In this article, sponsored by SolarWinds MSP, we examine the key ways managed security firms get it wrong - and what they could do differently.
With global annual sales predicted to double in the space of half a decade, the managed security services sector is set to be one of the biggest growth hotspots the IT market has to offer in the coming years. A study from Technavio last year predicted that, between 2016 and 2020, the worldwide market would enjoy a compound annual growth rate (CAGR) of 12 per cent. Data from another analyst, MarketsAndMarkets, points to an even more upbeat future, with a five-year CAGR of 14.6 per cent in the period up to 2021. This would see the market's worth expand pretty much twofold during that time, from $17.02bn last year to $33.68bn in 2021.
This growth dovetails nicely with Channelnomics Europe's own research, conducted last year, which found that a little less than half - 47.5 per cent - of end users we surveyed are currently using managed security services. Which adds up to plenty of room to grow into and, for the channel, a lot of business out there to be won.
But, then again, there are factors which have prevented the other half of the end-user landscape from adopting managed security services. And before VARs and MSPs can reap the benefits of operating in this high-growth market, they must make sure they are able to lead their clients over these barriers. And to do so, they must avoid these five - sadly still all-too-common - mistakes made by wannabe MSSPs.
You may be a hugely experienced security VAR, or an MSP that has been offering its customers the likes of communications, productivity tools, and enterprise software as a managed service for years. And, if you are either of those things, branching into managed security services offers huge opportunities, to be sure. But, if you think generating sales will be no more difficult than going to your client base and telling them about your latest offering, you are sorely mistaken. Cost and productivity benefits make a compelling case for end users to move many parts of their IT estate to a managed services model. But security is too important to skimp on.
Our research last year found that about seven in ten of those CIOs who have yet to adopt managed security services - who themselves are in the majority - have declined to do so simply because they prefer to keep security in house, regardless of whether doing so costs them money or time. And, among those who do work with one or more MSSPs, cost is not a major determining factor in picking which IT security providers to give their business to. Of far more relevance are technical certification and water-tight SLAs. Managed security services is not just an extra tab on your website, or another pitch to get your cold-callers to add to their script. It requires a consultative sell, in which prospective MSSPs must demonstrate comprehensive technical skills and rigorous attention to detail - as well as clear business benefits.
Promising the earth
Ten to fifteen years ago the IT security space was like a cowboy movie: there were good guys, and bad guys, and the difference between the two was obvious and easy to understand. Vendors and their reseller partners were the sheriff, keeping the bandits at bay and the townsfolk protected. Nowadays, the sector is more like the real-life Wild West - a dark and lawless place, where no-one is ever truly safe.
We live in a world where even the biggest multinational companies and the governments of global superpowers can be the victims - or, indeed, the perpetrators - of a breach. Everyone can, and will, be hacked - it is simply a matter of time. This means that those that create and sell security solutions need to change tack in terms of how they position and market their offering.
Promising that you can rebuff all threats, and keep the bad guys out without exception, is a falsehood and a folly that will not only be easily seen through by any IT leader worth their salt, but will also do no more than create ill will for you in the future. The focus needs to change to a strategy that centres on detection and mitigation - catching breaches as swiftly as possible, proactively combating them and limiting their damage and, crucially, trapping and isolating the source of each successful attack and gathering as much intelligence from it as possible.
Not automating enough
When it comes to managed services, the clue is in the name. A true MSP, or MSSP, has a business that is built on software and automation. As much as many break-fix providers would like to believe that becoming a managed services player requires nothing more than a little touch-up of their branding and marketing message, you are managing precisely nothing if the only intelligence at your disposal has been gained from emails and phone calls from your customers. Managed services, by its very nature, is inherently proactive - not reactive.
And an MSP's offering only becomes compelling for end users - from both a technical and a cost perspective - once it is truly automated. Anyone offering a managed security service needs to know about every threat and every breach as it happens, which cannot be accomplished without investment in software platforms and automated processes. Only then can you achieve the necessary real-time insights and economies of scale needed to make the MSSP model work.
Automating too much
But, while the bedrock of a successful managed security service is a solid technological foundation, the human element is crucial - from both an MSP and an end-user perspective. Our research last year found that, aside from shifting away from a CapEx model, by far the most attractive reason for adopting managed security services - as identified by CIOs - was gaining access to a much greater level of security expertise than was available to them in house. And, in terms of what security services they obtained from their IT partners, consultancy was easily the most popular, having been adopted by about one in three end users. This compares with about one in six for perimeter network management, and one in ten for compliance monitoring.
For channel players moving into managed security services, maintaining a wealth of high-end consultancy and engineering skills is crucial. Every threat and every breach is different, and fighting each one and learning from it requires not just advanced technology, but human insight and expertise.
What is more, the biggest and most vulnerable attack surface is not any part of a company's infrastructure, or software stack. It is, and will always be, its people. The source of so many breaches is human error - especially in an age when such a large proportion of the workforce is introducing their own, often unsecured, mobile devices into their employer's client estate. You cannot automate, nor predict, nor often even effectively analyse human behaviour. But MSSPs can play a key role in helping their end-user customers educate their workforce on security risks and how to avoid them, and perhaps even implement official guidelines and codes of best practice. All of which requires a bespoke, human-centric approach.
Any security channel player who has been around for a couple of decades or more has likely built their business on the technology offered by product vendors who manufacture content or network security tools. Partnerships with familiar names from the firewall and/or anti-virus space have, no doubt, proven very fruitful for many security VARs over the years, providing healthy sales margins, and juicy rebates. It can be hard to turn your back on such a long and profitable history.
But, if you want to continue to prosper in the world of managed services, turn your back you must. Moving away from product or break-fix sales is daunting, and - make no mistake - comes with a threat of short-term expense and reduced cashflow, as you invest in the necessary technical platforms and skills, and move toward a business model predicated on piecemeal OpEx revenue, rather than big chunks of CapEx. But failing to make this move comes with the mid- to long-term certainty of irrelevance and extinction.
Your loyalty to brand-name product vendors may have served you well and rewarded you richly over the years, but right now it is holding you back. However, even in a managed services world, you still need to identify and team up with the right technology partners. If they want to evolve into MSSPs, resellers and managed services partners need to find an IT service management or monitoring platform whose technology they can rely on. It is imperative that you do your research, talk to your employees and customers, and find a platform and a vendor partner that is right for you.