Explaining the complex world of channel partners in cybersecurity and looking at their past, present, and future
Simplifying the complex world of channel partners, looking at their evolving roles, as well as trends shaping the future of this market segment
The critical role of the channel partners in the tech ecosystem
A startup’s growth potential is often constrained by its access to capital, the ability to attract the right talent, and the systems and processes it puts in place, among many other factors. Getting from $0 to $1M ARR can be done solely because the founders are true hustlers; growing from $1M to $10M can be achieved by expanding the company’s sales force. Going to $100M and above in annual recurring revenue while only relying on internal resources is hard, often not possible, and generally unnecessary because of the presence of important market players - channel partners.
Channel partnerships are not a cybersecurity invention: they are a critical part of the distribution network for all kinds of products and services. Take Shopify, one of the world’s largest e-commerce platforms, as an example: in 2019, the company's revenue was around $1.5B whereas the partner ecosystem generated more than $6.9B. The 2021 State of the Channel Report found that the leading cloud providers - Microsoft, Google, and Amazon - are moving away from direct sales and doubling down on channel partnerships. Microsoft, for instance, has been heavily relying on its partner ecosystem to deliver products and services to end customers. It has invested more than $5.2 billion in its channel partner program, and as of 2019, the partner ecosystem was responsible for 95% of Microsoft’s commercial revenue.
Types of channel partners in cybersecurity
Channel partners are critical for cybersecurity because no company can reach millions of businesses around the world on its own. Establishing and maintaining relationships spanning countries, languages, time zones, and industries is not feasible without reliance on partner networks.
The term “channel partner” is quite vague as it does not delineate the variety of players and business models that exist around the general bucket of “cybersecurity service providers”. In the context of security, the following are the typical players in the channel space:
Strategy consultancies that help companies establish & manage their security strategy
Resellers/value-added resellers (VARs) that help companies to select vendors so that the security strategy can be implemented
Integrators that decompose the strategy into separate projects, bring experienced engineers and architects to handle the technical implementation of security solutions, and tailor technical capabilities to solve customer problems
Managed security service providers (MSSPs) and managed detection & response services (MDRs) that take care of the ongoing security management, custom detection work, monitoring, and support
Channel partners in cybersecurity: a deeper look
Security strategy consultancies
“Cybersecurity consulting” captures a very broad area of services, and when used liberally, it can mean just anything - from strategy to hands-on penetration testing. What is described here focuses on the first step in securing the organization - understanding the company's needs and developing a security strategy. While it is commonly done by security leaders such as CISOs, many companies choose to involve unbiased third parties, experienced in developing and implementing effective security strategies across many organizations.
Cybersecurity is one of the fastest-growing types of services offered by the world’s largest consulting firms. Consulting companies such as Deloitte, EY, PwC, and KPMG help governments and the private sector understand where they are today in terms of security and how to get to where they want to be tomorrow. First and foremost, they add value by acting as trusted advisors to CISOs and company leadership to understand the business objectives, and the risks the company is facing, as well as its strategic focus to develop a roadmap for implementing holistic security.
From resellers to value-add resellers
After the security strategy is completed, the organization needs to select products and tools to have it implemented; this is where resellers come in. To understand the role of the resellers in the ecosystem it’s important to look at their evolution.
There was a time when security was seen as a product selection problem. In other words, a customer would come to a reseller and ask for, say, the “best-of-breed antivirus and a firewall” knowing that a reseller has a preexisting relationship with security vendors and can choose the “right” one. The customer would then deploy these “right” products in their environment, and instantly get the feeling that “all problems are behind, we are now safe”. Since, with the small exception of large enterprises, most businesses couldn’t try tools and solutions before buying them, going to a reseller was the only option.
In recent years, the role of resellers has been evolving. As the industry matures and moves from promise-based to evidence-based security, more and more organizations are realizing that securing a company is more nuanced than finding the best tool. Security is starting to be seen as a process rather than a feature, and therefore companies are increasingly looking for solutions to their problems rather than “the best product”. Moreover, cybersecurity vendors are actively leveraging the SaaS model to go direct, supercharged with self-serve capabilities. All this enables buyers to procure products and services directly, without any need for intermediaries, and then conduct trials and POCs with assistance from the vendors themselves.
