Small CSPs: Up Your Security, Specialization Game or Risk Being Crushed

Darren Anstee

By Darren Anstee, Chief Technology Officer at Arbor Networks

Cloud adoption is growing across enterprise and small and midsize businesses alike, but SMB customers are moving faster, say analysts. One driving factor is agility — the ability to introduce new business processes, applications, products and services quickly while minimizing overall business risk. The enabling factor, to some degree, is the flexibility of cloud from a resourcing perspective. SMBs don’t need to make long-term capital investments in their own IT resources, they can simply use services to get the capabilities they need when they need them.

Resourcing flexibility and business agility are certainly benefits of the cloud, but they don’t wholly explain why SMBs appear, in some studies, to be adopting cloud more quickly. Another reason, based on anecdotal feedback, is again resourcing — but this time to address cyber risk.

Businesses today are well aware of the problems they face in scaling their internal security resources and expertise to manage risk. They’re concerned about a data breach and the damage a loss of customer or employee personal identifiable information could do to the business. Distributed Denial-of-Service (DDoS) is also top-of-mind, given the attacks seen last year against Dyn and increasing reliance on connectivity for virtually everything.

The risks posed by these threats have to be managed, but the skills needed to do this – including deploying and managing the required technology – are scarce and expensive, putting them out of reach of many businesses and partners alike.

That skills shortage represents an opportunity for cloud operators, and one on which the larger operators are already capitalizing. While partners need to remind customers that moving data and applications to the cloud doesn’t abrogate responsibility for their own security, utilizing the services and resources of cloud operators can help significantly. The larger cloud operators have emphasized their core competence and secure facilities but have also layered on security services and add-ons to differentiate themselves.

According to Synergy Research’s February 2017 cloud marketshare report, Amazon Web Services, Microsoft Azure, Google Cloud Platform and IBM Cloud continue to show momentum and lead the cloud service provider (CSP) market, while smaller CSPs are losing ground. The small-to-midsize CSPs’ collective market share has now dropped to just 18 percent, according to Synergy.

Does this mean small cloud providers will be pushed out of the market? Not necessarily. They may just need to change their approach.

Smaller enterprises and SMBs looking at cloud will gravitate toward CSPs that are perceived to have the specialized capabilities they need. Many smaller cloud providers offer benefits that the large ones cannot, such as a deeper understanding of their clients’ business and region, and the ability to …

… provide more customized solutions. But, in many cases, they have not focused on security – or risk management – as a core message. That’s a mistake, because risk management is key to the business agility requirement that is driving cloud adoption.

Make The Case To Go Small

Boutique CSPs need to address this by offering security services that are better tailored to local regulatory frameworks, allowing their customers to both better defend themselves and more easily address compliance requirements. In many cases, these CSPs will need to deploy technology and implement processes to secure themselves and their own data. By selecting the right vendors and partners, CSPs can capitalize on investments so that they can be leveraged to offer “sticky” managed security services to their customers.

Smaller CSPs can also offer better local language skills and services that store data and applications within nation/state/union borders, both of which could be desirable and differentiating to potential customers.

The big problem that smaller CSPs have, though, is lack of awareness. Smaller operators can’t compete with the marketing budgets and branding of the larger CSPs, but there are lower-cost alternatives that can be very effective. For example, most countries and regions have CERTs (Computer Emergency Readiness Teams) as well as various forums and groups that meet regularly to exchange security best practices, intelligence and trends. These forums are an ideal way of making potential customers aware of the expertise and knowledge operators have at their disposal through sponsorship and educational content (direct sales messages are frowned upon at these events).

It can be difficult to get started implementing some of these ideas, but some security technology vendors have regionalized data that they are prepared to share with their customers to aid in the provision (and sell-through) of services based around their technologies.

Smaller CSPs do not need to be pushed out of the market. They can survive and flourish — but only if they focus their efforts on the some of the key pain points that end-customers currently have. Security, resourcing and skills are problems today, and smaller CSPs could play a key part in solving them for a range of businesses.

As chief technology officer at Arbor Networks, Darren Anstee is responsible for the technology strategy of products and services that help customers see and understand network traffic in order to solve their most complex security challenges.