Becoming An MSSP Is Hard. Partnering With One Could Be A Better Answer
Solution providers looking to bring managed security services to their customers -- without having to offer the services themselves --are finding growing options to do so through partnerships within the channel community.
For solution provider Alacrinet, its portfolio of specialized cybersecurity services has been a strong source of growth in recent years. The Palo Alto, Calif.-based company’s offerings range from implementation services for a full array of cyberdefense tools to risk assessment services such as penetration testing.
What the company is not, however, is an MSSP. And it doesn’t want to be.
“When we were looking at the MSP market, we saw that we could either build out another business unit around MSP—which in some cases might make sense—or we could partner,” said Daniel Duhaime, vice president of sales at Alacrinet. “We decided to partner.”
Amid the massive cybersecurity talent shortage, intensifying threat environment and relentless complexity of running a cyberdefense operation in 2023, many customers are asking their trusted advisers for help with security. Countless organizations are looking to outsource more of their cybersecurity management to a third party, and for many in the channel, building an MSSP practice would seem to be a huge opportunity.
But becoming an MSSP is far easier said than done due to a high barrier to entry, increased liability and a host of other factors, MSSP executives told CRN.
How can solution providers bring much-needed managed security services to their customers without actually having to offer the services themselves? A growing number of solution providers are finding that partnerships—within the channel community they know so well—may be the answer.
Alacrinet partners with 10 different MSSPs in total, a strategy that allows the solution provider to match the ideal service provider to each customer situation, Duhaime said.
One of those MSSP partners is Cyderes, a 900-person cybersecurity services powerhouse formed through the merger of Herjavec Group and Fishtech Group in 2022.
Within its six Security Operations Center (SOC) locations around the globe, Cyderes analysts do the critical work of monitoring and responding to security threats around the clock, every day of the year.
For Cyderes, partnering with other solution providers on deals is increasingly proving to be a smarter growth strategy than competing with them, according to Anthony Aurigemma, CRO of the Kansas City, Mo.-based company.
The model is so promising, in fact, that Cyderes launched a partner program of its own in March. The new program serves as a way to formalize the process and build trust between the company and its expanding set of collaborators within the channel, Aurigemma said.
Case in point: Cyderes recently won two new customers within the retail industry and state, local government and education (SLED) market by teaming up with another solution provider. The solution provider partner handled the closing of the deals, which included managed security services from Cyderes as part of the packages.
The arrangement has increased Cyderes’ reach, Aurigemma said, while enabling the solution provider partner to meet customer needs and generate margin.
But that’s not all. The deals came together faster than usual “because we didn’t compete with each other,” he said. “The client got everything that they wanted, and the process was much cleaner and speedier.”
The new Cyderes partner program underscores a movement toward greater collaboration between solution providers and MSSPs, sparked by the rising demand for managed security.
And it’s not just VARs that could benefit from exploring these types of in-channel partnerships to meet customer needs for managed security services, channel executives said. Even for an MSP that is adept at delivering managed IT services, expanding into the managed security side can be a major undertaking.
“We have seen MSPs, both large and small, say, ‘We’re going to take some of that on ourselves.’ And it’s a big lift,” said Ben Masino, CRO of Avertium, a Phoenix-based MSSP.
And so, while it might seem like a natural progression for MSPs to evolve into MSSPs over time, that’s not realistic in many cases, according to channel executives.
“Doing security operations 24x7 is a significant investment of time, money and resources. You need a lot of expertise to build it and then to scale it, maybe even more so to scale it. And it’s not the same as running a Network Operations Center. It’s a very different business,” Masino said.
The bottom line is that “for MSPs out there that are trying and struggling [on managed security], or don’t want to try, or have tried and failed, I think the partner model really works well,” he said. “As long as everybody’s very clear and you build trust in how you engage, I think it can be incredibly successful.”
Focus On Enablement
For Avertium, which formed in 2019 through the merger of three MSSPs, collaboration within the channel would seem to be in its DNA. All three of the pre-existing companies already had partnerships with other solution providers prior to the merger, Masino said.
Masino joined Avertium the following year and said he brought an emphasis on in-channel partnerships as a “core part” of his growth strategy for the company. Since then, “we’ve built on that and made it better, made it more formal,” he said.
That included the 2021 hire of cybersecurity sales veteran Randy Rosenbaum to head up Avertium’s channel partner program. The program puts a major emphasis on partner enablement, which can be one of the biggest challenges when two solution providers decide to work together, Masino said.
“How do you teach sales teams, partner teams what each partner does and how it fits together?” he said. “That doesn’t happen by accident. It really needs to be a concerted effort between the two partners to make sure that everybody’s up to date on how we work together, why we work together, what value the customer has. It sounds basic, but it is actually the thing that differentiates a good partnership from a bad one.”
One solution provider that has turned to Avertium to deliver managed security services to its end customers is Towerwall, a longtime provider of solutions and professional services for security.
