Markets and Trends

Should Managed Service Providers (MSPs) Become the Next Managed Security Service Provider (MSSP)?

Is moving to a Managed Security Services Provider model the right way to expand your Managed Services Provider portfolio? Explore the options with IDC's Martha Vazquez.
Pinterest LinkedIn Tumblr

Growth of Managed Security Services

The security services market, specifically Managed Security Services (MSS), has been one of the fastest-growing areas, experiencing double-digit growth rates over 5 years, and for 2020 was estimated to reach $28B in 2020.  As a result, of the pandemic in 2020, security is forefront and center for many organizations. In fact, according to IDC’s Security ServicesView 2020: Worldwide Survey, 60% of respondents agreed that the accelerated public cloud adoption or migration across their organizations due to COVID-19 drove them to invest in managed security services. No doubt, this market is here to stay but has changed throughout the years. If you refer to some of my past blog posts, you can read up on the evolution of the MSS market.

More frequently, we are being asked where we see MSPs that tailor to the Small to Medium size business segments within the MSS market. To be clear, MSPs will support and manage an organization’s IT needs, the users, and processes to managing complex environments of services and technologies. MSPs will managing a broader set of IT services and do not necessarily focus on security needs such as a MSSP.

With the pandemic, there has been a rise in the number of remote workers, which has really driven the need for Managed Service Providers to expand their portfolio. In addition, with profit margins declining from commoditized offerings, the need to provide higher-margin and value services is a consideration for these MSPs.

From IDC’s Service Provider Pulse: 2Q20, 16% of a service providers’ total revenue comes from managed services, and from that, managed security services generate the highest percentage of revenue at 10%. Also, managed networks, app optimization, performance monitoring/management is increasing year over year. It’s becoming more transparent for MSPs, and more so those focused on the SMB, that developing broader areas such as security can assist their clients with their business.

But how do you do this? Is it beneficial for MSPs to become the next Managed Security Service Provider? It really depends on what end goal you have in mind and how much you are willing to invest. There are several things to consider if moving to a full MSSP model which may not always make sense for your business. 

Before you make that move to a MSSP model, consider the following:

Think Strategically

Consider what you already have in place and what the gaps are. Look at what you have today and consider what you will need today and in the next 18- 36 months. With the changing workforce, securing the perimeter within the walls of the business is no longer feasible. Therefore, the market is ripe for MSS.

Still, you must consider the liability issues as an MSSP, continue to evolve and provide security as a service offering, and area like new technologies that fit into the Zero Trust framework. From a cloud standpoint, you will also need to think about how you will support remote workers accessing data from different endpoints and cloud environments, and which of the cloud hyperscalers you will initially build a talent pool around to support your clients.

What Investments are Required?

If you are debating to offer your own MSS, investments can be steep. MSPs will have to consider building their own pool of talent and a Security operations center (SOC) that can provide 24X7 capabilities or 8X5 if regional. Then you will need to consider the technology you will want to offer, and build out a team that knows how to sell, manage, and support the services.

With so many security offerings available, the basics start with 24X7 management/ monitoring of email security, network security such as firewalls, intrusion prevention systems (IPS), patching, and endpoint protection platforms but consider that these are also regarded as commoditized services that may not bring in as much revenue. Therefore, think about the value and move to offer deeper detection and response capabilities. Finding the right services to deliver can be complex.

Consider Partnering

Finding a partner instead of doing your own build-out may make more sense for some MSPs. This may be the best economical means for the MSP. Although investments are obviously required, finding an existing MSSP or security vendor that already has the infrastructure and resources in place will make things less complex. Security providers will take the responsibility away from the MSP and take on the liability. There are many factors involved in building out your own MSSP model that goes beyond just considering the right security services and tools.

If you are considering to partner, you will need to consider how the partnership can help you differentiate yourself from the other competitors. Think about it from an operational standpoint and scalability. Is automation and API integration in place to assist you with the operations and provide easy integration into your existing workflow.

Support and training should also be considered. Review the support, training, and marketing initiatives that the partner will be assisting with. Coopetition is something that also needs to be looked at. How will the partner work with you in certain conflicting deals and who will own the customer?

A partnership is also as good as the trust you have with each other.  Building a solid relationship with a partner that has your best interest in mind is key for any successful business deal.

Use IDC’s latest Service Provider Pulse to more effectively target your markets, gain guidance for developing new solutions based on ongoing intelligence, and improve your sales strategies and messaging as business and product trends evolve. See more:

Martha Vazquez

Senior Research Analyst, Infrastructure Services