These shifts naturally push the resellers to evolve: it is no longer enough to offer a catalog of tools featuring volume discounts. Instead, companies expect resellers to understand the specific problems they are trying to solve and, informed by that understanding, help choose the best components of security infrastructure for their specific environment. This understanding and a consulting-like component of product selection are what constitute the “value-add”. Today, in most cases when we talk about resellers, what we are actually referring to are so-called value-added resellers.
The value-add resellers (VARs) today are acting more like brokers: while they have deals with specific security vendors, they are expected to represent the customer. The goal of a VAR is to help the customer make sense of the security problems it is facing and bring the right vendors that integrate well and work well with one another, as well as help navigate the buying process both from the technical aspect (the value-add) and the deal negotiation aspect. Because resellers have established relationships with security vendors, and also because they bring a high sales volume, they possess much stronger leverage to get the best pricing arrangement than any individual customer would.
Whether or not the customer has been engaging with a consultancy will impact the scope of services a VAR is expected to provide. If there is already a security strategy in place, the reseller would often be working with both the consulting firm and the customer to support them from the product selection standpoint. If, however, the customer came to the reseller directly, the role it would play (and the VAR’s value-add) might be much broader. Sometimes, a customer would come to the VAR saying “I have a network security problem. What should I be looking at and how should I be thinking about the technology to help solve this problem?”. The reseller would be able to say “Let’s refine our understanding of the problem, look at available options, and make the decision together”.
The role of system integrators
Traditionally, in a large firm, there is a need for someone to specialize in network, endpoint, data and cloud security, data and analytics management, orchestration, automation, and DevOps, as well as application security, to name a few. For an average cybersecurity organization, the task of assembling a diverse team of technical security professionals to configure and later work with the technologies needed to secure all facets of the complex environment is not trivial. The initial architecture and integration, in particular, can be incredibly complex.
Whether the company is trying to develop a cloud security program or re-engineer the technology that powers its SOC and have it work together, system integrators are well equipped to take this challenge on. They are the most hands-on and technical out of all the types of channel partners we’ve covered so far. Integrators roll up their sleeves and get the hard work done: systems engineering, technical architecture, fine-tuning, extending, and customizing solutions to implement the security strategy, and designing unique integration patterns to make technology do what it needs to do.
While some integrators come in when the technology has been selected, a good systems integrator is typically a part of the technology selection process. Today, we see a growing number of cases, when the customer would have already acquired technology or established methods through which it wants to acquire it long before engaging with the system integrator.
System integrators assemble teams of engineers looking to get exposure to hard problems across different types of organizations. This provides them with the unique advantage of being able to offer diverse experiences and perspectives on how security is done across different kinds of enterprises, and what works and what doesn’t. While a typical security professional would be able to tap into their experiences from two or three of their past employers, often operating in different industries and business contexts, system integrators, similar to security consultancies, draw on their experiences with tens and even hundreds of similar enterprises. The value of having an unbiased third party take a broader look and share different perspectives with the enterprise security team, which has been laser-focused on how their own company does security, is immense. For cybersecurity professionals, system integrators offer a unique opportunity to get exposure to different kinds of problems, and continuously expand their skill sets across a variety of security domains.
System integrators don’t just connect security tools but integrate different pieces into a pattern that works for this particular customer and its specific set of problems. Every client, every vertical, and every domain has different needs, so while different firms might be using the same technology stack, what constitutes an effective integration pattern between these tools is often different.
Aside from the technical, hands-on work, system integrators also focus on education. Integrators help customers understand how they can secure their organization, learn how to establish an ongoing process of security assessments, and how to ensure that their security frameworks are aligned with the ever-evolving IT infrastructure and operations.
