03 Oct Is It Time to Step Up Your Managed Security Services Game?
Most MSPs are missing out on advanced security revenue areas line incident response and remediation, SIEM, secure web access & more.
End users of all sizes are faced with a myriad of digital threats that can cause problems ranging from business disruption to reputation damage — or worse. In fact, last year there were so many breaches, ranging from the IRS to Wendy’s, that it was difficult to keep track of them, and this year’s breaches will likely eclipse 2016’s results. Earlier this year, for instance, the worldwide cyberattack by the WannaCry ransomware cryptoworm infected more than 230,000 computers in more than 150 countries in just one day. If that’s not bad enough, security experts predict that nearly one million new threats are released into the wild each day.
Confirmed: End Users Want Managed Security Services
Several industry sources show an explosion in security spending. Cybersecurity research and market intelligence firm Cybersecurity Ventures, for example, reports that the market has exploded from $3.5 billion in 2004 to an anticipated $120 billion this year. The firm predicts that over the next four year spending will exceed $1 trillion, driven by the increase in cybercrime.
This increase in IT security spending has set the stage for new growth opportunities in MSP businesses. Recent Gartnerresearch reveals that the largest expenditures in IT security are earmarked for consulting and outsourcing. The research also lists significant opportunities in detection and response as well as in preventive security such as security information and event management (SIEM) and secure web gateways (SWGs).
Most MSPs Are Missing Out on Advanced Security Revenue
The stage is set: Cybersecurity threats are increasing, and end users are committed to spending more money on solutions and services that can protect them. But, so far, the IT channel’s been missing out on this opportunity. A special research project conducted earlier this year by Barracuda MSP and The 2112 Group focusing on the North America managed services market revealed several surprises. Only 15 percent of the surveyed channel companies offer some form of security services today. Few service providers are offering comprehensive suites of security technologies, and most appear to provide point solutions that are tangential to their core managed services or product offerings.
Furthermore, the most common security technologies in service providers’ portfolios, based on the survey, are firewall and perimeter security, security helpdesk, data loss prevention, backup services, and endpoint security/antivirus. While these are all good foundational technologies, none of these offerings are considered advanced or sophisticated.
More sophisticated services, such as security policy management, incident response and remediation, SIEM, and cloud access services, are currently being offered by less than 10 percent of service providers.
Crossing the IT Security Chasm
Let’s face it: There’s a big difference — in labor and capital investment — between selling managed antivirus and offering an advanced security service like SIEM. Unlike the former, which requires little formalized training, the latter has traditionally involved an investment in a SOC (security operation center) along with a staff dedicated to the ongoing care and maintenance of the system. While that may be right for some MSPs, the statistics sited earlier suggest it’s too much of an undertaking for most.
Fortunately, SIEM vendors are paying attention to the IT security chasm, and some are now marketing their technology as a managed service. In other words, an MSP could use a subscription-based SIEM service, which eliminates the need for a SOC investment and technicians to manage the SOC.
As with other options that entail integrating complex technology and processes with sensitive data (e.g., security logs and events), the MSP will need to develop a high level of trust with the SIEM provider. Performing due diligence to ensure that security measures, limits of liabilities, and compliance requirements are met is a must.
However, if you’re worried end users are simply going to hire IT security specialists to provide advanced security services like SIEM internally, think again. Several studies show that there is a growing IT security skills gap. Plus, an MSSP (managed security services provider) is much better positioned to attract and recruit IT security talent because it can frame its security-as-a-service offering in such a way that supports qualified candidates’ salaries and allows the company to work as the outsourced IT security service provider for several customers.
When you think about it, there may be lots of excuses to avoid ramping up your security services offerings and selling advanced security solutions and services, but it’s hard to come up with a viable reason to put it off any longer.
Chris Crellin is senior director of product management for Barracuda MSP.