If Only SMBs Can Use A Managed Service…
Demystifying Cybersecurity Services for Small and Medium Businesses.
Hello
This week, I am continuing the SMB series by examining the services that these companies can consume, such as Managed Security Services Providers (MSSP). I also look at the MSSP market, highlighting some key statistics.
Drawing comparisons to mature industries such as the legal and automotive industries, I argue that SMBs should have access to managed security services that are easy to consume and do not require them to be cybersecurity experts. This week's edition also highlights the limited impact of current MSSP services on improving the overall cybersecurity posture of SMBs.
Before we dive in, please help me. I spend hours writing Cyber Builders weekly and would love to get more readers and feedback. You can make it happen: forward this email to two friends or share it on LinkedIn. Thanks!
How Mature Industries Serve SMBs
Cyber Builders should not be obsessed with their industry and its specificity. They must take a step back and look around them at how other domains are building and providing services. They must be modest: cybersecurity requires knowledge, but so does being a doctor or designing a car or a plane.
For instance, mature industries, such as the legal and automotive industries, provide specialized services to their clients. The cybersecurity industry can learn from these examples to make cybersecurity services more accessible and easier for small and medium-sized businesses.
Let's look at these sectors where expertise is required and technology and know-how evolve rapidly.
When I need to draw up a contract and it is relatively simple, I have an average level of knowledge that allows me to write the essential conditions on two pages and then implement them. But back then, I had a daunting Intellectual Property contract to be signed with a large enterprise. As an SMB owner, I was fuzzy on the details of IP laws across Europe and the US, so I asked for help from an expert – my lawyer. Just as he took care of the intricate procedures of IP rights, our cybersecurity needs similar expert handling too.
When settling intellectual property, digital rights, corporate structure, taxation, fundraising, and M&A issues, I turn to specialized lawyers who are experts in their field and on their subjects. In legal departments, people are used to working with these advisers; they rely on their expertise. In SMBs, CEOs and business owners also leverage lawyers’ services.
Back in the day, businesses had in-house mechanics on speed dial to fix their vehicles, whether cars or motorcycles, wearing oil-stained overalls and wielding a wrench. These mechanics had a magical knack for fixing even the most complicated issues, from a faulty carburetor to a wacky transmission.
Today, outsourcing car repairs to specialized service centers is the norm, making the thought of in-house specialists quite laughable. Similarly, in the early days of digital business, companies fortified themselves with an IT team, much like the in-house mechanics of the past. However, as cybersecurity evolves, outsourcing to specialized service centers will become the norm, rendering the need for an in-house IT team outdated and unnecessary.
Going to the garage to get your car fixed is an easy and accessible service that everyone can consume. You don't need to be an expert in mechanics to get your vehicle repaired; you need to find a trusted mechanic with the skills and tools necessary to fix your car. In the same way, small and medium-sized businesses should have access to managed security services that are easy to consume and don't require them to be cybersecurity experts. Just as you don't need a Ph.D. in mechanics to get your car fixed, you shouldn't need to be a cybersecurity expert to protect your business from cyber threats.
The Importance of Managed Security Services
The goal of the cybersecurity industry should be to make cybersecurity services more accessible and easier for small and medium-sized businesses. By doing so, these businesses can focus on running their operations and leave cybersecurity to the experts.
Today, MSSPs can deliver some of these services. An MSSP, or Managed Security Service Provider, is a third-party company that provides managed security services to organizations. These services include network and endpoint monitoring, threat detection and response, vulnerability management, and compliance management. MSSPs typically offer these services on a subscription basis, allowing organizations to outsource their security needs to a team of experts rather than trying to maintain an in-house security team.
The global Managed Security Services Market size in terms of revenue was worth approximately $27.7 billion in 2022 and is poised to generate revenue of around $49.6 billion by the end of 2027, projecting a CAGR of 12.3%.
Managed security service market size - From Markets and Markets
You can find a comprehensive list of this market here (Cybersecurity Ventures) or there (MSSP Watch).
In the table below, I use the ranking established by MSSP Watch, a website dedicated to MSSPs.
I encourage you to scan through the list.
You will see that no MSSP advertises specific services for small or medium companies. The market motto « Managed Service is good for SMB » is not a reality. It is still to come. The MSSP presentation is focused on a list of vertical services:
Security Event Monitoring
XDR (including EDR, EPP, XDR, and even MDR)
Firewall Management
Etc.
These services often contain technical jargon, buzzwords, and new technologies. It feels more like a way to extend existing mature security teams that have difficulty hiring experts than to help smaller organizations with no security teams looking for a service to level up their security posture.
See below for another extract of the MSSP Watch services.
MSSPs - a fragmented market
Let’s zoom in on the MSSP market. Managed Security Service Providers are a growing market. It is also an extremely fragmented market, with hundreds of specialized local players, each serving a given area and taking advantage of a regional network.
