MSSP Survey Reveals Some Unexpected Ransomware, Cybersecurity Sales Numbers
Channel Futures' MSSP Insider study reveals security pros' strategies and characteristics.
As you might imagine, nearly every one of your rivals offers basic antivirus protection. In fact, 86% of partners offer it. (Talk about table stakes.)
When viewed as a whole, the top security products and services offered by partners are, after antivirus, managed firewall (82%), email security and protection (80%), malware protection (80%) and BDR and business continuity (BC) (79%). Nearly three in four partners who offer security solutions provide proactive monitoring and threat prevention. The same is true for intrusion detection and prevention, and secure remote access.
What jumps out from the report is the number of channel companies that offer ransomware prevention, which has grown to 71%. The reason why so many channel providers offer the service is obvious: Ransomware prevention is expected to grow into a $20 billion market. Ransomware has, in fact, grown into one of the more common threats. A late 2018 Datto study revealed that ransomware is now seen as the most significant cybersecurity threat to SMBs. These numbers help explain why: The average length of time that a ransomware attack lasts has risen to 7.3 days, according to Coveware’s Q1 Ransomware Marketplace Report. What’s more, the average cost to end customers affected has risen to almost $65,000.
In addition to ransomware prevention, channel partners offer a raft of additional services. Advanced services such as log management and penetration testing are offered by 45% of survey respondents, for example.
As for which security service will provide the best growth opportunities this year, survey respondents identified “management of security systems” as their top growth prospect. Solution implementation, not surprisingly, also rated high, but so did higher-value services such as “risk assessment and gap analysis” and “reporting, auditing and compliance,” which were indicated by 37% and 32% of partners as top three growth opportunities, respectively.
Just 2% of partners that offer managed services collect no revenue from security services. That said, nearly a quarter of partners generate less than 5% of their business from security.
At the other end of the spectrum, 11% of channel partners generate more than half their sales from security services. Across the board, 31% of managed services providers generate between 10% and 24% of their sales from security services.
Of those not offering security services and/or considering becoming an MSSP, nearly one-third expect security to grow to become 10-24% of their annual sales. Another 22% expect security sales to account for 25-49% of their revenue while 15% expect security to be more than half of their business.
Security services are literally transforming all kinds of companies. Take Rehmann, a 75-year-old accounting and consulting firm based in Troy, Michigan. The company’s core business is accounting, auditing, succession planning and wealth advisory services. But one of the fastest growing parts of the company is technology services, managed security services, especially. In May 2019, WatchGuard named the company its North American Partner of the Year.
Then there’s Secuvant, a West Jordan, Utah, MSSP. After years of working at top IT integration and consulting companies including Anixter and Forsythe Solutions, Secuvant founders Ryan Layton and Todd Neilson saw an opportunity to launch an MSSP devoted to the needs of SMBs that required the same level of cybersecurity as enterprise organizations.
When it comes to go-to-market strategies, 80% of channel companies offer managed security services through their core business, while 15% prefer to sell these services through a specialized subsidiary.
As for how security providers refer to themselves, four in 10 channel managed services companies consider themselves to be an “MSSP” today. That said, only 6% are “pure-play” companies that offer managed security services exclusively.
Of those who don’t consider themselves to be an MSSP, fully one-third of partners are looking to become one. Of those that are not currently an MSSP or considering becoming one, 19% work with a third-party MSSP such as Secuvant or Ingalls Information Security to provide managed security services to their clients. In all, nearly 40% of Channel Futures readers offer security services to fellow channel companies. Of those that don’t, 15% plan to do so in the future.
The reason for all the partnering is simple: In today’s environment, no one wants to turn away a customer who asks about security. This is especially true when you consider that studies from The Conference Board and others reveal that “cybersecurity” is the No. 1 external concern for CEOs today.
That’s no surprise to Mike LaPeters, vice president of global channels at AT&T Cybersecurity, who says, “security is collaborative.”
“If you try to go it alone, you are putting yourself and your organization in jeopardy. One of the things I love about our MSSPs is how engaged they are in the ‘security community.’ When you choose to work with one of these organizations, you are engaging with purpose-built, highly skilled experts in this rapidly evolving security landscape. What makes you more secure today is not the same as tomorrow and utilizing some of these experts can be your ticket to staying current and informed,” he adds.
What separates an MSSP from an MSP? It’s more than a single “S.”
Talk to experts and most agree that the difference comes down to talent, capabilities and investment, especially. Take infrastructure.
