Managed security service providers (MSSPs) are going to need to prove their worth during an economic downturn that has security leaders starting to ask tougher questions about the value of their services.
Forrester's Planning Guide 2023: Security & Risk report recommends allocations for managed security services as one of the areas where security spending could be scaled back. The report states:
“Over time, MSSPs devolved into alert factories sending templated emails about alerts to clients that failed to provide context or accelerate decision-making. As MSSPs wane, swap those investments to managed detection and response (MDR) or security operations center-as-a-service (SOCaaS) providers.”
Other cutback recommendations being made by Forrester include standalone data loss prevention (DLP) platforms and user behavioral analytics tools.
Managed Detection and Response (MDR) and Security Operations Center-as-a-Service (SOCaaS) platforms that provide a range of capabilities delivered as a cloud service are gaining traction. In some regards, they can represent a threat to MSSPs when a vendor provides them directly to a customer. In other instances, MSSPs are reselling these services to provide a richer set of services at a lower cost than they could if they chose to build out the same capabilities themselves. The issue, of course, is what level of profitability can be achieved by reselling a service versus an MSSP building and maintaining a platform on their own.
The Forrester advice to customers from an MSSP perspective is not all negative. Forrester advises security leaders to continue to spend on security controls that protect customer-facing and revenue-producing workloads.
Forrester also recommended that budgets supporting modernization efforts involving cloud and zero-trust, along with software supply chain security, extended detection and response (EDR) capabilities, attack surface management, breach and attack simulation, and privacy-preserving technologies, be defended against cutbacks. Application programming interface (API) security, bot management, cloud workload security, zero-trust network access and security analytics all merit additional investment, the report notes.
It’s unlikely most organizations will have the expertise required to implement any of these emerging security technologies, let alone integrate and maintain them. As such, MSSPs need to position themselves as the lowest-cost path of least resistance to acquiring these capabilities.
Achieving that goal would naturally require MSSPs to increase their current levels of investment in product and service development. Therein lies the rub, of course: an MSSP must either generate a sufficient level of profit from its existing services to fund those investments or attract additional rounds of outside investment that can be used to create higher-margin services that are truly differentiated.
There is no doubt the Forrester report does unfairly tarnish all MSSPs. However, there are MSSPs that are not providing their clients much more than a steady stream of meaningless alerts. Many of those MSSPs, despite an increased appreciation for cybersecurity, are likely to fall by the wayside as the economy contracts. Regardless of the level of service provided, however, MSSPs should expect to be fielding some difficult questions from clients in the days and weeks ahead.