Offering cybersecurity services is not a new concept for OPAQ Networks Inc.
The startup has known for a while that managed security in the cloud would become "a pretty significant sea change in how security would be delivered," said Ken Ammon, OPAQ's chief strategy and technology officer.
In fact, the security-as-a-service (SECaaS) provider has been aggressively seeking acquisition targets to build its security arsenal. In May, OPAQ acquired Drawbridge Networks, a provider of microsegmentation technology, to integrate into its security-as-a-service platform. In January, OPAQ launched with the acquisition of network security-as-a-service company Bat Blue Networks.
The Bat Blue acquisition "will allow us to deliver security policy from the data center to [software as a service]-based apps ... as a service," Ammon said. "That's a significant difference from what characterizes managed security service providers [MSSPs] today, where [MSSPs] basically work with customers to install hardware and software or take control over what's been installed by the customer already."
He added that MSSPs then try to add a value proposition by looking for a network anomaly that might be of interest to the customer.
Industry observers say that description is pretty accurate, and while cybersecurity services is fast becoming one of the hottest areas for channel firms to pursue, many are not. In the meantime, there is high demand for managed security services.
Understanding cybersecurity services needs
A study conducted by 451 Research and OPAQ revealed that 72% of respondents had a preference for security as a service over on-site technology or outsourcing security to a third party, like a managed security service provider.
Additionally, 90% of the respondents said they intend to migrate to security as a service in the next year, according to the study, which was based on responses from 301 IT executives at U.S.-based businesses with 501 to 2,500 employees. The study was conducted during the first quarter of 2017.
"I would say more needs to be done in terms of managed service providers [MSPs] adding security and doing more for their customers in security," said Charles Weaver, CEO and co-founder of the MSPAlliance. At the same time, Weaver added, "MSPs may not be calling what they're doing managed security, but it's still security."
For example, doing backups for customers is often classified as storage, but Weaver said he would classify business continuity as security work. It is also very common for an MSP to offer a service authenticating how users get onto a company's network.
"Authentication of user access to a network or system is at the heart of, or at the beginning of, looking at security for a system," Weaver said.
He also said he believes MSPs may be providing other services, like firewall management, and "are doing it pretty widespread, but have classified security in a very narrow way," since they don't have a security operations center and are not analyzing network data.
"I think it's work they've been doing traditionally, [but] it's just getting the attention now it never had," Weaver said. "I honestly think it's as simple an explanation as that. A lot of MSPs don't think of themselves as a security firm ... and don't have certified security people in their firm, but that doesn't mean they're not dealing with security in a real way. They're dealing with it every day."
Why channel partners need to do more
Dan Cummins, a senior security analyst at 451 Research, said another interesting finding from the study was that organizations want "products that are easy enough for lower-level IT generalists to be able to use.
"The problem is [so] acute and broad that IT managers want to recruit anybody and everybody to focus on these risks," Cummins said.
When it comes to offering more complex, cloud-based cybersecurity services, Ammon said MSPs may be daunted by the fact that every customer has a unique environment and set of apps they use to enforce security.
"A big part of getting a successful security program together is linking [these] technologies," he said.
Charles WeaverCEO, MSPAlliance
For example, if a company has a firewall and active directory, and they aren't linked together, there won't be visibility into the network. But integrating security services is becoming a business imperative for channel firms, Ammon said.
"They have to pivot their business to be able to show value around integrating cloud services and being a solutions provider rather than just a software provider," Ammon said. That way, "they'll become much more of a one-stop shop, and it's a stickier service. The broader the value proposition, the more difficult it is for a competitor to dislodge you from the relationship, and there is more opportunity to provide value for the customer."
Weaver concurred: MSPs need to be doing more because "most end users today have no clue what is facing them in terms of security threats."
How MSPs can start offering cybersecurity services
In terms of how MSPs should start the process, Weaver said they need to participate in security training -- and soon.
"They better get there," he said. "My belief is any operational MSP today must have basic security-level knowledge and awareness and training."
Without an understanding of security, MSPs cannot have conversations with their customers about security threats, as well as the importance of backing up data.
"[MSPAlliance represents] 30,000-plus members around the world," Weaver said. "I don't know what they're saying, but I know there [are] a lot of MSPs that haven't had this conversation yet."
Customers tend to be more focused on other things, and Weaver said MSPs are fighting for time to talk about security issues. When they do, the customer is instead telling them they need to cut IT costs.
Another reason channel firms may be reluctant to embrace cybersecurity services is an obvious one: There is a well-documented shortage of security expertise in the marketplace -- but at the same time, it's not easy to just spin up a security program.
"If you have to find and retain security resources, and, on top of that, deploy and build out some sort of infrastructure to solve problems ... there's a lot of risk, and it's very difficult," Ammon said.
A good option for MSPs that want to offer cybersecurity services is to deploy a ready-made platform, which will help them meet the market demand and offer what Ammon called "a more moderate level of security expertise, without the risk of building out a platform to provide that service."
Get tips for developing a cybersecurity program