Planning for 2021: Cybersecurity Challenges and Opportunities
What’s next for MSPs, SMBs and cybersecurity after a year that changed everything? I recently chatted with a few friends in the cybersecurity space regarding the current state of cybersecurity as well as what MSPs should expect for the remainder of the year and going into 2021; we’ll loosely call it ‘cybersecurity predictions for 2021.’
The idea of making predictions after 2020 may seem a bit silly, but that doesn’t mean we can’t theorize what might happen and have a (flexible) plan in place. So, with that in mind, here are some of our thoughts on where things are headed in terms of cybersecurity while acknowledging that no one knows for certain what the future holds. If we learned anything this past year it’s that anything (read: COVID, Tiger King, murder hornets) can happen.
Cybersecurity Labor Shortage
No surprise here. Often, as MSPs start to add cybersecurity to their services mix, they use their existing network technicians to do the security work—technicians who typically have little to no security expertise or education. You may have a technician you invest in and have a career plan for, but the security job market is ripe with opportunity, making it really hard to maintain and keep cybersecurity talent. The cybersecurity workforce shortage is just over 4 million due to a global hiring surge, and it is estimated that the cybersecurity workforce needs to grow by 145%.
Matt Lee, Iconic IT’s Director of Technology and Security, recently completed his CISSP certification and within minutes of posting about it on LinkedIn he had almost 7,000 views, 200 likes, a hundred comments and three job offers.
Attracting and Retaining Cybersecurity Talent
We’re starting to see MSPs say, “I am going to commit, for the first time, to getting one FTE on board to build and maintain our security practice both internally and externally.”
The conversation around attracting and retaining talent is going to be critical in 2021. I asked a group of MSPs recently how many of them had full-time engineers dedicated to security. A quarter of them raised their hands. And then I asked, ‘How long do you plan to keep them?’ And they just buried their heads. They went on to explain that their cybersecurity talent is getting headhunted almost daily; that’s a problem, because bigger enterprise companies can afford to pay them more than an MSP ever would.
So, how do you retain that talent? MSPs will have to get creative and remember it’s not all about salary.
Perch Security takes a unique approach and allows its team to research some really cool things. Incentives can also go a long way. Wes Spencer, CISO at Perch Security, shared that a $200 GPU incentive really made an impact on one of their engineers.
And don’t forget to offer training opportunities. There’s the age-old question: What if I train them and they leave?
But what if you don’t train them and they stay? There are a lot of free training options out there that you and your team can take advantage of (insert shameless plug for IT Nation Certify Trainings). I will say I strongly believe that you get more value out of growing people internally, in some cases. People that grow up through the organization have a tendency to want to stay with you. Yes, some will leave, but so will the ones who are brought in already talented today. They’re likely also looking for the next big opportunity elsewhere.
It’s also worth mentioning that, beyond training for your technical security resources, you can also train your staff to have a business conversation about security and further the actual outcome of your MSP.
Evolving Industry Skill Set
There’s a shifting talent pool in general, not just in cybersecurity. Five years ago it was all about servers; bolting it together. In the next few years, it’s going to be about tying cloud services together. It’s going to be about working with the modulus platforms. It’s going to be talking about security as it relates to business risk. So we’re going to be hiring different people as MSPs, or training different skill sets for the ones we already have, where we have a base layer of knowledge to even get into the security industry. So, we may even see people that have basic security knowledge or capabilities start getting headhunted to be groomed into these positions. I think we’re going to see this interesting ebb and flow of what an MSP hires all the time.
Cost of Do-It-Yourself Cybersecurity
The cost of do-it-yourself cybersecurity is also a huge expense that MSPs have to consider. Wes Spencer, CISO at Perch Security, shared that it takes thirteen to fourteen analysts just to have 24/7 coverage on all shifts for a Security Operations Center (SOC). Some sources state it takes a minimum of ten to twelve analysts. So, let’s do the math. The average entry-level analyst salary, depending on where you live, is anywhere from $70,000 to possibly the low $120,000s. Multiply that by 10 to 14 analysts and you’re looking at $700,000, on the low end, to $1,680,000 at the high end.
Find Your Niche: What Do You Want to Deliver?
There are so many areas of security. As an MSP, it really comes down to establishing your focus, putting a plan in place to bring in the necessary people and growing their skill sets if needed.
We recently did some research on the state of SMB cybersecurity in conjunction with Vanson Bourne that surveyed 700 small businesses. One of the critical numbers we’ve now seen two years in a row is that 91% of the SMBs surveyed would change to an MSP or start using an MSP to get the ‘right’ cybersecurity.
Have the Security Talk
The reality is that any MSP can deliver the technology. That’s not the hard part. It’s the conversation that matters. You need to have the security talk with your clients. It’s just like having the talk about the birds and the bees with your kid(s), or maybe a first date with the girl you’ll eventually marry. It’s awkward at first.
I’ve talked to a lot of MSPs that say, “I tried; the client didn’t get it. They didn’t want to pay for it, and they don’t understand it.” If it didn’t go well the first time, try again. It takes practice; using analogies helps. As technical people, we want to drop the whole 500-page assessment on their desk that shows all these glaring issues that need to be fixed – that won’t work.
I’ll leave you with this analogy that Wes Spencer shared. When you go to a really nice restaurant and you’re feeling like having dessert, you don’t ask for the full list of ingredients. You pick a dessert by how it looks and the way you think it’s going to taste. In the same way, we have to learn how to describe the security program as a whole, without trying to go so in-depth into the ingredients that we lose the client.
If you’re hungry for more (pun intended) from our 2021 cybersecurity predictions webinar, check out the recording. Stay safe, healthy and secure!