Should an MSP become an MSSP?
Hello, Habr! Today we want to share an interesting opinion from the TAG Cyber portal on the prospects for service providers (MSPs) to expand their business into cyber security, which would make them MSSPs (Managed Security Service Providers). Below the cut is an analysis of the experts' opinions from the latest quarterly report, including the 5 main obstacles that prevent MSPs from successfully developing expertise in information security. If you work for a service provider or would like to see such services in your MSP's portfolio, we invite you to take part in the survey and discuss the transformation of an MSP into an MSSP in the comments.
Businesses rely on service providers (MSPs). Today this is an indisputable fact: the size of the MSP market is estimated at about $200 billion. Most companies find it more convenient to outsource at least some of their IT. But if IT functions are handed off, it is logical to hand over information security along with them. To take on this task, security providers (MSSPs – managed security service providers) should already have proven practices and, under their contracts (if these were drawn up by the customer’s lawyers), take responsibility for breaches in information security systems if they lead to real incidents.
Today we will tell you how the emergence of cyber security services is seen by the experts of the TAG Cyber portal, who every quarter prepare a huge 100-page research report on the information security market. This is a truly respected publication (it is worth noting, at the very least, that TAG Cyber considers Acronis a “Distinguished Vendor” :)), and in the pages of the 2021 2nd Quarter Report you can find a lot of interesting things, including interviews, expert assessments, comparisons of information security solutions, analytics and even some technical material. However, the editors' position on the transformation of MSPs into MSSPs, and their practical recommendations for carrying it out, deserve special attention.
What does a small business need?
Although MSSP is only a fraction of the larger MSP market, its size is already estimated at $30 billion. On the one hand, TAG Cyber experts are confident that it could have been larger if many small and medium-sized businesses did not simply forgo information security measures for lack of budget. On the other hand, it is this deferred need that creates the preconditions for providers around the world to introduce security services. After all, these services could bring MSPs additional income while giving businesses the protection they need.
It is worth noting that, in addition to its quarterly research and reports, the TAG Cyber portal also runs the Cyber Corps program, which helps small businesses understand information security issues. Interestingly, according to feedback from its participants, entrepreneurs are well aware of the need for cyber protection, but often cannot decide what exactly they need in terms of information security. They lack the resources, the competence or simply the time for this.
Therefore, many businesses are inclined to hand information security over entirely to an MSSP and “live in peace”. In practice, events can develop in three ways: the customer can decide that everything is too difficult and simply push the information security problem out of mind (until the first serious incident); find an MSSP of their own and ask their service provider to integrate with it (which is difficult and does not always work out); or receive information security services from the same provider they already work with. It will therefore be easier for everyone if cyber security services come from the same hands as other IT services.
Transformation from MSP to MSSP
According to TAG Cyber, this transformation has already begun and has been gaining momentum in recent years (first of all, of course, in Western markets). An examination of the main problems that providers face along the way became the basis for a set of basic recommendations. They probably do need to be followed if the project to introduce new services is to become a profitable business and not a problematic hole in the budget. So, TAG Cyber recommends 5 basic steps that providers need to take before bringing MSSP expertise to the market.
1. Strategy: Most service providers fail to add the full range of security services to their portfolio at once. The reason is a lack of funds. Indeed, to cover the entire life cycle you need to implement several solutions at once, develop expertise and organize their promotion; in short, spend a lot of money. Therefore, it is best to start with the areas where the needs of existing customers lie. For some, this will be endpoint protection; for others, backup with recovery from the cloud, and so on.
2. Technologies: Once the direction for developing security expertise has been chosen, you need to decide what will be easier and more profitable: building it yourself, buying it or renting it (for example, by concluding an agreement with an MSSP provider). Before making a choice, providers need to carefully weigh the long-term financial impact of each model. For example, TAG experts note that partnership agreements are easier to conclude, but they often lead to a higher cost of services for end customers, which means a loss of competitive advantage.
3. Staff preparation and training: Let’s say the best way to implement the new solutions has been found. But before they start paying off, you need to provide technical support in 24x7x365 mode (and it is advisable to develop procedures for responding to detected incidents). Can the provider hire enough information security experts? Will training be organized to keep staff up to date with all the innovations in cyber security? If a partner solution was chosen to provide the services, will the vendor be able to provide timely briefings and support updates and upgrades? All these questions need to be answered before the new offerings are announced.
4. Integration: As Captain Obvious would say, “Information security cannot exist separately from IT.” But if you look deeper into the issue of integration, you can find many ways to simplify management and monitoring simply by having different management systems interact at the API level. However, some outdated systems do not integrate with anything at all without manual rework. And modern products sometimes just do not work very well with certain other solutions. So providers also need to make sure that the new services will work normally, without creating a zoo of systems and additional workload for staff.
5. Pricing: If all the basic issues are resolved, service providers can make a good profit from security services simply through scale, when the same solutions and employees serve different customers. At the same time, TAG experts note that providers can set quite high prices for truly expert support, but for basic services the greatest demand should be expected from small businesses, which simply cannot afford expensive services or develop information security expertise on their own.
So should we expect MSPs to become MSSPs?
Globally, adding MSSP services to an MSP's portfolio is a great business opportunity. However, not all providers are taking this path yet, because to provide security services it is not enough just to buy some new solutions or conclude agreements with existing MSSPs. The transition requires a phased plan, a sound strategy, and customer support. Therefore, the transformation of MSPs into MSSPs really is worth expecting, but it is likely to take place gradually and to end in success only for those companies that introduce new services step by step and in full accordance with customer expectations.