The MSSP landscape faces big changes in the months ahead from widespread consolidation that likely will lead to standardization of services.

That’s according to Mike LaPeters, AlienVault’s vice president of global channel sales. He and Paul Barnes, Webroot’s senior director of product strategy, spoke with Channel Futures’ MSSP Insider about the challenges MSSPs face and why there likely will be fewer and fewer good MSSPs despite the booming market.

The global managed security services market was valued at $16.6 billion in 2016 and is projected to reach $56.4 billion by 2024, with a compound annual growth rate (CAGR) of 16.6 percent, according to Esticast Research and Consulting. With the surge in cybercriminals and cyberattacks, organizations are compelled to either enhance their in-house security systems or outsource the managed security services from the best MSSPs, it said.

The MSSPs that are doing “really well” are being acquired or consolidated into other organizations, LaPeters said.

“There’s a big consolidation that’s going on right now that will probably be announced in the next four weeks or so, and that’s going to be significant because it will be consolidation of probably four or five different midsize MSSPs into one organization,” he said. “I think that’s the type of stuff that we’re seeing across the market right now.”

One of the benefits of consolidation will be less niche and more standardized services, LaPeters said.

AlienVault’s Mike LaPeters

“There [are] more of them that are just saying, ‘We’ve worked with hundreds of customers or thousands of customers, and we’ve determined that these three steps of service offerings fit 90 percent of the customers, so pick your offering and then we’ll go from there,’” he said.

One potential drawback that could result from consolidation could be a “slowing of the ‘evolution of ability,’” Barnes said.

“I hope we don’t see that in this space because, with the fact that security is evolving so quickly, you need those crazy, fringe people to go out there and really dive deep into solving problems,” he said. “So my hope is that with this consolidation, we’ll still have the ability to continue to solve really tough problems in really kind of unique situations. My hope for the future is that we take advantage of what consolidation brings, but we don’t let it lead us to complacency.”

There are three major challenges that MSSPs are facing, LaPeters said.

“First off, there is this rapid or super-accelerated proliferation of threats,” he said. “MSSPs, while it’s a huge opportunity for them to offer services to help customers react and respond to this, it’s really challenging to be prepared to respond to that. Challenge No. 2 is hiring and retaining a staff that can help address these problems. And when they do get somebody who’s really good, their competitors, other vendors, the customers, are tapping those experts on the shoulder and trying to recruit them away.”

The third challenge is …

… knowing the right mix of services that will appeal to customers, LaPeters said.

Webroot’s Paul Barnes

A common mistake MSSPs make is sticking to a single product or service, Barnes said. Also, MSSP scalability and growth will be impacted by not employing automation within operations. Predictive analytics/machine learning/artificial intelligence (AI) can help identify the most important events, and security orchestration can help automate response/prevention, he said.

“The MSSP is as only as good as its staff, not having the right expertise will be detrimental to the success of the business,” he said.

The MSSPs that stand out above others understand how to assign value to the service they’re delivering, LaPeters said.

“The second thing that makes them stand out and separates them is the quality of their people,” he said. “They’re pretty consistent on how they go about recruitment, but the ones who really knock it out of the park are the ones that view security talent as a long game. It’s not about how I recruit the most amazing security person that’s out there in the field today. They’re recruiting, in some cases, starting at the middle school level, going into schools and educating on the challenges of security and how technology helps offset that, and it starts that dialogue super young. They cater to that group when they get into high school, and then when they get into college, they put programs in place to get these kids to go through interning, and then their No. 1 source of employees [is] directly out of college.”

You can build loyalty from a very young age as opposed to just “hiring the guy for the highest amount of money, and then you can lose that guy just because somebody else offers more dollars,” LaPeters said.

There’s “extreme interest and everyone wants to be a MSSP,” it’s just that at the end of the day it’s really hard, he said.

“And what I’ve found is there are a lot of MSPs, they won’t dip their toe in the water, they’ll just go right into the deep end, and they’ll realize it’s pretty deep and they’ll sink immediately,” LaPeters said.

Barnes said he’s seeing MSPs that are not so much transitioning into a MSSP, but instead “still want to manage the IT, the ISP, the telephony side and all the standard IT services, but they spin up an arm to that business, maybe a rebranded arm perhaps to offer more of that MSSP service capabilities, typically offered at a different price point and a different package.”

“MSPs that are laser-focused on the IT services side of things and less so on security services, they will often partner with an established MSSP,” he said. “The less sophisticated guys are struggling with the security services … they can’t look beyond the endpoint, but they’re definitely getting pressures from their customers to offer more broader services.”