Managed services have had their heyday since the outbreak of the COVID-19 pandemic two years ago, as scores of customers sought help and support for their now-distributed environments.
In response to this, customers are also becoming heavily reliant on security providers to protect their widening perimeters and attack surfaces from an ever-menacing threat of cyber breaches.
To this end, Australia’s managed service providers (MSPs) are in a prime position to capitalise on this demand, while also providing higher-margin and value services by transitioning to managed services security providers (MSSPs).
But becoming an MSSP is by no means a cheap or easy process. It is not simply a case of investing in and on-boarding a couple of security vendors and claiming to offer an end-to-end cyber security service.
Indeed, Ron Jarvis, sales director of distributor Bluechip Infotech, believes there is a “bare minimum” that an MSSP must provide in a security operations centre (SOC) such as penetration testing, compliance monitoring, managed security monitoring, vulnerability assessments, perimeter securing and application control.
“Where MSPs would have just looked after the network and the end point, customers are now looking to add security to that mix,” he said.
The Missing Link and
Speaking to ARN,
Today it operates its managed network and cyber security operations underneath the umbrella of Connect.
“Over the years, we just started to develop it. We had more customers that were buying Cisco firewalls and were using the McAfee IPS appliances and Juniper’s VPN boxes,” he explained. “We got into spam filtering early.”
However, in 2012, after selling a suite of firewall vendors, the company decided to pivot towards fewer vendors and a deeper focus on different areas of the broadening security spectrum.
“We've just incrementally bolted on new pieces of technology once they became commercially available and relevant to our customers,”
Today its suite consists of vendor partnerships spanning Checkpoint, Palo Alto Networks, CrowdStrike and Sophos.
“We always try to pick enterprise-level, the top of the Gartner quadrant of vendors,” he added. “That means we minimise as many as we can, so we can be better with fewer vendors.”
For Aaron Bailey, chief information security officer at The Missing Link, the formation of the company’s cyber security practice in 2013 came in response to a heating-up landscape of cyber breaches and attacks.
It is now the largest line of business at The Missing Link, employing more than 80 people. "I used to brag about the growth in headcount, but it's got a little out of control,” he said. “But you have to with the level of demand and clients increasing.
“It feels like the ever-increasing landscape has been going on a long time. There’s ransomware, various compliance regimes, privacy legislation and the Critical Infrastructure law. The noise is great and hectic in both the vendor and provider space.”
Put a SOC in it
According to Jarvis, the key to being a successful MSSP is held in the security operations centre (SOC) offering.
Given Australia’s notorious talent shortage and its resulting upsurge in security skills salaries, putting together an in-house SOC is no easy feat for local MSPs.
“For an MSP to become an MSSP it's quite difficult, mainly due to the costs and resources,” Jarvis said. “But, what [MSPs] can do is leverage a vendor's security centre – the managed detection and response (MDR) solutions that are out there. That's becoming more prevalent.”
At The Missing Link, Bailey has managed to steadily build an in-house SOC over several years. "For us, the SOC and the escalation are all formed of security specialists,” he explained. “To go from an MSP to an MSSP, you need those skills, but those come at an expense.”
Housing all its security specialists in Australia, aside from two hired at its recently formed UK practice, is a significant cost. The Missing Link follows a shift roster rather than using an on-call security specialist for its 24/7 offering.
"Our pitch is based on value,” he said. “We're often not the cheapest. Everything we do is focused on quality deliverables and the time to respond. The mean time to detect and the mean time to respond are better metrics and not just meeting the service level agreement.
"A lot of MSSPs and SOCs say they are 24/7, where someone is on-call. With us though, you come into the office and you're there for your shift. In the long-term, the UK will be perfect because that's where the time zone works. It can be the future nightshift."
The other significant expense lies within training.
“You can have the most certifications when you join, but threats change, vendors change, they acquire other vendors and bring out new products,” explained Bailey. “That’s a lot of time training, which takes staff from managing the SOC.”
For this reason, it’s perhaps understandable that many MSPs choose to leverage vendors’ own SOCs and MDR solutions.
"The availability of MDR is changing MSPs’ ability to offer that level of security, beyond just anti-virus and firewall,” Jarvis said.
"The MDR is becoming more used because even if an MSP can get somebody, the salaries are significant. There is more demand than supply."
'You need scale to be valuable’
“The reality is that the complexity of a SOC now really takes scale. Smaller MSPs have to be realistic about their abilities. It’s better to partner with a strong SOC; we have about five or six SOCs behind our Solution Suite,"
“These structured, contractual relationships are where I see the industry morphing. We're a deeply technical organisation and we're strong in technical verticals. That makes us valuable to our customers. When I look at a SOC, if you don't have 50 people in there focused on it, then it's niche and I think times are such that you need scale to be valuable.”
The networks are more complex; applications are sitting in a couple of public clouds, private clouds and on-premises and they all need to be secured,
"It creates a dispersed attack surface, so it’s a complex and challenging problem," he added.
So, is it possible for an Australian MSP today that’s dipping its toes into security to become a fully-fledged MSSP? The answer is yes, but going solo is nigh on impossible today with the current talent market, both Somerville and Jarvis believe.
However, there is one alternative route emerging, according to Jarvis. “We're seeing a lot of acquisitions in this space,” he explained. “SOC providers with their own security infrastructure are increasingly buying MSP practices as a way of building that end-to-end service across IT.”
Meanwhile, for Somerville, the advice for any MSPs is simple: "Don't try to be all things to all people,” he added. “Get really good at what you do; do it well and do it often. Work out where you're strong and get good at it. If it means that you can't do everything, that's ok."