The ideal scenario of engaging a system integrator is to have it configure the technology, train the security team and help it develop new skills required to effectively secure the company environment, and transition the day-to-day responsibility to the in-house SOC or an external service provider while making itself available for hard problems that arise post-deployment (major upgrades of the core systems, scaling, etc.).
Managed security service providers (MSSPs)
Once the system integration is complete, a customer has two choices: to do the ongoing security work in-house or to outsource it to a third-party provider. For those that do not find it feasible to hire a leader of the security operations center (SOC) who would build a team of security analysts and security engineers, managed security service providers (MSSPs) can be a viable alternative.
MSSPs are selling security as the outcome of their work. The MSSP’s role is to understand the business needs, become an expert on the company’s operations and environment, implement protective measures and logic to detect malicious behavior, and continuously monitor the customer’s security posture, working through escalations and addressing new risks as they are identified.
A good MSSP provides the ability for customers to entirely outsource the tasks critical for security. In practice, however, instead of outsourcing all IT, infrastructure management, and security as a whole, most companies today are looking for ways to co-source and/or outsource select parts of IT and security responsibilities that they do not see as feasible or do not have the talent to manage in-house.
I have previously written a comprehensive deep dive into the types and the evolution of managed security service providers, as well as about unique aspects of VC investing in MSSPs.
Managed service providers (MSPs)
While technically, managed service providers (MSPs) are focused on providing services around the management of IT infrastructure and do not offer security, they deserve an honorary mention here as we see a large number of MSPs trying to move into the MSSP space. This happens as a result of two realizations:
the realization that an MSP cannot manage the IT stack for a customer without having security at the core in how it is done, and
the realization that as IT has become commoditized, and a lot of infrastructure has moved to the cloud, for managed security providers to grow or even to simply preserve their margins, they must expand beyond IT
Managed security providers see that cybersecurity is becoming table stakes. Today, if two MSPs are competing for the customer, and one offers cybersecurity as a part of the package, while another treats security as a second-class citizen and outsources it to a third party, the first one will win most of the time. It’s worth noting that MSPs who are not building and maintaining IT in the cloud with security at the core of how they are thinking about it, won’t be viable in the next decade, suffering from cyber breaches and losing customer trust.
Managed service providers interested in expanding their offerings and bundling security are faced with the problem of attracting the right talent. Acquisitions become one of the most viable ways to enter the new market: if an MSP can’t hire the right talent, it can buy a strong boutique cybersecurity firm or even a mid-market MSSP player that already assembled a winning team. This is one of the key reasons why in 2022, the services space was one of the most active when it comes to M&A activity, but we are jumping ahead of ourselves.
How all of this comes together & where it is going: the real picture
While for ease of explanation, I made it look like the process of implementing a cybersecurity practice in an organization is sequential, where a customer develops a strategy with the help of a consultancy, purchases security solutions with assistance from a VAR, hires an integrator to get it all together, and chooses to engage an MSSP for the ongoing monitoring, this could not be further away from the truth.
Each channel player wants to own the full customer journey. And, since not every organization is the right fit for every kind of player in the channel, but everyone needs some help with security, security providers know that they can increase their total addressable market (TAM) by diversifying the kind of services they offer.
While some enterprises develop their security strategy in-house, without involving a consultancy, they might still need help selecting and integrating technical solutions to implement it. Naturally, security consultancies do not want to lose the opportunity to generate revenue, and aside from being readily available to help with strategy, they are now playing the role of a reseller, an integrator, and even a security service provider. All of the Big Four now offer managed security services: Deloitte has its Cyber Intelligence Centres, KPMG offers Cyber Defense and Cyber Response, EY calls it Threat detection and response (TDR), and PwC provides Cyber Managed Services. These are just some examples as most large consulting firms now offer hands-on managed detection and response capabilities. The integrator divisions of large consultancies have many technical and engineering specialists equally comfortable navigating the presentation layer of the new technologies, as well as the command line side, and capable of extending the technology and integrating it in a specific way to solve customer problems.
