Managed security service providers: present state, trends, and future outlook of the space
A closer look at the changing landscape of the cybersecurity services
Welcome to Venture in Security! Before we begin, do me a favor and make sure you hit the “Subscribe” button. Subscriptions let me know that you care and keep me motivated to write more. Thanks folks!
Security services enable businesses to outsource their cybersecurity needs to a dedicated, specialized third-party provider. I have previously touched on the evolution of security service providers in my article about the future of cyber defense and the move from promise-based to evidence-based security. As a holistic understanding of this topic requires a bit more context, in this piece I will try to go deeper and provide that context.
A broad variety of security services
When we hear “security service provider”, we tend to have an image of what that looks like, and that image tends to differ from one person to another. The term is ambiguous as there is a broad variety of vendors who offer security as a service. The easiest way to look at this problem is to think of security services as a spectrum.
On one side of the spectrum, we have companies that see “managed security” as selling an endpoint detection and response product (EDR), antivirus, and a firewall, to name a few, and adding some basic support on top, such as managing the firewall. These kinds of companies are what I would call resellers: they tend to have reseller relationships with select vendors whose products they recommend to customers as “solutions”. Reseller-focused service providers are not looking for threats in their customers’ environments, and even if they found one, they would often not know what to do. They hope that when something malicious happens, the product they sold “will take care of it”.
On the other side of the spectrum, we have companies that focus exclusively on security. These firms do not offer IT services and are not trying to be the “one-stop shop” for their customers. They might not be configuring the firewall, but they will be the ones constantly looking for threats in their customers’ environments, writing custom threat detection logic, and more. Service providers that fall in this bucket tend to employ security engineers, threat detection engineers, and other security professionals who are closer “to the metal”, in addition to the more commonly seen security analysts. They are also commonly technology-agnostic: they can add value and do their work on top of what the company already has in its environment, without necessarily having to rebuild the whole security stack.
There is not a clear line between service providers who fall under these two buckets, with many companies falling somewhere in the middle.
In terms of areas of specialization, the vast majority of security service providers are either managed security service providers (MSSPs), security operations centers (SOCs), and managed detection and response firms (MDRs) focusing on defense, or red teams focused on penetration testing. Relatively few are “purple teams” - companies that do threat research, detection engineering, defense, and incident response along with penetration testing.
A growing market of security service providers
A growing number of security professionals with experience and ambitions to start their own business
While we are hearing about the cybersecurity talent shortage almost daily, what is less talked about is that the workforce in cybersecurity has grown dramatically, and continues to grow. Not too long ago security was a part of IT; today, there are educational programs, bootcamps, dozens of high-quality capture the flag (CTF) competitions, and hundreds of great events around the world fully dedicated to cybersecurity. Most importantly, security is now represented at the board level, with Chief Information Security Officers (CISOs) or leaders with equivalent responsibilities gaining a strong voice and a seat at the table.
Along with the growing “professionalization” of security, we see a growing number of people who have accumulated experience building security tooling across a wide variety of organizations and are now looking for ways to leverage that experience in their entrepreneurial journeys.
Lowering barriers to entry for new providers
In the past, when security professionals wanted to start a cybersecurity firm, they had two choices:
Approach security vendors, attend their mandatory demos, meet minimum spend requirements, and negotiate multi-year contracts before even getting their first customer or validating that there is a market. It was essentially a catch-22: one cannot get a customer on board without access to tooling, and cannot access security tooling without bringing a minimum number of customers.
Alternatively, they could use open source tools and build their own security stack assembling what is freely available on the Internet. While it sounds appealing, it presented aspiring entrepreneurs with several challenges: not everyone had the necessary skills, building infrastructure from the ground up required a lot of effort and had long-term maintenance costs, and lastly - not every potential customer could be convinced that open source tooling is “good enough” and secure for their environment.
Recon Infosec is a great example of a company that, having started in 2015, embraced open-source tools as there were no off-the-shelf solutions for a young managed detection and response (MDR) provider. Initially constrained by resources, they decided to use their knowledge and open source to maintain parity with commercial products. That exposed them to the hidden costs, namely the need to hire phenomenal security engineers to maintain this stack; that tradeoff can be credited as one of the key factors in their success and continuing growth.
In the past five years, with the proliferation of the product-led growth approach in cybersecurity, the gates have started to shatter. More and more vendors are making their products available without mandatory minimums and shifting to pay-per-use pricing models that are accessible to smaller customers. This shift in how security capabilities are delivered dismantles the previously immovable artificial barriers to entry, allowing anyone with the right motivation to start their own security services provider on the side, or even to go all-in with little risk and upfront capital investment.
Large, established IT providers entering the security space
Traditionally, managed services providers (MSP) would focus on managing an organization’s IT needs, from users to processes and complex environments consisting of different technologies. MSPs, unlike managed security service providers (MSSPs), would generally not focus on security needs.
That has been changing in the past five years. The need for cybersecurity has increased, especially driven by the pandemic and remote work, and many of the established, decade-old MSPs are trying to capitalize on this shift and solidify themselves as security providers - a trend that is going to continue in the coming years. A big driver for MSPs to enter the MSSP market is the continuing decline of profit margins from now-commoditized traditional IT service offerings - something they are forced to diversify away from.
Growing demand for security services
With the ever-growing number of security incidents, more and more companies are starting to realize that to protect the organization, it is not enough to check the required compliance boxes. While some choose to make long-term strategic investments and hire dedicated security teams, many realize that they are either not in a position to do so (lack of buy-in, budgetary constraints, challenges accessing the right talent, etc.), or simply that they do not need to build their own security practice. For smaller organizations, hiring a security team is often not an option given the cost and the administrative overhead of maintaining it.
These factors have resulted in growing demand for security services, which is also reflected in numbers. The global managed security services market size was valued at $22.45 billion in 2020, and is projected to reach $77.01 billion by 2030, a compound annual growth rate of 12.8%.
Common stories about the company’s cyber maturity & the role of service providers
There are many great frameworks to assess organizational maturity when it comes to security. If we were to take it down to the basics, many stories would look something like the following.
An organization is unaware of the importance of cybersecurity. At this stage, it’s common to hear something like “We haven’t had any issues so everything is fine”. Driven by this mindset, no security measures are implemented.
An organization understands the need for security and sees its security posture as problematic but has to deal with constraints that prevent it from taking actions. A common constraint cited by businesses in this category is funding (think early-stage startup with no sufficient investment). At this point, many companies find it sufficient to get cyber breach insurance and implement basic cyber hygiene like MFA and password managers.
An organization recognizes that cyber insurance is not enough as it does not restore lost revenues, leaked intellectual property, or damaged reputation, and feels under more pressure to find a solution. While some that reach this stage choose to involve security service providers or hire a dedicated security team right away, many start by buying security tooling. Those that take the shortcut and choose products without any human expertise to maximize the use of these products often realize, after a year or two, that buying tools wasn’t the right solution. They are told that they need a holistic security strategy, security engineers, security architects, and an experienced leader in charge of security. All of this requires considerable investment to do it well. Some companies abandon their security efforts altogether, others engage security service providers, and a small number invest in building their security team internally.
An organization that has been down that route: it bought expensive tooling and tried building an in-house team, but realized that it can’t hire the right security people. There could be a variety of reasons - funding, the ability to attract great security talent, or the attempt to hire a team to work from the office, to name a few. After a lot of wasted effort, such companies may choose to outsource their security to an external service provider.
An organization that has the budget, understands the importance of security, has executive buy-in, and the ability to execute. A good example is Fortune 500 companies that, driven by the strong need to protect their leadership position in the market, invest in people, processes, and technologies to strengthen their security.
For organizations that can’t justify hiring a dedicated security team, security service providers such as MSSP and MDR are often a natural choice as they offer the necessary level of protection without excess cost. For those that can afford to build security expertise internally, security services can still be a good choice. As security is getting more complex with growing cloud exposure and an ever-increasing number of SaaS applications sprawling in organizations’ environments, the solutions are becoming more advanced, and require higher levels of technical expertise - something that many companies might find easier to gain through outsourcing than through hiring.
When discussing cybersecurity maturity, it is important to keep in mind the regional differences. While the US and Israel have been leading the innovation in cybersecurity, companies outside of North America appear to be lagging when it comes to the adoption of new cybersecurity technologies such as endpoint and extended detection and response (EDR/XDR) as well as security information and event management (SIEM) capabilities. This is primarily due to cost constraints as commercial cybersecurity tooling can be prohibitively expensive.
Trends defining the future of managed security services
Increased competition, industry consolidation, and growing M&A activity
We are seeing active industry consolidation in several directions. Smaller MSSPs get acquired by larger MSSPs looking to solidify their position as market leaders, expand into new geographies, and access new talent. On the other hand, as mentioned earlier, we are seeing managed IT service providers (MSPs) actively buying managed security service providers. This is not at all surprising as the security services market is projected to have a compound annual growth rate of 14-16% (compared to the estimated 10% for the MSP market).
MSSP Alert has been tracking a list of “MSSP mergers, acquisitions, buyouts & investments involving managed security services providers (MSSPs), Managed Detection & Response (MDR) & more”. As of the time of writing of this article, there have been around 50 transactions recorded for the year 2022.
The new guys on the block contributing to the industry consolidation are cyber insurance providers. In 2022, Acrisure, a provider of cyber insurance and managed detection and response, acquired the Catalyst Technology Group and ITS Inc.
We are likely to start seeing security service providers acquire security product vendors to improve unit economics by reducing spend on external tooling and to enter the product vendor market known for higher valuations and exit multiples.
As the number of security service offerings grows, the competition is going to get steeper. Traditional services such as email security, firewalls, network security, patching, and endpoint detection and response have become commoditized and are going to start bringing less and less revenue. Service providers will be forced to look for new ways to deliver and prove value, and move to offer deeper protection, detection, and response capabilities. That, in turn, will require investments in talent and technology.
The realization that security tools alone can’t keep companies safe
Security used to be thought of as a “tool problem” with people asking “what product do I need to buy to be safe?”. That has started to change with the slow but steady move from promise-based to evidence-based security. Now, more and more security teams are looking at fundamentals, asking themselves a broad range of questions:
How can I get full visibility into what is happening in my environment?
How can I detect potentially malicious behavior?
How can I quickly and efficiently respond to threats in my organization?
What threats are unique to my organization?
This understanding that despite vendor claims so common in the industry, “installing a tool” is not enough to effectively secure the organization is going to solidify in the coming years, driving the demand for security services.
I would anticipate that eventually, vendors claiming to stop all breaches, zero days, and advanced persistent threats will go through public lawsuits. There is an upper limit to how much marketing the industry can handle.
For security service providers, reputation is key, so those who sell security but don’t add value beyond vendor selection are likely to see their customers look for alternatives.
Changing customer expectations
As the industry is evolving, so do customer expectations. While in the past, selecting security vendors and monitoring logs was sufficient, now it is no longer enough; security service providers are expected to bring much more to the table, including:
Their own proprietary security infrastructure designed to provide holistic monitoring, protection, detection, response, and remediation capabilities, or a set of well-known commercial security tooling
Continuous active monitoring of the customer’s environment, alerts triage, incident response capabilities, and 24/7 support
Services beyond basic recommendations and advisories, including threat intelligence, threat hunting, creating custom detection content, and breach & attack simulations
Since every organization’s environment is unique, security service providers need to become experts in the company’s business, operations, processes, and tech stack. It is no longer possible to take a one-size-fits-all approach and recommend the same solutions to all customers. The best providers will need to be technology-agnostic, allowing their customers to leverage the tooling they already have, and adding value on top of that tooling.
Impact of cyber insurance requirements
In our daily lives, the impact of insurance on rules and regulations is strong yet mostly invisible. When you are signing agreements and buying tickets, you are agreeing to the release of liability. When you are asked to keep the shoes on in the gym - you are complying with the insurance requirements. Without insurance, you cannot get a mortgage, drive a car, or rent an apartment.
The impact of insurance on cybersecurity is tremendous yet also hard to notice unless you know what you are looking for. Starting March 2023, Lloyd’s of London will require all its insurer groups to exclude liability for losses arising from state-backed or state-sponsored cyberattacks. This makes sense from the underwriting standpoint as insurance does not cover any acts of war. Attack attribution in cybersecurity is a contentious topic, and businesses do not generally care whether an attack was sponsored by a state or by financially-motivated groups; they need to ensure a quick recovery. As organizations can no longer rely on losses being covered by insurance policies, they need to take control of the situation and be prepared, which, in turn, requires investment in cybersecurity.
Cyber insurance today is not mandatory, but that may change in the near future as the number of cyber attacks and loss amounts continue to grow. The enforcement is likely to happen organically, through market self-enforcement with companies looking to transfer risk and require their vendors to be insured. This is no different than, say, concert venues requiring liability insurance from anyone looking to rent a place for an event.
There is also a larger question about the future of cyber insurance that I have briefly touched on before. Cyber insurers are motivated to reduce loss ratios, especially skyrocketing losses from ransomware, and they are quickly learning what protective measures work and what don’t. Today, insurers are starting to require companies to have endpoint detection and response (EDR) and antivirus capabilities, while the absence of a password manager and MFA can make a business uninsurable. In the coming years, when it becomes more apparent that just “having a tool” does not guarantee security, we are likely to see cyber insurance firms working closely with security service providers to reduce risk.
Importance of detection engineering
In the coming years, I anticipate the rising importance of detection engineering for managed security service providers focused on defensive capabilities. Historically, companies have relied on detection capabilities offered by security vendors. While that trend is likely to stay, more and more security leaders are realizing that the business model of these vendors dictates that they only build detection content for generic solutions applicable to 99% of their customers. As every company’s crown jewels are different, and many complement their use of the mainstream SaaS applications with custom-built tooling, there is a strong need to layer custom-built detections on top of the generic solution provided by vendors (or open source rulesets such as Sigma).
We have seen this before: when it became apparent that traditional, signature-based antivirus (AV) products are not enough and endpoint detection and response (EDR) capabilities started to emerge, EDR did not replace AV but became a layer on top of it. Similarly, we can expect the EDR and XDR (extended detection and response) capabilities provided by security vendors to become a basic layer on top of which security service providers build custom detection and response logic tailored to customers’ environments. This is where MSSPs and MDRs can shine: filling in the gaps, and identifying cases where a specific behavior, while generally normal, is a cause for concern when observed inside the particular organization.
Today, most customers don’t look for tailored detection content and instead focus on penetration testing and security product selection/configuration. As the industry matures, that is inevitably going to change, and detection engineering is very likely to become an important component of security services.
Advanced detection content services by FalconForce. Source: FalconForce
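To make the layering concrete, here is an added example (my own illustration, not code from the article, from FalconForce, Recon Infosec, or any vendor mentioned here): a generic ruleset of the kind a vendor or an open ruleset ships to every customer, plus an organization-specific layer that turns knowledge of one customer's environment (its approved RDP jump hosts, its finance hosts, and their business hours; all constructed values) into detections the generic layer cannot express. The sample telemetry is constructed as well.

```python
"""Layered detections: generic (vendor/open-ruleset style) + custom (org-specific).
Added example, not from the article or any provider it names; all hostnames,
rule names and events are constructed for illustration."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Event = Dict[str, str]


@dataclass
class Rule:
    name: str
    layer: str                      # "generic" or "custom"
    predicate: Callable[[Event], bool]


# Generic layer: behaviour that is suspicious almost anywhere, so a vendor can
# ship it to every customer unchanged.
GENERIC_RULES = [
    Rule("encoded_powershell", "generic",
         lambda e: e["process"] == "powershell.exe" and "-enc" in e["cmdline"].lower()),
    Rule("lsass_access", "generic",
         lambda e: e.get("target_process") == "lsass.exe"),
]

# Organization context: what a vendor cannot know and a provider must learn per
# customer. Constructed values.
ORG_CONTEXT = {
    "approved_rdp_sources": {"jump-01", "jump-02"},
    "finance_hosts": {"fin-01", "fin-02"},
    "finance_business_hours": (7, 19),   # local hour: inclusive start, exclusive end
}


def build_custom_rules(ctx) -> List[Rule]:
    """Custom layer: normal activity that is wrong *in this organization*."""
    def rdp_from_unapproved_host(e):     # RDP (logon type 10) is normal, but only from jump hosts
        return (e["event"] == "logon" and e["logon_type"] == "10"
                and e["src_host"] not in ctx["approved_rdp_sources"])

    def finance_share_after_hours(e):    # finance share access is normal, but not at night
        hour = int(e["time"].split("T")[1][:2])
        start, end = ctx["finance_business_hours"]
        return (e["event"] == "file_share_access"
                and e["host"] in ctx["finance_hosts"] and not (start <= hour < end))

    return [Rule("rdp_from_unapproved_host", "custom", rdp_from_unapproved_host),
            Rule("finance_share_after_hours", "custom", finance_share_after_hours)]


def evaluate(events: List[Event], rules: List[Rule]) -> List[Tuple[str, str, str]]:
    """Return (rule_name, layer, event_id) for every rule that fires on an event."""
    hits = []
    for e in events:
        for r in rules:
            try:
                fired = r.predicate(e)
            except KeyError:             # rule does not apply to this event shape
                fired = False
            if fired:
                hits.append((r.name, r.layer, e["id"]))
    return hits


# Constructed sample telemetry: one clearly bad event, plus activity that is
# benign in general but anomalous for this organization.
SAMPLE_EVENTS = [
    {"id": "1", "event": "process", "process": "powershell.exe", "host": "ws-07",
     "cmdline": "powershell -enc SQBFAFgA", "time": "2023-03-01T10:15:00"},
    {"id": "2", "event": "logon", "logon_type": "10", "src_host": "jump-01",
     "host": "srv-db-01", "time": "2023-03-01T11:02:00"},
    {"id": "3", "event": "logon", "logon_type": "10", "src_host": "ws-07",
     "host": "srv-db-01", "time": "2023-03-01T11:05:00"},
    {"id": "4", "event": "file_share_access", "host": "fin-01", "user": "mlee",
     "time": "2023-03-01T03:40:00"},
    {"id": "5", "event": "file_share_access", "host": "fin-01", "user": "mlee",
     "time": "2023-03-01T09:40:00"},
]


def generic_only(events=SAMPLE_EVENTS):
    return evaluate(events, GENERIC_RULES)


def run_layered(events=SAMPLE_EVENTS, ctx=ORG_CONTEXT):
    return evaluate(events, GENERIC_RULES + build_custom_rules(ctx))
```

Running `generic_only()` flags only the encoded PowerShell event, while `run_layered()` additionally surfaces the RDP session from a non-jump host and the night-time access to the finance share, which no customer-agnostic rule could flag without knowing this organization.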
How new & smaller security service providers can win
Because security services are in the business of serving their customers - the quality of service is paramount. Many parameters fall under this definition, including the speed of response, the quality of the relationship, and the clarity around the value proposition.
As service providers grow, they acquire more and more customers, and their resources get stretched too thin making it hard to maintain the same quality of service. To put it simply, as companies get too big too quickly, they start to drop the ball. This is where new and smaller security service providers come in.
Smaller-scale security service providers have an advantage - the ability to be nimble and agile and to build genuine relationships with their customers. Some of the tactical ways to capitalize on these advantages include:
Being quick to react and respond to the customers’ questions, asks, and complaints.
Always looking for additional ways to add value, beyond upselling customers on new products and services. Packaging more value in what the company is already paying for will always be met with gratitude and respect.
Making it easy to see what they do and how they add value. Regularly (once a month or once every quarter), holding a call with their customers to recap the past period: what happened, what some of the common trends are, and what else the company can be doing to harden its defenses. Most importantly, this is the place to ask questions and listen in order to identify ways to improve services and strengthen the relationship with the customer.
Building a reputation for being a great team and adding great value, and not being afraid to ask for referrals and introductions - if a customer is happy with your work, they will often want you to stay in business and grow.
While there are times when being a small business can be seen as a disadvantage, the opposite is often true as well. Companies that can recognize this and take the right steps can set themselves up for continuing growth.
This article would not have been possible without the bits of insights picked up from great conversations with Tom Schuurmans, a co-founder and managing director of FalconForce, Eric Capuano, a co-founder and CTO at Recon Infosec, and Yochai Greenberg, a founder and CTO at Nano Cyber Solutions. As always, opinions and conclusions are my own.