In the 2019 MSSP Insider study, we found that among those that consider themselves to be an MSSP, just 44% have built their own SOC. Another 42% leverage a third-party SOC, while 15% who consider themselves to be an MSSP have no SOC or access to one at all.
That rankles some purists who believe MSSPs are a breed apart.
“Unless you have a security operations center (SOC), a SIEM, a relationship with the likes of a Cisco or Palo Alto Networks, a team of white-hat and black-hat hackers, you have to realize your limits in security,” says Drew Lydecker, president and co-founder of Avant Communications. “If you don’t have these capabilities, you will need help, in other words, to provide customers the security that they need to feel safe and secure. Customers want to hear from MSSPs one way or another.”
Recognizing this, many companies such as Critical Start, a Plano, Texas, MSSP, have made significant investment to distinguish themselves in the market. Critical Start, for one, developed its own managed detection and response (MDR) capability internally rather than rely on a vendor as many others do. To do this, it had to achieve the Service Organization Control (SOC) 2 Type II compliance certification.
“We built a platform that could deal with massive amounts of false positives,” says Rob Davis, CEO of Critical Path. “As a defender, you never want to call something good that is actually bad. You won’t be in business very long if you do that frequently. What vendors do, however, is err on the side of caution. They will call something ‘bad’ even if there’s only a slight chance that it is. This, of course, leads to a lot of false positives. What’s interesting is as you add customer after customer, the number of those false positives becomes the biggest impediment to providing quality service. To overcome this, we built our own platform.”
Let’s face facts: There is effectively zero unemployment in cybersecurity today. This makes staffing an MSP and MSSP organization extremely difficult.
A year ago, the trade association CompTIA raised the alarm that the U.S. cybersecurity worker shortage is growing. It has continued to do so since.
Depending on whom you speak to, there are anywhere between 50,000 and 300,000 open jobs for cybersecurity experts today. Matthew Sigelman, CEO of Burning Glass Technologies, a Boston-based software analytics firm, has been widely quoted as saying the cybersecurity workforce would have to grow by more than 50% to meet the “market average supply and demand ratio” in all 50 states.
MSSPs can already feel the pain. Many say today they are paying a premium for talent — 20% or more in many instances for individuals with less experience and fewer credentials than some of the employees already on their staffs. (This will obviously cause some morale issues down the road, but what can a business owner do?)
One of the jobs that is the hardest to fill is that of the chief information security officer (CISO). According to our MSSP Insider study, 44% of channel partners say they employ a full-time CISO. Another 20% are considering adding one to their payrolls. But nearly one-third of channel companies have no plans to put a CISO on the payroll.
When it comes to top security certifications held by professionals working at channel companies today, the top ones are: CISSP (held by engineers at 43% of companies), CompTIA Security+ (31%), CEH (26%) and CISM (23%).
If you haven’t already, be sure to check out the online tool from Cyberseek, which provides a wealth of perspective on the IT security jobs market.
When asked, 27% of partners who sell managed services said they also sell emerging technologies such as AI, IoT, AR/VR and other emerging innovations. It makes sense that those getting in deep with security are also pushing boundaries with other tech innovations.
But securing new ideas isn’t the same as securing old ones, says Seth Robinson, senior director of technology research and analysis at CompTIA.
As Robinson explains it, digital technologies are turning out to be less reliable than physical ones — something he concedes is counterintuitive to many.
“We all know you can play a digital music file 1,000 times over and every play will be as good as the first, whereas a vinyl record will degrade over time. But digital technology isn’t as foolproof as that,” he says.
“Your call over a POTS line never drops, but your VoIP one does all the time. This is just one of many examples where digital innovation can disappoint,” he adds.
“Now view this through the lens of the IoT, which brings the physical realm into the digital one. Not only are there new business models and use cases to consider, there are new cyberthreats that were never planned for. Many IoT-enabled devices, for example, are closed and cannot be updated. Most have no built-in security. So it will take significant effort to secure emerging technologies — and not just in the ways people think,” he adds.
Securing IoT devices, Robinson says, isn’t exactly rocket science as long as you know what you are doing. The rocket science is getting customers to understand that adequately securing emerging innovations such as the IoT, AI and more requires an order of magnitude more care and money than traditional computational devices that have been connected to the internet for years.
When polled, 58% of those who consider themselves to be MSSPs (or are considering becoming one) said less than 5% of their customers have experienced a security breach in the past 24 months.
That’s the good news, of course. The bad news is 21% of MSSPs say that at least 10% of their customers have experienced a breach in the past 24 months. (Four percent say more than 50% of their customers have been breached.)
