Accelerating the Path to Managed Cybersecurity with M&A
MSPs operate in a challenging and competitive marketplace. Small and medium-sized business (SMB) customers increasingly view the core IT infrastructure support services MSPs have long provided as commodities. At the same time, competitors are growing larger and more sophisticated as industry consolidation continues. Private equity investments have created more than 80 MSP platforms that are aggressively pursuing add-on acquisition opportunities.
Against this backdrop, the security requirements of MSP customers have undeniably expanded.
According to N‑able’s State of the Market: The New Threat Landscape Report, which surveyed 500 senior decision makers at MSPs and was conducted by Coleman Parkes Research, MSPs report that 82% of customers have seen an increase in attempted cyberattacks. And where attempted cyberattacks have increased, the average number prevented since the pandemic is now 14 per month, compared with eight per month before it.
One reason why MSPs continue to be seen as an attack vector is that far too many attacks are successful. The report also found that almost all MSPs had suffered a successful cyberattack in the previous 18 months. And 90% had seen an increase in the number of attacks since the start of the pandemic. On top of this, a third had been successfully attacked in the previous quarter alone. (Of course, it’s also important to note that the number of attacks these MSPs are preventing has almost doubled, from 6 to 11.)
While these attacks may not grab headlines like those on Colonial Pipeline and JBS Meat Packing, they can be devastating to a small business in terms of the costs of remediation and recovery, not to mention reputational damage.
Growing Managed Security Market
Developing a robust managed security offering is a natural way for an MSP to respond to these challenges. In addition to being a differentiator and one-stop shop for both support and security in the eyes of customers and prospective clients alike, tapping into the managed security market provides access to new, fast-growing revenue streams. Indeed, N‑able’s research also found that 81% of MSPs have increased their security budget (by an average of 7%) in the past year compared to 70% of customers who have done the same.
Yet the question remains as to whether that is enough provide the full managed security services that companies need. Most MSPs already provide a baseline level of cybersecurity services, such as patch management, antivirus, and firewalls, but they often don’t offer the comprehensive set of managed security services that MSSPs deliver.
A robust managed security offering typically includes:
- 24/7 security monitoring with SIEM (security information and event management), MDR (managed detection and response), or similar tools
- identity and access management
- threat and vulnerability management
- security awareness training
- penetration testing
Depending on the MSP or MSSP’s customer base, industry-specific compliance solutions (e.g., CMMC/NIST SP 800-171, HIPAA, and GDPR) that readily map managed security services back to regulatory requirements may also be part of the solution.
Moving From MSP to MSSP
While it’s possible to organically develop the capabilities necessary to deliver managed security services, the transition from traditional MSP to full-fledged MSSP is neither quick nor easy and requires changes to almost every facet of an organization’s operations.
As a starting point, new security-focused capabilities and offerings must be developed. This requires hiring experienced cybersecurity talent that is expensive and in short supply in the current labor market, then putting them in a position to drive both strategic and day-to-day operational change. Similarly, sales and marketing, customer support, and hiring and training practices must be retooled to focus on cybersecurity.
In other words, the company’s cultural mindset must be directed towards cybersecurity to be a successful managed security provider. An extensive organizational shift of this scale takes time and significant investment and is frankly too much for most traditional MSPs to undertake organically.
For MSPs that want to own the managed security service provider capability given its mission-critical nature, M&A can accelerate the development of internal capabilities and dramatically enhance speed to market with managed security offerings. At our practice at FOCUS, we are seeing growing interest in this approach from both existing MSP platforms that need to enhance their cybersecurity capabilities and from private equity investors looking to create managed security-focused platforms.
Data from the broader market also bear out this trend. Through the end of 2021, MSSP Alert has reported on 85 managed security transactions, including acquisitions completed by well-known MSP platforms. At FOCUS we expect another busy year of deal-making, as the drivers of cybersecurity demand are not going away.
April Taylor is managing director of FOCUS Investment Banking, LLC
© N‑able Solutions ULC e N‑able Technologies Ltd. Tutti i diritti riservati.
Il presente documento viene fornito per puro scopo informativo e i suoi contenuti non vanno considerati come una consulenza legale. N‑able non rilascia alcuna garanzia, esplicita o implicita, né si assume alcuna responsabilità legale per quanto riguarda l’accuratezza, la completezza o l’utilità delle informazioni qui contenute.
N-ABLE, N-CENTRAL e gli altri marchi e loghi di N‑able sono di esclusiva proprietà di N‑able Solutions ULC e N‑able Technologies Ltd. e potrebbero essere marchi di common law, marchi registrati o in attesa di registrazione presso l’Ufficio marchi e brevetti degli Stati Uniti e di altri paesi. Tutti gli altri marchi menzionati qui sono utilizzati esclusivamente a scopi identificativi e sono marchi (o potrebbero essere marchi registrati) delle rispettive aziende.