The Framingham, Mass.-based company’s offerings span proactive services such as penetration testing, which entails using hacking techniques to assess security weaknesses, to reactive services such as incident response and remediation. But Michelle Drolet, founder and CEO of Towerwall, said the company has steered clear of offering its own managed services in order to avoid a conflict of interest with the other services the company provides, she said.
“What’s happening is you have these managed service providers [that are] adding information security arms. And so it’s not church and state anymore. Now it’s, ‘I’m monitoring your endpoints, I’m managing your firewalls. And hey, I could do penetration testing—on myself,’” Drolet said. “It’s getting really muddy now. The same thing goes with managed security service providers.”
Still, in cases where Towerwall resells a tool that a customer needs to have managed—such as a security information and event management (SIEM) or endpoint detection and response (EDR) product—customers are often looking to bundle in management of those tools. That’s when Towerwall’s partnership with Avertium comes into play.
Avertium operates two “cyber fusion” operations centers in the U.S. that are staffed 24x7 by security analysts, providing the continuous monitoring that is increasingly a must-have for many businesses for compliance reasons.
Providers of managed security services usually offer a lot more than just managed detection and response (MDR), a fast-growing cybersecurity category often focused on management of endpoint detection tools.
Many solution providers and MSPs partner with MDR vendors to bring essential threat detection capabilities to their customers, though managed security services offers a more comprehensive approach that many organizations are looking for.
“[Managed security services] is like the department store of security,” said Pete Shoard, vice president and analyst at research firm Gartner. “MDR is a much smaller slice. MDR is like one of the boutique retailers in the department store.”
While managed security services can comprise a range of offerings and levels of involvement, it typically requires operating a SOC that offers around-theclock security monitoring. That usually entails SIEM and EDR administration, threat intelligence, automation and advisory services, said Eron Howard, COO of Novacoast, a large MSSP based in Wichita, Kan.
“Running a good MSSP that’s actually doing 24x7 SOC coverage is not trivial. It’s taken us years to learn to get it right. And it’s super nuanced,” Howard said.
Compared with professional services around security, with managed security services, “you can’t just jump into it as easily,” he said.
Even for well-resourced organizations, getting a SOC up and running—and hiring the necessary talent from a coveted pool of professionals—can pose massive hurdles, MSSP executives told CRN.
For instance, management consulting firm MorganFranklin Consulting launched its line of managed security services about a year ago. A few months in, the McLean, Va.-based company hired SOC veteran Justin Klein Keane from Meta, where he was the manager of internal detection and response.
“I think they learned very quickly how challenging it is, which is part of the reason they hired me, because I’ve done this before,” Klein Keane said. “Standing up these services is not just logistically challenging, but providing a compelling value proposition to potential customers is also really hard.”
For example, articulating what a customer will get at different price points for managed security services can be particularly tricky for those who haven’t done it before, according to Klein Keane, who is director of MorganFranklin Consulting’s SOC.
The actual day-to-day work of serving as an outsourced security operations team for customers is notoriously difficult as well.
“In security operations, you are responding to alerts of anomalous activity and then having staff actually conduct investigations to make determinations, whether that is a malicious anomaly or a benign anomaly. Or if it’s just an outlier, maybe the detection needs to be tuned,” Klein Keane said. “Whenever you make those judgment calls, there is risk that you get it wrong. And there’s risk of impact for getting that wrong. I would advise any MSP to think very carefully about that risk.”
An MSP might be convinced to add a managed security line of business on account of the revenue opportunity, but there’s a lot that needs to be thought through first, he said.
“You need to think about, ‘How am I going to be able to staff this and provide the expertise in a way that I’m comfortable and confident that my team is making the right calls? And where I’m going to have the assurance that, if I faced a situation where someone made the wrong call and there was a calamitous business impact, that my position would be somehow defensible?’” Klein Keane said.
Liability considerations should be top of mind for any solution provider or MSP that’s entertaining the idea of adding an MSSP practice, channel executives said.
“There’s a lot of liability just from putting yourself out there and saying you do it,” said Seth Kilander, founder and CEO of Denver-based Ki Security and Compliance Group. “That liability could be exponential, especially when it comes to insurance.”
Without a doubt, when it comes to a service provider’s liability, “they’re essentially signing up for a lot more” by making the leap into MSSP work, said Andy Anderson, founder and CEO of cyber insurance broker DataStream.
If an MSP is considering such a move, Anderson said, “I think they really want to make sure that they are not making that decision lightly and that they actually are going to take on the responsibility and have the expertise to do it.”
Ki Security and Compliance Group has intentionally stayed away from describing itself as an MSSP even though the company is “close to one” in terms of capabilities, Kilander said. For instance, the company doesn’t operate its own SOC or offer SIEM capabilities, “which an MSSP definitely should,” he said.