The average revenue is around 20 million US$, which is relatively modest. Some prominent players are making hundreds of millions, but most are either small companies or outsourcing IT businesses doing a small fraction of their revenue in cyber.
Moreover, from a small business owner's point of view, the market is hard to read. To stay with the garage analogy, while there are garage chains that the average consumer can use anywhere in the country, there is no such brand label for security services.
MSSPs' focus - breaking even.
It is essential to consider that profit is the primary expectation of MSSP leaders, which can sometimes be viewed as contradictory to delivering high-value security services. Small and medium-sized businesses do not have the means to pay for a complex service requiring cyber experts to analyze detection probe logs for IDS or EDR endpoint analysis. Detection tools are technical and regularly generate false positives or false alarms, often because legitimate software behaves in ways (such as updating itself) that closely resemble malware behavior.
While MSSPs have analysts trained to differentiate these alerts, it is still time-consuming, and there is always the possibility of a sophisticated attacker mimicking legitimate software while still posing a genuine threat. So security experts always advocate inspecting the logs carefully, which makes it hard to grow the MSSP bottom line.
Moreover, MSSPs also have the constraint of inheriting the customer's existing security stack, forcing them to navigate across many tools. MDR (Managed Detection and Response) companies do not have this issue, as they install their own security software stack, master it, and build services on top of it. Those doing Detection Engineering, assembling building blocks, are also trying to integrate and automate more, improving their productivity, overall security service level, and eventually company economics.
MSSPs have a problematic role in balancing profitability and delivering effective security services, particularly in the SMB market, where customers may not be willing to pay a premium.
MSSPs’ impact is too limited.
While MSSPs play a part, they barely scratch the surface of fortifying the security measures for small and medium-sized businesses. Most of their services revolve around monitoring systems, focusing on IDR, IDS, and XDR solutions. Simply put, it's equivalent to stationing security guards in front of a grocery store for its protection. It may deter thieves, sure, but it wouldn't prevent a motivated robber from making that attempt. A proficient professional, however, would promptly catch sight of any suspicious activity.
But is detection all that an SMB needs? Absolutely not! As I've highlighted in prior posts, these establishments have minimal resources and sparse time to dedicate to their security. Drawing upon industry lingo, their security posture barely makes the mark. Their workstations may be outdated; remote connections aren't fortified with robust multi-factor authentication or modern remote access software.
Moreover, it is common for employees to lack the necessary training to spot phishing attempts. Boiling it down, managed services focusing exclusively on detection and threat intelligence do offer substantial value. But their influence can only stretch so far when it comes to strengthening the overall security posture of SMBs.
Required skills need to decrease, even for security service professionals.
Our field of cyber mechanics needs to work harder to improve the current situation. We must focus on finding simple and effective ways to improve cybersecurity for small and medium-sized businesses. The challenge is to create affordable solutions that work well.
The solution? Creating products that anyone can use, with easy-to-understand interfaces that provide automatic analysis.
Let’s go back to my garage analogy. Who in a garage will repair your car?
An operator or mechanic is a professional with practical expertise in using multiple tools, although they may not hold a Ph.D. in mechanics. They typically do not design engines nor work with Formula 1 teams. Instead, they provide honest and valuable services by repairing and maintaining cars for individuals and companies. These professionals take pride in their noble work.
As with garages, I argue that the average level of expertise needs to decrease within security service centers (either MSSPs or internal SOCs). We need to invent new practices that will scale:
Increase the security posture of businesses, especially SMBs
Decrease costs
Decrease the skills required to deliver the services.
This might look unworkable to many security practitioners reading this. It is still the only way to scale security for SMBs. I think we have not yet invented these services, nor the products that go with them. The cybersecurity industry is still an industry of experts, combating a fast-changing threat landscape with sophisticated tools like EDR, IDS, or XDR. We need to invent more specific products and services. We need to help SMBs prepare to suffer the next attack and remediate it.
Conclusion
Just as you wouldn't expect every car owner to be an expert mechanic, we can't expect every SMB to be a cybersecurity specialist. But suppose we can make cybersecurity services as accessible and easy-to-use as visiting a trusted mechanic. In that case, we'd be on our way to creating a cyber-safe space for big and small businesses.
As we navigate this fast-changing landscape of cyber threats together, let's continue demystifying cybersecurity. It's time to shift gears and drive towards solutions that improve security while lowering costs and the need for specialized expertise.
I hope you enjoy my perspective on Cybersecurity and SMBs. Stay tuned for the next post of the series. Don’t hesitate to forward this email to your friends. :)
If you enjoyed this edition, please give it a little love by clicking on the heart. Have a wonderful day.
Laurent. ❤️