Security is one of the IT functions that can be managed by a service provider. And while this function is not a new area of IT operational concern, security has become so complex and multifaceted that it has developed into its own specialized area of managed services to take account of the lack of security expertise in many organizations to protect themselves against increasingly complex threats, attacks and compliance requirements. MSS is gaining in breadth (of technology used and functions addressed), while the types and level of 'managed' service varies greatly between providers.
The 451 Take
The MSS market has rapidly emerged as a key value-add in the hosting and managed services space. Three types of providers dominate – the technology vendor that offers services, the 'pure play' services-only specialist, and the 'long tail' of hybrid providers looking for a piece of an adjacent market. Vendor neutrality remains an important trait in this space, as well as some common principles seen in other areas of managed services, including transparency, partnership capability and strategic relationships. As new kinds of security threats – both cyber and legislative – accelerate demand for security products and services that push the requirement for more sophisticated offerings, managed security service providers (MSSPs) will become an increasingly important part of the digital infrastructure ecosystem.
The three different types of providers
MSSPs provide many of the same benefits that traditional managed service providers offer – predictable and controllable costs, expertise, support and risk reduction. However, not all MSSPs are alike. There are several varieties that need to be recognized – each with their own pros and cons – in order to understand the MSS space and what is on offer.
The first are MSSPs that are heavily dependent on developing and delivering security technologies – companies such as Symantec, Alert Logic, Rapid7 and Fortinet. We designate providers in this sub-segment of MSS as security service technology providers (SSTPs). These providers offer technology and products that include appliances, applications and devices such as firewalls, antivirus and intrusion detection.
SSTPs are typically geared toward a few specific areas or functions in the managed security space. Some of these providers are even further specialized, focusing on delivering tools for specific markets such as retail or healthcare, or to address specific compliance efforts and requirements with regulations such as HIPAA or PCI. While these providers may also deliver further security services beyond the technology, their mainstay is the security service technologies they develop and deliver to their customers.
On the other end of the spectrum of the MSSP space are the 'pure play' providers. Examples include Sword & Shield, Nuspire and Digital Hands. Such MSSPs typically focus on delivering security services without developing their own technology. This service-only approach creates a wide range of portfolio options: ranging from providing monitoring and management of security devices and systems (e.g., intrusion detection systems and firewalls) to providing patch management services, performing security assessments and security audits, to security incident response services.
With limited or no propriety technologies, companies in this sector usually provide services by leveraging systems and technologies from security service technology providers or by managing what the customer already has purchased and installed. There are a wide range of security services being offered by pure-play MSSPs, and the combination of services can vary greatly from one provider to another.
Typical scenarios range from full outsourcing of security programs to specialized services that focus on a specific element of the enterprise's security (e.g., perimeter security, threat monitoring, data protection, regulatory compliance or incident response). Most of these providers are vendor-agnostic. Many provide on-site services as required, but may have limited regional or local coverage areas.
There is a third category of providers that sit in between the SSTPs and pure-play MSSPs. Hybrid MSSPs are large in number and often have their roots in other sectors. Telecommunications companies, managed service providers, systems integrators, VARs and others have entered the MSSP space.
Most of these providers start offering MSS by leveraging their relationships with their existing customer base, and have subsequently branched out, using MSS as an opportunity to acquire new customers for their traditional core services. Examples of hybrid MSSPs include Tata Communications, CenturyLink, IBM, Hewlett Packard Enterprise (HPE) and RackSpace.
A key challenge for many of these hybrid MSSPs is their potential lack of vendor neutrality – objectivity is increasingly critical when delivering proficient MSSs while maintaining the status of 'trusted advisor.' Vendor neutrality is a key element for many enterprises looking for a level of objectivity that leads to the best combination of services and technologies.
Challenges and opportunities
While the three kinds of MSSP described above illustrate the diversity of the provider market, their approach and business models mean that the level of management of the security services they provide varies greatly. One challenge for the sector is the continuing consolidation in the MSS space that is reducing the number of pure-play providers.
Recent acquisitions such as Coresec by SecureLink, Solutionary by NTT, Integrity-Paahi Solutions by Deloitte and Trustwave by SingTel are just a few examples of the ongoing consolidation. Those providers that remain tend to be more industry- or geography-specific.
At the same time, we are seeing more partnerships between MSSPs to provide services outside of their core specialties in order to offer more complete services. Examples of such partnerships include those between Covenant and HUB International, Solutionary and eCop, and Glasswall and ZeroDayLab.
Elsewhere, Hybrid MSSP and SSTPs not only offer their own MSS, but often have channel programs to allow other MSSPs to leverage their platforms for service delivery (e.g., Carbon Black, AlienVault, Cylance and SecureWorks). These partnerships and programs can empower MSSPs that may have limited resources or expertise to deliver services they otherwise could not provide. Arguably, this can make it difficult to evaluate the true capabilities of each MSSP; however, if the partnership provides a well-articulated, transparent offering to the customer, the identity of the provider should matter less than the delivery capabilities.
Given the consolidation, partnerships and programmatic relationships between many of the MSSPs, what are the opportunities for customers and vendors, and where could the market be headed? Reflecting on the development of the traditional hosting market, for example, provides some clues.
Consolidation has led to portfolio enhancements and geographic footprint expansion. Partnerships have led to best-of-breed offerings that address vertical-specific requirements. Formal partner programs have provided an on-ramp for regional MSPs to work with technology vendors to deliver a wider choice of locally sourced offerings. While such outcomes are not always guaranteed, those that are successful help increase innovation and adaptation in a crowded market.
Rory Duncan is the Research Director for 451 Research's Managed Services & Hosting channel. His research focuses on the global managed services and hosting market, where he tracks IT managed service providers, web and applications hosting firms and content delivery network providers. His coverage includes services, the IT distribution channel, market sizing, M&A activity, and factors that affect the business strategies of these companies.
Senior Analyst Aaron Sherrill covers the Managed Services sector, which includes disaster recovery and security services. Aaron joined 451 Research after serving as Vice President and Chief Technology Officer for two of the largest Managed Service Providers in the market. He was instrumental in developing and growing the MSP business, driving the technical strategy for the companies, developing and leading information security programs, and bringing new managed cloud and service options to the marketplace.
Keith Dawson is a principal analyst in 451 Research's Customer Experience & Commerce practice, primarily covering marketing technology. Keith has been covering the intersection of communications and enterprise software for 25 years, mainly looking at how to influence and optimize the customer experience.