TechSci Research estimates the Australian managed security services (MSS) market will grow at a CAGR of more than 15 percent from 2018-23 as a result of the increased uptake of cloud computing and the popularity of bring-your-own-device (BYOD).
That’s a decent growth rate, enough to pique the interest of managed IT services providers looking to grow their business.
They already have established client relationships and those clients, like all businesses, face constant challenges keeping secure in the face of an ever-evolving threat landscape and a shortage of cyber skills.
Many managed IT services providers (MSPs) already offer some elements of security, such as antivirus, intrusion detection and managed firewall, but there’s a huge gap between these and offering a fully fledged managed security service via a 24x7 security operations centre (SOC) and security information and event management (SIEM) software to provide real-time analysis of threats, generate alerts and advise on remedial action.
Technical competence is one challenge faced by any MSP contemplating becoming an MSSP.
According to James Turner, managing director of CISO Lens, and until recently an IT security analyst with IBRS, being an MSSP requires a completely different relationship with the customer.
“MSSP is not technical service delivery, it is business risk management and most people working in IT outsourcing probably have not thought that one fully through,” he told CRN.
“Then you have the agreement between the organisation and the MSSP: who is going to be accountable; how responsive do you want them to be. There is a lot of sophistication in that conversation that many organisations are not ready for, and certainly a lot of IT service providers are not ready for.”
Claire Pales, security and risk advisor with IBRS, said organisations might be reluctant to give their IT service provider responsibility for security.
“Using a single vendor might make some sense from a management perspective, but there is no independence between those operating the infrastructure and those monitoring in relation to threats,” she said.
However, Phil Kernick, CTO of security consultancy CQR, suggests that having security and IT services from different vendors can also bring problems.
“If you have a managed security service provider and a managed IT services provider they will point the finger at one another. Having one throat to choke is a better approach.”
Nevertheless, he’s scathing of any suggestion that a managed IT service provider getting into security is a good move.
“I think it is a terrible idea,” he said. “They don’t have the skills. They should be partners with MSSPs so they are not eating each other’s lunch. And that stops the finger pointing, even if one is the prime contractor.”
Nick Savvides, Asia-Pacific chief technology officer with Symantec, also counsels against IT services providers moving into security, and says gathering the requisite skills would be a huge challenge for a newcomer.
“Security analysts are hard to find. And when we do recruit a new analyst, it is six months of intensive on-the-job training before we will put them in front of a customer,” he said.
He advocates IT service providers partnering with specialists like Symantec and said Symantec had built APIs to enable effective partnering.
“Our APIs enable our customers to do what we call SOC augmentation. We act as an extension of a customer’s SOC, whether it is their own or an IT service provider’s.”
While evolving into a fully fledged managed security service provider might represent a massive challenge and a massive risk, there appears to be plenty of scope for offering specific security solutions, such as firewall, antivirus, VPN and intrusion detection.
Fortinet provides a wide range of such products and, according to Jon McGettigan, ANZ regional director, about half of Fortinet’s revenue in Australia comes from managed service providers. He suggests IT providers can lower the risk of getting into security by progressively expanding their security offerings.
“People don’t go from providing IT services to running a SOC. It is generally a progression where they start securing a service and then moving into adding another layer,” he said. “There is always a progression.”
And there appears to be plenty of demand for those basic security tools. Mark Gluckman, director of Cylance partner Regal IT, said there was plenty of demand in the SMB space.
“We have converted all our managed services customers across to Cylance on an opex model and that has worked really well,” he said.
“None of our customers require a full SOC. We offer a couple of point solutions around Cylance, Fortinet and Barracuda. … There are certain high-risk customers but many low-risk customers that just need technology that works as advertised.”
He said the company had no intention of developing full MSSP capabilities. “It is a very unique and specialised part of the market where customers are looking for a CSO-type service and board-level advice.”
One organisation that has made the transition to a fully-fledged MSSP is The Missing Link. Founded in 1997, it opened a separate security business in 2013 and in April 2018 opened a SOC in North Sydney, also announcing plans for one in Melbourne. The Missing Link Security won the 2016 CRN Fast 50.
CISO Aaron Bailey said the journey was not an easy one.
“There are many different services based on many different platforms and some carry relatively low risk for service providers … For anyone trying to move into managed security services today the basic building blocks of firewall and antivirus is a good first step but [becoming an MSSP] is a journey of a thousand miles. There are many more things that need specialist skills,” he said.