Value-added resellers, on the other hand, are realizing that for them to remain relevant, they need to lean heavily on the value-added side of the equation. We see more and more customers looking to make their own decisions about what products are most appropriate for their environment. Additionally, more and more vendors are implementing some elements of the product-led approach, making it easier to evaluate and buy their products without having to involve third parties. All of this forces value-added resellers to develop both strategic capabilities, challenging the consulting firms, as well as technical capabilities to play the role traditionally performed by system integrators. This transformation enables savvy VARs to become holistic security consultancies capable of managing the entire strategy, not just solving one or two problems. A trend that I think VARs should see as a wake-up call is the advent of cloud marketplaces - AWS, Azure, and Google. I have written a separate deep dive that touches on this topic; what is relevant for this discussion is that the pressure from marketplaces will continue forcing value-added resellers to accept even smaller margins than they are already dealing with.
Integrators are continuously looking to find ways to earn revenue from selling the technology as well as move up the stack to be more strategic, helping CISOs decide how their organizations should approach security. Many are also trying to establish managed security services (MSSPs) or managed detection and response (MDR) offerings so that they can build a long-term relationship with their customers and substantially increase the customer lifetime value (CLV).
The nature of the managed security services providers is also changing. It used to be that they were able to onboard customers in their own, proprietary platforms, and provide ongoing security services such as monitoring and triaging alerts, adjusting tool configurations, and working through escalations. Today, as I’ve explained before, instead of outsourcing all IT and infrastructure management, and security as a whole, companies are looking for ways to co-source and/or outsource select parts of IT and security responsibilities. Managed security service providers want to be seen as trusted partners and get a seat at the table in strategic conversation, gaining the ability to influence decisions, be a part of product selection, and so on.
Note that the picture below was created for illustrative purposes only as there is much more overlap than shown, with some players such as the Big Four matching multiple (or all) criteria.
The evolution of channel partners and the emergence of “full-stack security providers”
As we have seen, channel partners want to own the full customer journey. Consultancy firms that have previously focused on strategy, have now built deep technical capabilities enabling them to play the role of integrators and service providers. As consulting firms, system integrators, value-add resellers, and MSSPs are all trying to do everything at once, the lines between their areas of expertise continue to blur. A natural conclusion is that the consolidation we have been seeing in the past few years will keep progressing, and a decade from now there will be no such thing as VARs or system integrators - only security service providers capable of helping customers with all of their needs in one place.
As we are moving from promise-based to evidence-based security, there is the growing realization that “compliance” is not at all the same as “security”. Cybersecurity is becoming increasingly more complex and increasingly more technical, making it not realistic that someone with only a theoretical understanding of security can develop a comprehensive cyberdefense strategy. This is one of the reasons why we are seeing the formerly PowerPoint-obsessed consulting firms turning into powerhouses of technical security talent.
While some applications will continue to remain on-prem, more and more software transitions to SaaS. Following this transition, tools and configurations that previously required many months of development will be provisioned and deployed in a relatively short amount of time. The adoption of everything-as-code is making it even easier to transfer configurations from one environment to another. As the integration work that would previously take two to three years to complete can be done within four months, system integrators are starting to be forced to either increase volume or diversify their services. Acquiring more customers in today’s competitive environment is harder than retaining existing ones, hence systems integrators are actively turning into holistic security providers as well.
The VAR model is being threatened the most. The rise of SaaS, direct sales, marketplaces, and product-led growth has shaken the dominance of this once-important player in the market. Now, the effects of data gravity are reshaping the distribution channels entirely, turning the platforms of Google, Microsoft, Amazon, and Snowflake, to name a few, into the main sellers of security solutions. With the ever-decreasing number of stand-alone security vendors for VARs to sell, those that want to remain in the game five to ten years from now need to pivot their business models from selling somebody else’s products to selling security expertise.
To summarize, the more cybersecurity matures as an industry, the more different types of the so-called “channel” are blending into one. I call these “full-stack security providers”.
