This content is part of the Essential Guide: MSP security essentials for every IT service provider
News Stay informed about the latest enterprise technology news and product updates.

How can MSPs evolve into cybersecurity companies?

Channel executives discussed the realities of the cybersecurity market at CompTIA's 2017 ChannelCon event, revealing key considerations for making the business transition.

AUSTIN, Texas -- Cybersecurity has become a crucial business area that channel companies are trying to wrap their heads around, especially as their customers grow more wary of the emerging threats.

That theme was brought up again and again at CompTIA Inc.'s ChannelCon 2017 event, held this week in Austin, where channel partners discussed their ongoing evolutions as cybersecurity companies. Conference sessions demonstrated many channel executives remained in the very early stages of their transition to cybersecurity and were still thinking out their first steps. More established players in the cybersecurity market revealed the disparate paths to evolve their security businesses. The vendors crowded the exhibition areas, meanwhile, looking to push channel firms deeper into the underpenetrated market.

The security journey for MSPs

Explaining their successful security practices, managed services providers (MSPs) pointed to a few key considerations before transitioning into cybersecurity companies. One of those considerations is that MSPs must either establish security capabilities internally or partner up to provide security to their customers.

In a ChannelCon 2017 panel discussion, MJ Shoer, CTO at Internet and Telephone, a company based in North Andover, Mass., said his journey to security has "been an interesting ride." About a year ago, Internet and Telephone, which was recently acquired by Onepath, built out a security platform based on the National Institute of Standards and Technology cybersecurity framework and Open Systems Interconnection reference model, he said. The company then developed a model where, under the Onepath umbrella of business units, it owns a security division as well as a MSP business unit. The company keeps a "firewall" between the two to parts of the business, he said, so when the security division provides customers with assessments and recommendations, customers can be ensured "integrity of objectivity."

If a [penetration] test reveals there are ports open that shouldn't be, we throw ourselves under the bus, just as we would any other MSP.
Matt ShoerCTO, Internet and Telephone

"If a [penetration] test reveals there are ports open that shouldn't be, we throw ourselves under the bus, just as we would any other MSP. … We'll point out where the deficiencies are, and we've got to turn around quickly and remediate those for the customer's benefit," Shoer said.

Despite the buzz in the market that MSPs need to become managed security services providers (MSSPs), he said he doesn't think "you can truly be both unless you can set up the kind of division" that his company has. However, he acknowledged that this security business model isn't feasible for every MSP. Internet and Telephone could do it because of "our size and scale," he said.

Jim Turner, president of Hilltop Consultants Inc., an MSP based in Washington, D.C., said that while Hilltop has developed security capabilities, it doesn't call itself an MSSP. The company, which focuses on the legal vertical, takes an approach to security similar to vendor management, he said.

"What I have are people who are on the inside, who are knowledgeable on security, and they're managing the different vendors that we have partnered with to provide the [security] services," Turner said.

"We are having a lot of success in generating revenue by providing services for our clients with our partners. We're able to keep out the competitors that are claiming that they're MSSPs, even though I know that they're not really MSSPs," he added.

Working with law firms, he noted Hilltop has to grapple with unique security concerns. Hackers, for example, would relish the chance to break into MSPs because they aggregate data for accessing their law firm clients, which in turn aggregate sensitive data, including contracts and intellectual property, of all their business clients.

"Hackers want to get in," he said.

Statosphere Networks, an MSP based in Evanston, Ill., built in-house security capabilities after deciding to pivot its business to cybersecurity several years ago. "A lot of things need to be internally done before you add security solutions and services into your portfolio," said Kevin Rubin, Stratosphere's president.

"The challenge that you'll have in the managed services environment is we have IT leaders versus security professionals," he noted. "It is very challenging when you go to your engineering staff and say, 'I have this great idea about services and solutions from a security standpoint that I'd like to roll out,' because it's kind of an unknown turf for them. … So, you have to build your own set of internal team [members] to focus on security if you're going to do something in house."

Dmitry Bezrukov, a ChannelCon attendee and CEO of ITsecura, a three-person MSP based in Oregon House, Calif., said his company places a lot of emphasis on cybersecurity and continues to develop its security practice.

"Even though I think we're doing very good … there is always [something] you can do better," Bezrukov said. "We are striving for that unreachable excellence, and security … is not straightforward."

Educating people on security has become one of his top missions, he added.

Vendors urge partners to embrace cybersecurity

Intronis MSP Solutions by Barracuda, a security and data protection provider, was one of many vendors at the ChannelCon 2017 event with insight to offer channel companies.

According to Neal Bradbury, co-founder and vice president of channel development at Intronis, the advanced security market is underpenetrated by MSPs. Citing findings from the company's latest study of the managed services market, he said that while MSPs commonly have foundational security offerings like antivirus, only about 15% of MSPs were offering advanced security services such as security information and event management, advanced threat protection and compliance services.

Sean Sykes, managing director at Avast Software, said the biggest issue that MSPs are faced with today is business transformation. "For [MSPs] to continue to be relevant … they need to be finding ways to evolve their business. What they need are tools that are going to allow them to serve that need to be not only an IT consultant, but a security consultant at the same time," he said.

"The reality is this: In the market today, there is an increase in the number of attacks targeting the SMB, and there is an incredible shortage of cybersecurity professionals here in the U.S.," Sykes added. Customers will turn to their providers for cybersecurity support, and those that can support them as cybersecurity companies will do well, while those who can't might find themselves in a position to be replaced by a competitor.

Paraphrasing a quote that has resonated with him, he said, "Every individual in an IT job today is [in] a cybersecurity role, whether they know it or not.'"

Next Steps

CompTIA sheds light on IT services spending for SMBs

Learn about the emerging cloud access security broker market

Partners predict more ransomware attacks after WannaCry

Dig Deeper on MSPs and cybersecurity