Adding AI: Why MSSPs Now Need to Expand, Not Consolidate
MSSPs are uniquely placed to be able to take advantage of the market opportunity by integrating AI and generative AI into their offerings.
November 14, 2024
MSSPs look to be one of the few groups to benefit from the current state of flux in the economy, the cybersecurity sector and the digital realm. Cash-strapped businesses are suspending investment, cutting staff and choosing not to renew software licences, according to the ISC2. They’re also facing unprecedented cybersecurity skills shortages, with 4 million needed globally, almost equivalent to the number employed (5.5 million), resulting in a dearth of available talent. Both these factors have contributed to an increased demand for outsourcing, with Canalys predicting managed cybersecurity services and solutions will grow by 12.9% and 9.9%, respectively, this year.
But those figures pale in comparison to the market potential of another disruptive force: artificial intelligence (AI). The Mission Critical: Unlocking the UK AI Opportunity Through Cybersecurity report predicts the global AI cybersecurity market will be worth $135 billion by 2030. To put that into perspective, the MSSP market is currently estimated to be worth $35 billion and is expected to reach $62 billion by 2029, according to a report from Mordor Intelligence. And MSSPs are uniquely placed to take advantage of this by integrating AI and generative AI into their offerings and by offering assurances, alleviating concerns and taking much of the risk out of the process on behalf of their customers. Yet, in line with the rest of the market, most MSSPs are still caught in a conservative stance.
A Reversal of Mindset
The key focus for the channel over recent years has been to consolidate the cyber stack to reduce complexity. In fact, 92% of MSSPs were consolidating their offerings and 70% were intent on consolidating more just over two years ago. This made a lot of sense at the time as it enabled the MSSP to eliminate duplicated functionality, minimise management demands and reduce swivel chair operations, which saw the analyst switch between dashboards. But with the advent of AI, the pendulum has swung back. Now MSSPs need to switch into a different mode and look at how they can expand their offerings or risk being left behind.
It's undoubtedly worth taking the plunge, with the Integration of AI in Cybersecurity Operations: The Future-Ready MSSP paper from IDC revealing that the adoption of AI in security information and event management (SIEM), security orchestration, automation and response (SOAR), and the security operations centre (SOC) can improve threat detection accuracy, reduce response times and provide greater operational efficiency. The report goes on to suggest that forward-thinking MSSPs should develop strategic road maps which show how AI will be accommodated.
AI has, of course, been with us for some time in the form of machine learning, such as in behavior analytics, which uncovers anomalies and suspicious behavior. However, gen AI advances the potential for customisation significantly. Large language models can, for example, be used to provide automated summaries for reporting or compliance purposes, dramatically reducing workloads. But the danger is that MSSPs won’t make the most of this personalisation and in doing so, miss a trick.
Learning from Past Mistakes
We’ve seen this happen in the past when SOAR was first adopted in the channel. Many MSSPs chose to restrict their use of the technology to just data consolidation, enrichment and normalisation, and didn’t fully exploit its functionality by utilising playbooks to automate incident response. As a result, customers saw very little benefit and MSSPs didn’t use it to address alert fatigue and alleviate SOC workloads. Automation can be a real differentiator for an MSSP but only if it’s allowed to live up to its potential.
Similarly, gen AI has the power to transform aspects of existing solutions. Take the SIEM, which can suffer from high numbers of false-positive alerts: these can now be qualified using contextual threat prioritisation. Currently, this sees the SIEM use observation metadata, such as tactics, techniques and procedures from the MITRE ATT&CK framework, to add context to observations and group them into incidents, decreasing the number of false positives. Generative AI will also see more parameters applied by referencing other sources, such as threat intelligence reports, resulting in faster and more accurate threat detection and incident response (TDIR).
Adding AI will therefore greatly enhance the existing MSSP portfolio and allow them to accelerate and customise service delivery over a multi-tenanted SOC. But to get to this point they need to work closely with vendors to realise suitable ways of integrating the technology, build out a strategy that prioritises AI, machine learning and automation, and bring their customers with them on the journey by showing how the technology can aid service delivery rather than keeping it from view.
Bear in mind, too, that while the market may now seem in a state of flux, that’s nothing compared to what’s coming. Once AI begins to augment and even take over some workflows, threat actors begin to leverage it to create code, phishing emails and deepfake attacks, and enterprises realise it’s fast becoming a "must" rather than a "nice to have," the floodgates will truly open. And we’re not talking years here. Gartner estimates that 80% of enterprises will be using the technology by 2026, which means MSSPs can either ride the wave or get washed away.