One of the factors accelerating the emergence of full-stack security providers is that customers do not want to deal with handoffs. If Deloitte developed the security strategy, WWT handled the integration of tools, and Orange Cyberdefense is taking on the managed services part, handoffs between parties become unnecessarily complex. Customers are looking for one-stop solutions, offered by providers that are both strategic and deeply technical, capable of operating with them across the entire security lifecycle. As I have discussed before, “In the future, security service providers that will survive the competitive market, will be seen as trusted advisors and will have to add value on top of tooling they didn’t choose by understanding the business, the risks in the customer’s environment, and establishing systems and processes, including custom threat detections logic, to address unique risks of the organizations they serve.”
A separate topic that I find rather interesting is that resellers, integrators, consultancies, and MSSPs do not typically invest in the companies whose products they resell. In my opinion, there is a missed opportunity here. If a reseller sees that the product is successful, and the VAR itself greatly contributes to that success, I think it would make sense for it to also invest and place bets on the companies with potential in the channel.
The future of security is human
Before all types of players in the channel started merging into one, the cornerstones for success for each were different: consultancies needed a continuous flow of business talent, capable of producing compelling presentations; integrators relied on technical talent; resellers saw access to vendors as their competitive advantage; while for service providers it was also typically the ability to operate the best-of-breed tools. Now that all of them are becoming one and the same, the one ingredient that will define winners in the future of the channel is their ability to attract, develop and retain top cybersecurity talent.
As we go into the future, technology will continue to advance and get much better than it is today; it always has. However, as defenders are trying to win against intelligent, well-motivated, and well-funded adversaries, technology alone cannot solve all security problems. In the past few years, we have seen that the world’s leading tech companies understand this too well. While a decade ago, security products were seen as superior compared to services, we are seeing that organizations today focus on the outcome, and care less about how that outcome was achieved - by relying on product, or people. Some of the largest security providers today are expanding into services, understanding that technology alone won’t keep them competitive. CrowdStrike, for example, sees security services as a core component of its offering. Rapid7 is seeing services become one of the largest revenue generators for the company. Even Google, looking to strengthen its presence in the security market, acquired Mandiant, most certainly seeing access to talent as one of the reasons for this transaction. We see that while automation and advances in AI (take ChatGPT as an example) will get more sophisticated, the attackers will continue to use the same tech to find ways to be disruptive and achieve their goals.
I have previously discussed how in the future, cloud providers will be able to provide basic security protection for people and organizations. While I am seeing strong signs that that indeed will be the case, I am equally convinced that it won’t be enough, similar to how today having an antivirus doesn’t protect one from all threats. We will need smart technical people dedicated to safeguarding their organizations.
Whether it will be Amazon, Google, Microsoft, Palo Alto, CrowdStrike, or someone else dominating the security market of tomorrow, there will be a continuous need for talented security professionals. The cloud still has a long way to go to make all the different services work with one another seamlessly, and while some cloud providers do it better than others, the configuration will still be required for the foreseeable future. When an organization needs to configure, say, a Microsoft security ecosystem and make it work for its business, the work needed to make it happen is non-trivial. There is a lot that goes into correctly deploying the E5 licensing model, using the Sentinel ecosystem, Entra, Microsoft’s identity platform, its data protection solutions, and so on. Microsoft will continue improving the way different pieces work together, thus reducing the barriers to the adoption of its offerings, but there will always be new components that require human intervention. The threat actors will continue to drive the sophistication of cybersecurity and find new ways to penetrate organizations’ environments.
The future of security, and therefore the future of what we think of today as “channel”, is human.
Gratitude
This piece would not have been possible without the help and insights generously shared by Greg Baker, CEO of Balance Theory and a former managing partner at Optiv. As always, all opinions and conclusions are my own.
Great article Ross! Lots of insights to take away for a security product founder like me.
So you know, this article is hitting a lot of senior level executives who manage these types of firms. Well written and in my humble opinion, right on target. Cyber services are currently too fragmented and delivery models of staff augmentation, resident engineers and ticket-based tiered centers are just outdated.