The cybersecurity talent shortage will continue to grow — with an estimated 3.5 million openings by 2021. If that were a city, it would be the third-largest in the U.S. after New York and Los Angeles.
In conversations with cybersecurity providers of all sizes, it is easy to understand why these businesses are so important. Consider the challenges inherent in corporate cybersecurity:
- Vulnerability management. Enterprise networks are ever-changing, and understanding how systems are vulnerable can quickly become a manpower-intensive task.
- Firewall/SIEM. We are hearing from multiple vendors that these products are sold only to have customers re-engage months later asking for managed services.
- Governance and compliance. The management of the cybersecurity program itself is also a task that quickly grows in scope. Firms that engage in B2B relationships are getting increased requests for compliance checks from their customers.
- Demands by the board. If the enterprise (or even another firm in the industry vertical) gets breached, the board may take notice. This often leads to an external assessment and a long list of tasks that have to be implemented.
The continual increase in cybercrime, along with the notoriety gained by such incidents, leads to adoption of cybersecurity technologies, which then leads to personnel requirements. Cybersecurity providers such as Managed Security Service Providers (MSSPs), Managed Detection and Response providers (MDRs), and other types of services (e.g. penetration testing, risk assessment, etc.) offer a scalable way to fill the gap.
However, the market for managed security solutions is relatively small. For example, Microsoft has 50,000 SMB customers alone for Office365. Meanwhile, SecureWorks, one of the largest MSSPs, claims fewer than 5,000 clients on its website. We regularly chat with many MSSPs and other service providers, ranging from the top global providers to firms with under 20 employees. Strong regional players have 100–500 customers while a few global players approach 10,000 customers. But no one is approaching the level of traditional IT providers like Oracle, IBM, and Microsoft.
So, in other words, there is a labor crisis in cybersecurity, and the current batch of service providers has not yet dominated the market. There are a few natural candidates that can capitalize on this opportunity:
- Managed IT Service Providers (MSPs). They likely already have a service agreement with clients seeking security services, and we have met with many MSPs that are growing this capability.
- IT VARs. We have encountered countless VARs who get requests for security services to complement recently purchased security products. Again, they also have existing agreements in place with the clients.
- Hosting providers. As companies migrate to the cloud, many view it as an opportunity to build their IT program with strong security from the ground up.
But we also know that firms rely on multiple providers and resellers to meet their unique IT requirements. This will lead to some level of competition between firms that normally offer complementary solutions (for example, a hardware VAR and an MSP providing help desk support may both end up offering overlapping security services).
Who will win a given customer? While price is always a consideration, especially in lower markets, it may ultimately not be what makes a customer select a given security service solution. Speed and differentiation will be key: who can create and mature security services, and how those services will provide a unique must-have feature.