All in all, “we’re covering some of the MSSP [capabilities], and then we’re outsourcing the rest” to a trusted partner, Kilander said. “We work with them very closely so that all of our stuff is tying through theirs. [We want to] have that relationship where they are an extension of us.”
There’s a widespread mentality in the MSP community that prevents many solution providers from taking a similar approach, however, he said.
“Most MSPs come from the side of, ‘We do everything. You don’t need anyone else. And if you have anything else, our contract is void,’” Kilander said. “We have to get past this mindset.”
Managed Security Basics
For solution providers and MSPs that do want to explore expanding into managed security services, there are a few good places to start, channel executives told CRN.
For instance, an MSP could start by acquiring an inexpensive SIEM platform and collecting logs from different systems, according to Stel Valavanis, founder and CEO of onShore Security, a Chicago-based MSSP. From there, it could begin to build processes around managing the data, policies and reporting, he said.
By doing that work, “they can actually gain a lot of maturity in a pretty short time, if they really want to become an MSSP,” Valavanis said.
However, he said, MSPs on this journey need to recognize that delivering managed security services requires a different mindset than traditional management of IT. “Security is more like accounting than it is like firefighting,” Valavanis said.
Because attackers typically are inside victims’ systems for weeks or months before they’re detected, “you’re looking for activity that hints that there are things going on,” he said, which is akin to accounting work. “You’re not looking for attacks as they happen.”
For this reason, MSPs should not necessarily view the MSSP model as the next logical step, Valavanis said. “It has a very different nature to it,” he said. Too often, though, service providers looking to expand to become MSSPs run into problems from “dragging in some of that MSP thinking,” Valavanis said.
For an MSP that’s exploring the idea of offering managed security services to customers, a recommended initial step is to become proficient at managing its own internal cybersecurity program, according to FCI Cyber CEO Brian Edelman.
“If you do it [well] for yourself, then make that jump,” said Edelman, who founded the Bloomfield, N.J.-based MSSP in 1995. “But if you don’t do it well for yourself, then learn to do it well for yourself—and then make an informed decision that allows you to do something that’s good for you and your clients.”
For those solution providers and MSPs that want to play an important role in meeting customer needs for managed security services—but aren’t inclined to try to deliver those services inhouse— there are a growing number of choices.
In addition to working with MSSPs such as Cyderes and Avertium, another notable partnership option was originally devised by security service provider Novacoast.
The offering, Pillr, is targeted at MSPs that serve SMBs, with its platform that enables partners to bring 24x7 SOC services to SMB customers.
A platform like Pillr’s is needed because, first and foremost, most security vendors tailor their products to the requirements of large global enterprises, said Adam Gray, chief science officer at Pillr. But for SMBs, many products are “either too complicated or too watered down, or don’t really fit their budgets and people and expertise,” he said.
“I founded the Pillr side specifically to fill that market and that void,” said Gray, who is also the CTO of Novacoast. Now a separate entity from Novacoast, Pillr currently works with 1,300 partners in North America and Europe.
Notably, for the MSPs that work with Pillr to bring SOC coverage to their SMB customers, something interesting tends to happen: They naturally improve their capability for delivering valuable security services, according to Gray.
“They become much better practitioners around remediation and response,” he said. And from there, MSPs will often get more involved with deploying vulnerability management controls and helping their customers with improving their cyber hygiene, Gray noted.
By working with Pillr, MSPs also “get better at reading the threat intel reports, they get better at the advisory reports, and they start to get a lot more proactive,” he said. “They become much better stewards of security simply by having access to the information and having it digested in a way that is suitable for them.”
For Cyderes and its recently introduced channel program, the focus so far has been on working with reseller partners. The program includes the major components of a typical channel offering: discounts and margins, deal registration and protection, training, dedicated channel account managers and co-selling opportunities.
Jamie Wolf, formerly a channel executive at cybersecurity vendors including Black Kite and Onapsis, leads the partner program as Cyderes’ head of global channel, alliances and ISVs.
By working with channel partners, MSSPs such as Cyderes get the classic benefit of a boost to their scalability, noted Alacrinet’s Duhaime: “It’s cheaper to give us margin than it would be to try to acquire all those customers on their own.”
There are some differences with a partnership between two companies in the channel, however, as compared with a partner-vendor relationship. For instance, from the get-go, extra effort may need to be put in around building trust—especially when it comes to navigating potential areas of competition.
As part of establishing its in-channel partnerships, Cyderes has made clear to its VAR partners that product resale is not a top priority, according to Cyderes’ Aurigemma.
“They need to be assured when working with you that you aren’t going to step into their space,” he said. “That’s the piece of the puzzle that I think we’re starting to unlock. I think others will figure that out as well.”
Ultimately, “when they meet us and realize that we’re not looking to encroach on some of their core services—that we know our swim lane—we’ve had some great outcomes.”