When hacked, 14% of MSSPs say they offer basic notification and documentation services but expect others to resolve the issue. Another 18% escalate a breach to a trusted third party. The overwhelming majority (64%), however, provide complete remediation assistance.
When looking at the market as a whole, top MSSPs see change among their customers. More, for example, are becoming comfortable with handing over their security needs to a trusted third-party adviser. So says Rob Davis, CEO of Critical Start, a Plano, Texas, MSSP.
“Outsourcing is a lot more accepted now than it was just three, four and five years ago,” Davis says. “Today, customers are looking for those who can detect and respond to threats versus just monitoring and managing their security tools.”
As customers have become more comfortable with outsourcing, their expectations have grown. Customers, Davis says, will no longer tolerate being left in the dark by their service providers. Nor will they accept being bombarded with warnings. For MSSPs to thrive, they have to find the balance of communications and protection for their customers.
As for those customers, they must accept the fact that they are woefully unprepared for the worst, says Drew Lydecker, co-founder and president of Avant Communications. Many, including the owner of a steel company Lydecker recently met with, don’t understand that they are a target of cybercriminals. Even those who do recognize their vulnerability don’t seem to be able to do much about it, a recent Avant study on the state of technology disruption found. In a study of 300 U.S.-based end-user decision makers, Avant learned that fewer than half of business leaders said they are fully prepared to handle a cyberattack or mitigate its aftermath.
Little wonder MSSPs have more business than they can handle today.
Ransomware attacks can strike at any time. Just ask Oli Thordarson, founder and CEO of Alvaka Networks of Irvine, California. One quiet Christmas holiday night, Alvaka’s website received a chat inquiry from an unknown but obviously distraught CEO.
“Can you help me?” the CEO pleaded.
The CEO’s problem: His company’s digital files were locked up by a cybercriminal who had breached the company’s defenses. What made the situation worse was that the CEO’s organization had just been acquired by a much larger company.
“Suffice to say, it was a serious problem,” Thordarson recalls.
Though it was the holidays, Alvaka sprang into action. Having dealt with threats to their aerospace and defense customers, Alvaka’s cybersecurity professionals knew what to do. Though it took time and effort, they unlocked the executive’s files and got the company back on its feet.
Unfortunately, stories like this are becoming more common in the ICT channel, where MSPs, VARs and consultants make diving catches every day. Many saves involve existing customers, but some involve companies that are complete strangers to managed security professionals. In addition to Alvaka, Networking Results, a Dallas-Fort Worth ICT services and solutions provider, has been contacted by strangers desperate for immediate security support.
While cybersecurity has turned into a lucrative field for many channel practitioners, it’s also evolving into a mixed blessing. While there’s money to be made, the sheer level of risk and work can be daunting. Just ask MSSP professionals how many hours they sleep at night.
For insights on how cybersecurity is reshaping the technology channel – and managed service providers (MSPs) and managed security service providers (MSSPs), especially – Channel Futures and Channel Partners joined forces on the “2019 MSSP Insider Cybersecurity Study.”
Among the results, we found that 85% of Channel Futures readers offer security services as part of their managed services offerings, while 75% of Channel Partners readers do. Of those that don’t offer security services as part of their managed services today, 7% of Channel Futures readers plan to do so in the future. Same with 8% of Channel Partners readers. This means that 92% of Channel Futures readers and 83% of Channel Partners readers will offer some security services to customers.
These are remarkable findings when you consider that these figures are higher than the percentage of channel companies that still resell hardware and software or who offer web development, according to various studies. No matter how you describe it, security is becoming a mainstay of the channel. But not all channel companies approach security in the same way.
While 80 percent of the channel offers some security services, only four in 10 channel companies consider themselves to be full-fledged MSSPs. (But that too is changing.)
In the slideshow above, we present our findings. Before we get to them, here’s a word about the study’s methodology: For the study, Channel Futures and Channel Partners polled more than 250 partners. The overwhelming majority (70%) offer managed services. Most offer IT solutions that combine hardware, software and services (63%), plus network and cloud integration capabilities (60%). As you might expect, more than half offer telecom-related services (59%), software and SaaS (55%), and IT support and/or help desk support (51%).
Survey respondents reported that they work in companies ranging in size from small businesses with between two and nine employees all the way to global enterprises with more than 1,000 employees. (More than half of survey respondents said they work for companies with between two and 49 employees.)
While more than 70% of respondents work at companies that are 10 years old or more, 12% work for organizations that are less than four years old.
Now for the findings of our 2019 MSSP Insider study. The first slide (see slideshow above) starts with services offered.