How MSPs Can Get a Foothold in the Gigantic Managed Security Market

It’s become abundantly clear in the last 18-24 months that cyberattackers have turned their attention toward small and midmarket businesses. In 2016, more than 60 percent of breach victims were SMBs, and half of those that were hit shut their doors within six months of the attack, according to the 2017 Verizon Data Breach Investigations Report. Business owners have had to admit that cybersecurity isn’t just an enterprise-level concern any longer.

“The conversation has moved from ‘that will never happen to me’ to ‘it happened to my friend or to us already,’” says Jason Graf, director of managed security services at Sword and Shield. “They’re telling us they don’t have a clue what they’re doing.”

A full 80 percent of SMB owners recognize that today’s cybersecurity solutions have to go beyond basic antivirus, anti-malware and firewall solutions. A report by G Data Security says there were nearly 2 million new malware specimens in the first quarter of 2017 alone, more than 70 percent higher year over year. That equates to an average of 858 per hour.

Jason Graf

Jason Graf

But the astronomical cost of building a cyberdefense in house is prohibitive for most small business owners. All of this together has created a perfect storm of opportunity for partners that provide threat detection, incident response and compliance, says Mike LaPeters, VP of global channel sales at security solution provider AlienVault.

“It’s an incredible time. We’re sitting in an inflection point where security is becoming so hard to stay ahead of that the average user just isn’t capable,” says LaPeters. “They don’t have the infrastructure, resources or capabilities to respond to what’s going on.”

Most SMB IT professionals are generalists just trying to keep the lights on and network running. While they have to defend against millions of variants, malicious actors only have to find one that works to cripple an organization, sometimes beyond saving. The impossibility of that challenge is a huge market driver. Allied Market Research projects managed security services to be a $40 billion space by 2022.

Six years ago, Terra Verde was a pure play IT consulting service provider that was increasingly fielding requests from customers to provide cybersecurity, governance, risk and compliance-consulting offerings. CMO/CSO Mark Dallmeier says Terra Verde’s story isn’t all that dissimilar from other providers that have made the shift into managed security services. The company saw a market opportunity, received pressure from customers, and made the pivot. Today, Terra Verde provides cybersecurity program design, policy procedure and development, and robust governance and regulatory compliancy services.

The governance and compliance part of that equation is critical. Cybercriminals have easy access to next-gen tools and technology. No matter how fast security solution vendors can release technology, the criminal elements operating on the dark web will be two steps ahead of MSSPs and consulting companies in reverse-engineering and exploiting those solutions. End users have to be taught proper behavior to supplement technology.

“We need to think about how to create balance and a blend between next-gen technology; optimizing and enhancing or transforming cybersecurity policies and programs: regulatory compliance policies and procedures; and those underlying services that each one of those programs are providing,” says Dallmeier.

Graf says a lot of Sword and Shield customers signed on because regulatory compliance initiatives like PCI or HIPAA say they have to. But these compliancy initiatives are not only healthy for an organization, they can also serve as the only thing that make users sit up and act right when they’re connected to the network.

“In a perfect world, we could do mere prevention, a lot of education on best practices, patching systems and security-awareness training,” says Graf, “but 80 or 90 percent of the time, the end user takes a phone call and gives out too much information or takes a thumb drive and uses it, not understanding the risk.”

LaPeters says one of AlienVault’s customers uses the thumb-drive test as a way to benchmark clients’ security awareness. The MSSP drops a few cool-looking USB drives in the parking lot and waits to see how many people pop it in their computer. The results make customers hyperaware of where their security practices fall short. A few months later, after training and program implementation, the partner conducts the test again to see if the client has made progress.

Mike LaPeters

Mike LaPeters

“We’re never going to solve security issues until people stop being so boneheaded, but I don’t think that’s ever going to be fully resolvable,” says LaPeters. “If you want to protect yourself from bad things on the internet, then turn of your computer. There’s no such thing as 100 percent secure.”

The cybersecurity conversation has therefore shifted from prevention to response and remediation, which requires a technical expertise beyond most SMB IT professionals. This opens the doors for MSSPs, which today don’t need to engage in heavy-handed sales pushes to convince customers they need managed security. Customers are coming to them.

For traditional MSPs that want to get a foot in the door in the MSSP market, Graf, Mark and LaPeters all say that most partners already have a lot of the foundational capabilities necessary for a successful practice.

“We were a traditional MSP for 20 years, and only got into managed security services five or six years ago,” says Graf. “We just leveraged the same relationships, and the idea that we can be your trusted partner for security needs. If it’s attainable in the budget, you can’t give them enough assistance.”

Ransomware, says Graf, is so successful because malicious actors can use the same attack method to extract different levels of value out of different victims. Ironically, that same value cybercriminals get out of these data breaches is the exact value proposition MSSPs offer their clients. Once a user loses data they can’t get back, it’s easy to sell them on the need for supplemental security services. Since MSPs already have a foot in the door providing managed IT services, it’s easy to elevate the conversation to managed security.

Over at AlienVault, LaPeters says that the transition from managed services to managed security services is foundational to everything his team is focusing on. He says nearly everyone wants to make that evolution because they don’t want to be left behind.

“If you don’t do it as an MSP, then someone else will. And if you lose that security piece, odds are the other company is going to take your other services as well.”

Moving into managed security doesn’t have to mean an overhaul to an entire business structure and offerings portfolio. LaPeters says MSPs can dip their toes in the water with something like security monitoring, or go all the way through managed detection and response where they’re actually mediating cyberthreats. AlienVault is hard at work putting together a smooth evolution for partners wanting to transition to an MSSP model without having to build an entire research and development team.

“There [are] probably only a couple thousand true MSSPs,” he says, “but there [are] more than a hundred thousand MSPs wanting to make that move because if you just do managed services, you’re going to be in a really tough spot three years from now.”

Dallmeier says it doesn’t have to be as complicated as a lot of partners think. If an MSP is successful in the infrastructure space and proficient at handling moves, adds, changes and deletes, they can apply those same methodologies and best practices to cybercompliance. Managed IT services is all about constant evolution, anyway. MSPs build their businesses on modernizing underlying technology, infrastructure, appliances and software stacks, so evolving to include managed security should be nothing all that different.

“It’s standard operating procedure that comes with the job and has for over 30 years,” Dallmeier says. “Organizations get into trouble when they stop thinking about cybersecurity and compliance in that manner and start thinking it’s so unique and different they can’t apply or modify existing best practices they might already have in place to cyber and regulatory compliance.”