By Bob Layton, Digital Defense, Inc.
One question always comes up when I do podcasts or media interviews: how to deal with the shortage of trained cybersecurity experts. There’s a global shortfall of almost two million cybersecurity professionals, according to the Center for Strategic & International Studies.
While millions of cybersecurity jobs are going unfilled, cyber threats are increasing. Security breaches have grown by 67 percent in the past five years as malefactors discover new vulnerabilities and attack vectors, endangering US$5.2 trillion in global revenue in the next five years, according to Accenture.
It isn’t just large enterprises being targeted. Ransomware attacks are growing against small-and-midsize businesses and public organizations, including local school districts and regional hospital systems. These operations store a wealth of highly sensitive personal data of great value to cybercriminals but can’t find or afford qualified cybersecurity professionals to protect it.
Despite well-meaning STEM programs rushing to train or retrain mid-level workers in cybersecurity, I believe those 2 million unfilled cybersecurity jobs will never be filled. And here’s the good news: they won’t have to be.
Thanks to the cloud, a new model of industrial-strength Cybersecurity-as-a-Service is arising among Managed Service Providers (MSPs), Managed Security Services Providers (MSSPs), and Managed Detection and Response (MDR) companies. For simplicity, let’s call all of these businesses “MSPs.”
Cybersecurity – often an expensive in-house undertaking, even if qualified cybersecurity pros can be found – is increasingly being provided as a cloud service to customers on a subscription basis by MSPs. Like many other leaps forward, the inevitable arrival of MSP-provided Cybersecurity-as-a-Service has been accelerated by the pandemic. When offices emptied last spring, businesses of every size found themselves managing all their employees’ vulnerable devices remotely and simultaneously. This demanded multiples of the usual attention from IT departments whose members were working remotely, too.
I called the arrival of MSP Cybersecurity-as-a-Service “inevitable” because it’s been a no-brainer for years and offers solutions to three of the industry’s top problems.
- Pricing: Traditionally, MSPs that wanted to offer cybersecurity had to spend a lot up-front for a high-priced hardware/software cybersecurity product, then hope to amortize that investment profitably by charging customers monthly fees. Given cybersecurity’s complex and pricey solutions, many MSPs shied away from offering security at all in their bundle of services. The arrival of Software-as-a-Service (SaaS) cybersecurity, however, has enabled MSPs to become subscribers themselves, and bundle world-class cybersecurity into their overall managed service package, making them more attractive business partners to their customers.
- Business Model Alignment: MSPs are learning that sustained and consistent customer subscriptions – Monthly Recurring Revenue (MRR) – are more profitable in the long run than larger but sporadic sales in the traditional value-added-reseller (VAR) model. But MRR income potentially creates cash flow problems for MSPs when they are faced with large, pig-in-a-python one-time capital expenses, such as cybersecurity hardware/software solutions. Smart SaaS cybersecurity vendors are getting into sync with MSPs’ MRR rhythm, so MSPs can pay their SaaS cybersecurity partners on the same cadence the MSPs get paid by their customers.
- Proof Of Value: It’s the nature of the beast: MSPs and their customers are in a constant back and forth over what services are provided at what cost and what value. For a long time, MSPs have struggled to convince customers of cybersecurity’s importance relative to its high cost (see above). Plus, MSPs have been suffering the same cybersecurity talent shortage as the rest of the world. Meanwhile, cyberthreats proliferated. Fortunately, SaaS has solved those problems by augmenting the efficiency and impact of MSPs’ in-house cybersecurity pros. Which brings us to value: MSPs’ customers demand and deserve solid proof of value. Good SaaS cybersecurity providers present security-posture reporting in easy-to-understand ways – such as intuitive metrics and dashboards that literally “grade” threats and cybersecurity readiness with letters (A, B, C, etc.). That way, everyone from C-level to CISO can understand the information and appreciate the cybersecurity value being provided by the organization’s MSP.
Given the superior value and simplicity of MSP-provided Cybersecurity-as-a-Service, it’s no wonder more than two-thirds of businesses surveyed by the tech association CompTIA several months into the pandemic said they were unprepared for the surge in remote work and, on the assumption that increased remote work is here to stay, would turn to MSPs for cybersecurity services. Forbes.com reports that by 2026, 77 percent of cybersecurity spending will be for externally managed security services.
Owners and managers of SMBs will always find things to keep them up at night, but they no longer need to lose sleep worrying about where they’re going to find – and how they’re going to pay – cybersecurity professionals to protect them in an increasingly cyber-threatened world. Thankfully, MSPs are bridging the gap.
About The Author
Bob Layton is chief revenue officer of Digital Defense, Inc., a leader in vulnerability management and threat assessment solutions. Follow Bob on LinkedIn and @TroubadourBob on Twitter.