Secureworks CEO Wendy Thomas On Shifting From MSSP To XDR And A ‘Partner-First’ Model

With the transition from managed security services provider to vendor now well underway, and demand surging for its extended detection and response (XDR) platform, Thomas tells CRN that ‘it was time to make the full transition to partner-first.’

Doubling Down On XDR, Partners

Cybersecurity firm Secureworks is at “the end of the beginning” of its transition from a managed security services provider (MSSP) to a vendor focused on providing extended detection and response (XDR) capabilities to customers, Secureworks President and CEO Wendy Thomas told CRN. At the same time, Secureworks is drawing heavily on its knowledge and experience of managing security for customers in building its Taegis XDR platform, which has been built “from the ground up, from the first line of code,” Thomas said.

As part of its transition away from being an MSSP itself, the company has in recent years been moving to do more with channel partners — an effort that took a big step forward in December when Secureworks committed that all new Taegis business will be sold with the help of partners in North America. “It was time to make the full transition to partner-first,” Thomas said in a recent interview with CRN. Ultimately, partners “have a great opportunity to build a high-margin services business on top of a high-margin product resale business” with Secureworks, whose XDR platform utilizes security data feeds from across a customer’s entire environment, not just endpoints and networks. The “open” XDR platform has the ability to collect and correlate data feeds from numerous third-party tools, and then analyze the data together in a unified way in order to help security teams prioritize the most-pressing threats to tackle.

As evidence of the company’s momentum in XDR, Secureworks disclosed that its Taegis platform had hit $222 million in annual recurring revenue as of the end of October, up 80 percent year over year. XDR is the core of the Taegis platform, though it’s also available with other add-on modules such as vulnerability detection and response (VDR).

Earlier this month, Secureworks, whose majority owner is Dell Technologies, disclosed that it has cut 9 percent of its workforce as part of “aligning its investments more closely with its strategic priorities.” Those priorities include its “higher value, higher margin Taegis solutions,” the company said in a filing with the U.S. Securities and Exchange Commission. Secureworks joined numerous other companies in the cybersecurity industry, as well as in the tech industry overall, in cutting back on staff amid the worsening economic environment. CRN spoke with Thomas prior to the disclosure of the layoffs.

What follows is an edited portion of CRN’s interview with Thomas on the Secureworks transition from MSSP to an XDR provider with a partner-focused sales model.

Moving To Partner-First

Secureworks initially launched its current channel program in mid-2020. Since the company had started out in the services business, it had previously focused on direct sales — but following the launch of the channel program, Secureworks had shifted more than half of its new Taegis sales to partner-involved deals over time. “It just made sense” to make the shift to 100-percent channel now, Thomas said. “It was time to make the full transition to partner-first.”

Secureworks has found that “the go-to-market model with partners is incredibly successful and scalable,” she said. “And the most important reason is, customers want to work with their trusted advisors, who may do even more for them than just security. And so it made sense to give our customers the choice around going to market with partners but still have the benefit of all the Secureworks portfolio offerings. And what we have found is that that just opens up market opportunities that we didn’t necessarily have as a direct organization. So it creates scale for our business and really opens up the addressable market for us.”

It also removes channel conflict, Thomas noted. “Partners can feel very confident that there is no conflict. And that’s probably one of the biggest positive pieces of feedback, beyond a very compelling margin profile, very compelling program. A partner like Secureworks is 100 percent committed to go-to-market with them has been extraordinarily well received.”

Security Services Partners

For the first time, Secureworks over the last 12 months has signed up “security-focused partners” in North America to complement the national solution providers that it had already been working with, Thomas said. “And that shift into security-focused partners has opened up our ability to be involved in some of the RFPs that weren’t available necessarily as a direct sales force.”

Currently, Secureworks is in “what I like to call the end of the beginning, in terms of our MSSP transition to an XDR provider,” she said. “What it means is, partners have a great opportunity to build a high-margin services business on top of a high-margin product resale business. And it’s the combination of those two opportunities that’s important. For us as a company that has been transforming, we’ve talked in our last earnings call about ending this year with about 80 percent or more of our annual recurring revenue having transitioned to the Taegis platform. We’re getting very close to the transition of the existing base to our new product portfolio.”

Leveraging Its MSSP Background

Secureworks has an advantage over competitors thanks to its experience in building its own managed detection and response (MDR) platform, Thomas said. “By managing all of these different security point products, we learned what works, we learned what telemetry they provide and how to normalize that data, in order to run cross-correlated detection analytics to reduce the noise. So the understanding of the products out there is very intimate. Security management of those was one advantage of taking that knowledge from MSSP business model to an XDR platform.”

A second major advantage from its MSSP background was the ability to know “what does good look like” in terms of automation — what the best way was to build orchestration into the platform “to automate investigations and to automate response capabilities.”

“My favorite response when I meet with customers is that the security analyst on the team says, ‘This UI looks like it was built by somebody who has done my job and has taken away the pain points.’” Secureworks is unique in that it has that experience from knowing “what it’s like to be in a SOC every day, to get the noisy detections down, and to automate much of the work so that they can work on the things that only humans can do.”

Secureworks also has more than two decades of experience with tracking threat actor tactics, techniques and procedures, she said. “We are one of the few providers who have such an extensive amount of threat intelligence that we build into our tactics graphs,” Thomas said. That allows Secureworks “to detect adversarial behavior much quicker.”

Open XDR Approach

Secureworks believes that its open approach to XDR has resonated with the market, Thomas said. “We’re not requiring our proprietary agent to be deployed, if you have one of our supported agents -- of which we’re supporting the vast majority of the market.”

Another fundamental approach that’s different with the company’s XDR “is that we built this from the ground up, from the first line of code,” she said. “And the importance of holistic detection and response, it is that full coverage, but it is the data architecture underneath of ingesting that telemetry that is not just aggregating the alerts from the individual point products. But again, it’s really distilling those into the one alert that matters, so that you can focus your resources on the things that really matter and reduce your risk and reduce your time to response.”

Other vendors that purport to offer XDR often are still largely focused on the environments they originally focused on — such as endpoints or networks — but there’s a lot more to correlating threats today than just considering those systems, Thomas said. “What they’re really doing is they come from their point of strength, and then they use a SIEM-like approach to just aggregating the other telemetry. That is not cross-correlating and distilling that telemetry into the alerts that matter. It’s really just a new version of a SIEM under an XDR label,” she said. “And that’s probably the biggest fundamental difference. [Most other vendors are] either not open, so you’ve got to move to their proprietary stack, or they are really just aggregating like a SIEM.”