example, supervisory authorities are required to take into account the organizational and technological measures that have been implemented (Article 83(2)(d)), and adherence to ‘codes of conduct’ or ‘approved certification mechanism’ (Article 83(2)(j)).”
The “technological measure” and “approved certification mechanism” are generally seen as efforts to be compliant under the U.K.’s Cyber Security Essentials (CSE) program. Since its introduction in 2014, CSE has evolved to become a de facto minimum data protection standard in the U.K., and companies globally could do worse when it comes to a baseline set of policies and controls. In a paper, Dr. Jose M. Such provided a qualitative assessment of the controls required by CSE, suggesting that more than 69 percent of cybervulnerabilities are completely mitigated by CSE, and roughly 30 percent of cybervulnerabilities are partially mitigated.
The Osterman Research paper delves into precisely what technical services a business needs to implement to achieve compliance. All are easily within reach of a “compliance as a service” bundle. The top four data-protection technologies that organizations will spend more on during the next 12-18 months to specifically address GDPR are data-loss prevention (48 percent), network protection (44 percent), endpoint protection (40 percent) and encryption of data at rest (38 percent).
But tools are only part of the story. Gartner says GDPR will help drive $93 billion in global security spending in 2018. Those in the channel able to offer consulting and implementation support are best placed to reap the rewards from GDPR, SaaS and migration of customer infrastructure to the cloud.
Cloud providers up their security games: Let’s assume a massive shift away from on-premises infrastructure and toward software and security (and other needs) delivered as services. Let’s also assume (or hope) that in the next couple of years, public-cloud access controls are locked down and stopped from publicly exposing customer data. If we also accept that by 2021, 75 percent of the total cloud workloads and compute instances will be SaaS, all of a sudden, the customer data we need to protect resides inside these locked-down applications. That means access controls like multifactor authentication and certificate management might become the must-have security controls of the future.
We might be on the threshold of building a “data free” local-area network, where all the data needed by your customer resides in interconnected public-cloud applications and the majority of the security spend will be on identity and access-management controls.
Other predictions: Despite hardening, no public cloud or SaaS offering will be impenetrable; there will be an increased need for web-application firewalls and ancillary services such as penetration tests, specifically against those very SaaS vendors.
One certainty: There will be a future for MSPs willing to adapt. The question is: How are you going to grow and prosper in the cloud, SaaS and compliance-as-a-service era?