Originally published in July 2019: The digital transformation sparked by the creation of the internet has yielded new technological opportunities in faster, better and more innovative ways—and this transformation continues to have a profound impact on both large and small companies today.
These changes can be earmarked by new technologies, and how (or whether) they are adopted and leveraged by disruptive newcomers. Here, disruption often happens in the last mile of the customer experience; in the managed service provider (MSP) world, that means this disruption occurs within service delivery actions which are highly visible to the end customer.
The current MSP market began to truly evolve 20 years ago. Early on, there was a high degree of hardware centricity, where MSPs procured hardware on behalf of their small and medium-sized business (SMB) customers. MSPs then provided the installation, maintenance and support services for that hardware.
With new tools emerging to remotely monitor IT environments, the concept of managed services began to take shape. MSPs slowly transitioned their traditional break-fix and fee-for-service business models into monthly recurring revenue models.
Leveraging remote aspects of service delivery significantly increased MSPs’ capacity to support more devices and, therefore, more clients. This generated more revenue, which in aggregate increased the value of those companies.
When cloud-based services came into play around 2010, there were concerns that the cloud would dramatically simplify IT—causing the corporate customer to go buy IT services directly from the cloud providers. However, the reality was that cloud-based services made IT more complicated, and only came to represent a relatively small portion of the overall IT infrastructure in these environments.
Additionally, there has typically been little attention paid to SMB cybersecurity, making those companies prime targets for cybercriminals. Because of the growing complexity of small business technology environments, being able to meet the security needs of these increasingly technological organizations has quickly risen to be a top MSP priority.
How digitization disrupts traditional markets
Consider the following businesses:
The world’s most valuable retailer holds no inventory: that’s Alibaba.
The largest accommodations provider has no real estate: that’s Airbnb.
The world’s largest movie house owns no cinemas: that’s Netflix.
The fastest growing banks don’t have any actual money: that’s Cryptocurrency.
The world’s most popular media owner creates no content: that’s Facebook.
The world’s largest taxi company owns no vehicles: that’s Uber.
And the list goes on and on. Let’s look at this last example and see what the effects are to the traditional businesses this disruption disintermediates.
The cost of owning a taxi medallion in NYC peaked around 2013 at over $1.3 million. But between 2014 and 2015, New York City’s non-corporate medallion price dropped 45%, all due to Uber and Lyft. These digital disruptors have driven medallion prices down to as low as $160,000 with the last such sale in June of 2018.
So how is it possible that a traditional MSP that started its business 20 years ago—and still depends on readily available local skills—continues to build out its capabilities with a non-existent labor force? How can that MSP compete against those leveraging the digital disruption of AI-driven automation? How can it compete against outsourcing low-level work to low-cost geographies like India and Manila? It’s simply not possible. MSPs cannot afford to be the unsuspecting taxi medallion owner.
SMBs, like all businesses, have become further dependent on their IT infrastructure for critical business applications. This is as true for internal communication and collaboration amongst employees as it is for those outside the firewall (trading partners, customers and others for reservations, financial transactions, and more).
There is now a hyper-connected community of businesses and customers. From a security standpoint, this is an ideal opportunity for cybercriminals. At first, little attention was given to securing those environments because the SMB had never been thought of as a prime or likely target for cybercrime—until now.
Addressing the skills gap challenge
Not only are SMBs increasing their dependency on IT, but there is an accelerating decline in skilled labor due to Baby Boomers retiring (millennials now represent the biggest demographic in the workforce). This is one of the largest challenges facing the modern workplace.
Millennials are the first generation born into the cloud and are well-oriented tech consumers. They are not accustomed to traditional corporate infrastructure, which includes antiquated user interfaces, siloed applications and business functions, and disparate data sources.
This tech-savvy workforce is putting additional stress on traditional IT environments, and at the same time is far less likely to want to fill the IT tech jobs that were favored by the previous generation. This skills gap is creating more stress for workplace IT—and is pushing large companies to outsource their IT to MSPs.
These MSPs, however, are facing the same skills gap challenges. The commoditization of hardware and some essential applications moving to the cloud (e.g. Exchange servers swapped out for Office 365®), have led to declines in profit margins. Now, MSPs themselves must also attract, hire and retain quality talent at an affordable price and in their local market.
Thomas Friedman explains the challenge in his New York Times best-selling book, “The World is Flat.” Friedman articulates how the large enterprise environment outsourced software development to low-cost centers that had extraordinarily talented and well-trained engineering labor pools, principally in India. Certain companies that dominate our corporate world today (Google, Facebook, Amazon) took advantage of this outsourcing model.
The current SMB market is experiencing a similar dynamic, with a massive labor shortage of skilled technical talent, particularly in the area of security skills. The only way to effectively deliver these services is to tap into these highly skilled, low-cost regions of the world. If you can remotely monitor a system across the street, why can’t you monitor and manage it from across the globe? Most of the activity taking place in the systems is machine-level interaction, and does not require human-to-human communication, which means that language barriers are no longer…well, barriers.
Ideally, the goal is to automate as many of these activities as possible. What can’t be automated can be addressed by deploying these highly skilled and talented technicians in low-cost
The modern MSP takes full advantage of these dynamics and redeploys its talent and skills toward high-value, customer-facing activities that an SMB owner is happy to pay a premium for. In turn, the MSP can continue to pay appropriate wages for those individuals and keep the work interesting enough to keep them engaged.
Failing businesses often find themselves having put their best resources on their biggest problems. Comparatively, successful businesses put their best resources on their biggest opportunities. That means you cannot put the technically skilled labor in your organization on low-level network operations center (NOC) and help desk work. That creates high turnover, poor customer service and asymmetrical business models.
Instead, you need to redeploy your best people away from that lower-level work and onto high-impact customer-facing opportunities—such as re-platforming, three-year IT strategies, cloud deployments and security strategies. This requires a combination of automation and the leveraging of a lower-cost but still highly skilled workforce; in other words, outsourcing.
Security as a catalyst for transformation
Ransomware, phishing attacks and other social engineering vectors have become increasingly common today. While larger enterprises used to be almost exclusively in the crosshairs for cybercriminals, hackers have now set their sights on the undefended and highly vulnerable SMB market in the US—a cohort containing more than 6 million corporate targets and nearly 50 million unsuspecting individuals. Given the lack of attention typically paid to SMB cybersecurity, these companies have generally made for easy marks.
The number of successful ransomware attacks (and subsequent payments) is staggering, and the effects of such malicious efforts can be crippling. In economic terms, cybercrime now outweighs the sum of all other forms of organized crime in the world—including money laundering, gambling, prostitution, drug trades and extortion. And because SMBs aren’t in the spotlight in the same way that major brand names or enterprises are, the space is a valuable, target-rich environment that is relatively easy to exploit.
The MSP often is flat-footed in addressing these needs because suitable security solutions that are engineered for the SMB market are lagging. Furthermore, skill- and labor-strapped MSPs find it impossible to compete for security-certified and properly trained professionals to work in SMB environments. There is heavy competition from high-paying, large enterprise employers who are faced with a similar challenge.
This exacerbated dynamic creates a conundrum for MSPs, which will be held responsible in the event of an attack. These organizations are required to inform their customers of the risks, regardless of the MSP’s inability to actually address those risks.
A recent research report had 93% of SMBs declaring they would consider moving from their current provider to a new one if they were offered the “right” cybersecurity solution, even if the SMB was not planning to change otherwise.
SMBs were also willing to pay up to 25% more for a new MSP that has the right security solution, or willing to pay that much more to their existing MSP if it brought such a solution forward.
The survey also revealed that SMBs are planning to invest more in cybersecurity in the next 12 months. Despite this, MSPs are still reluctant to bring these issues to their customers’ attention since most of them are woefully incapable of addressing their customers’ security needs in the first place.
SMBs reported they were more inclined to terminate their existing MSP for a new one that brings the right solution forward. It is also estimated that MSPs will be replaced more in the next two years compared to the rate over the past two decades. This further shows the enormous opportunity and demand for MSPs that can bring effective security solutions to the market.
Can you leap over the skills gap with BDR, RMM?
Addressing the skills gap and capitalizing on security dynamics are critical components in the anatomy of a modern and successful MSP. Backup and disaster recovery (BDR) companies, for instance, have tried to reposition themselves as being in the “data protection” business.
However, calling a BDR a data protection device is like calling a sprinkler system a fire prevention device. A sprinkler only goes off after a fire has already started. In the same way, by the time you recover your backups, a breach has already affected your network; the damage is done. And when you factor in the possibility of sleeper bots, without the ability to immediately detect a potential issue, BDRs are constantly preserving malware and other malicious software as part of those backups.
The best-case scenario for BDR as a data protection device lies in the gap between the breach detection and remediation—where the most current, unaffected backup determines the amount of productivity lost by the customer. As malicious infiltration improves and stays undetected longer, this gap will worsen. While it is still an important part of a more comprehensive security solution, using a BDR for this purpose alone is an inadequate approach to security and data protection.
Remote monitoring and management (RMM) is another example where we see the real-world consequences of this skills gap. Vendors are marketing their ability to automate the RMM of IT infrastructures, claiming to leverage scripting and other methods of automation. While this is a clever marketing approach (and may provide some level of increased productivity), the scripts are narrowly developed based on the sole experience of a particular technician or group of them in a specific MSP. This limits the set of environments and scripts developed for them to the number of sites and devices that that MSP has under contract.
While this may be helpful, it is a rather narrow and limited way of developing true automation that can operate effectively at scale. And while it may increase the number of devices that can be managed by an MSP’s technician, it is still dependent on the MSP attracting, hiring and retaining the right set of skilled workers for long periods of time within that organization.
Cyber insurance is not all it’s cracked up to be
In the traditional world of managed services, MSPs are enough in control that they can be held responsible for IT performance. Because there are only nuisance factors and no existential threats in doing so, there is little assumed risk. Security is the first category where there is a shared responsibility as social engineering through employee phishing is the most prevalent access point.
MSPs need to inform their customers of this, then provide end-user training and hold the company and its employees accountable by running phishing tests after the fact. However, end-user training is just one element of a more comprehensive security offering.
MSPs that lack a comprehensive security offering resort to buying some combination of cybersecurity and liability insurance, then recommend the same for their customers. This is a very risky and unwise idea for a variety of reasons.
First, cybersecurity insurance is a nascent field with limited experience on coverage recovery. MSPs and businesses don’t fully understand the coverage requirements; and after a breach, the insured often discover that they did not truly qualify because they didn’t meet certain preventative and response requirements for proper coverage.
Additionally, the rules and regulations around coverage are complicated and unclear, with a level of subjectivity reserved by the insurance providers. Claims are not always paid, given the lack of precedent or claim history. Insurance policies appear to be inexpensive on the surface, but when a breach is not covered, the true cost becomes a completely different matter. This is a battle that the insurance companies are winning.
Even if a claim is fully covered, the best-case scenario is one where a business loss is recovered through financial restitution. Essentially, if you had fire insurance for your home and your home burned to the ground, your claim would be equal to the value of the home—but your home would be lost.
In the same way, an SMB may get some financial restitution for a data breach and the subsequent data loss, but that doesn’t ensure the business’ reputation—or its actual well-being and continuation—will remain intact.
More companies today are simply shutting down in the wake of an attack, even though they had cyber insurance. That is not a win. Cyber insurance alone is not enough, as it too requires the addition of the right technology, skills and employee training for a truly comprehensive security solution.
What comes next?
Modern MSPs must automate and orchestrate a comprehensive and complete approach to business intelligence data from hundreds of thousands, if not millions, of endpoints. In addition to consolidating the alerts generated from these environments, systems must capture the remediation steps taken so they can improve upon security conditions. This enables true AI, facilitated by a high volume of business intelligence.
Size, scale and brand matter when it comes to buying IT—after all, it’s typically a confidence buy. If you’re an SMB owner, you want to have confidence that the hired IT company is capable, competent and is going to be there when you need them. The company must make sure you’re running on the most current security versions, ensuring your network stays secure. A cybersecurity issue is now an existential threat to your business.
That is where trust comes into play. When you make a purchase decision for IT services, you need to trust that they have the right security solution, the right insurance, the right employees and the right technology. As the old saying went “no one ever got fired for buying IBM.” Brand matters. This is a huge trust factor—confidence alone is not enough.
MSPs need NOC, security operations center (SOC) and help desk operations to immediately oversee alerts and actions taken for full remediation. Alerts are received and analyzed, with remediation steps curated into automated actions that are taken when the alert condition is repeated; this is true automation that MSPs need in an ever-evolving cyberattack landscape.
Having the right partner will ensure that MSPs can gain system adherence in a unified way, doing so quickly and inexpensively. This also empowers those MSPs to stay competitive and profitable with their service delivery. Technical MSP organizations also need to be empowered with the right level of control over the environment orchestration and remediation methods they employ.
MSPs should have complete control over the executable elements of automation, and be able to tie together the orchestration of the critical aspects of service delivery. That includes security where the earliest anomaly detection lets the MSP engage with a SOC technician who can determine whether it is malicious activity.
For example, if it’s malicious, the platform can automatically trigger other events across the RMM agent. This includes actions like disabling a user account that was opened, initiating a backup for everything else on the system, and notifying a help desk agent who will call the end-user to keep them informed. This can all happen automatically and instantaneously—but at the MSP technical team’s discretion and under their direct control on a site-by-site basis.
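The following sketch is an added example, not code from Continuum or any RMM product. It models the flow described above: remediation steps curated from a technician's response are replayed when the same alert condition repeats, but only the actions a site's policy allows run unattended. The action names, site ids and alert signature are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass, field

# Hypothetical action names and site ids, constructed for this example;
# no real RMM or SOC product API is modelled.
KNOWN_ACTIONS = {"disable_account", "start_backup", "notify_help_desk"}


@dataclass
class Orchestrator:
    # site id -> actions the MSP's technical team lets run unattended there
    site_policy: dict
    # alert signature -> remediation steps curated from a technician's response
    playbooks: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def curate(self, signature, steps):
        """Store the steps a SOC technician took for a confirmed-malicious alert."""
        unknown = [s for s in steps if s not in KNOWN_ACTIONS]
        if unknown:
            raise ValueError(f"unknown actions: {unknown}")
        self.playbooks[signature] = list(steps)

    def handle(self, site, signature, malicious):
        """Return (executed, pending) for one alert; pending needs a human."""
        if not malicious:
            self.audit_log.append((site, signature, "closed_benign"))
            return [], []
        steps = self.playbooks.get(signature)
        if steps is None:
            # First occurrence: nothing curated yet, so a technician must act.
            self.audit_log.append((site, signature, "escalated"))
            return [], ["soc_triage"]
        allowed = self.site_policy.get(site, set())  # unknown site: nothing automatic
        executed = [s for s in steps if s in allowed]
        pending = [s for s in steps if s not in allowed]
        for s in executed:
            self.audit_log.append((site, signature, f"auto:{s}"))
        for s in pending:
            self.audit_log.append((site, signature, f"needs_approval:{s}"))
        return executed, pending


def demo():
    orch = Orchestrator(site_policy={
        "site-a": set(KNOWN_ACTIONS),          # full automation approved
        "site-b": {"notify_help_desk"},        # containment needs approval
    })
    sig = "suspicious-new-account"             # constructed alert signature
    first = orch.handle("site-a", sig, malicious=True)
    orch.curate(sig, ["disable_account", "start_backup", "notify_help_desk"])
    return first, orch.handle("site-a", sig, True), orch.handle("site-b", sig, True), orch


if __name__ == "__main__":
    for result in demo()[:3]:
        print(result)
```

A site missing from the policy map gets no unattended actions, so onboarding a new customer never enables account lockouts by default.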
There are no simple, silver bullets that can solve the cybersecurity challenge (or capitalize on the opportunity it presents). When MSPs can find the right company with which to partner—one with the size, technology and experience necessary to keep networks and data secure—they are taking a crucial step toward creating a comprehensive and long-lasting security solution.
MSPs that are still taking a traditional (if not antiquated) approach to security are operating under an already failed modality. They may not realize their current method is a failing one—or worse, they may be failing already and not know it.
The NYC taxi drivers were also operating in an old modality, and they were unwilling to recognize that. You will not be successful if you are unwilling to acknowledge that a change has already occurred. MSPs are not moving quickly enough, and in some cases, are standing completely still.
To capitalize on the opportunities that these market dynamics have created, you must be vigilant in addressing the skills gap challenge, implementing the right technologies, regularly training employees in security best practices, and recognizing that keeping your business secure is a never-ending, always-evolving undertaking.
MSPs that can rise to meet these challenges—by refocusing their own disciplines and leveraging strategic partnerships—will position themselves to win out over those that can’t. And in an increasingly competitive managed services landscape, we’re already seeing a separation between the winners and losers.
So when your clients come to you asking if they are truly protected, which side of the equation will you be on? Will you be the NYC taxi driver clenching an outdated and worthless medallion, or will you be the forward-thinking practitioner who’s prepared to embrace a new model of advanced service delivery and cybersecurity? The choice is yours.
Continuum is the proactive platform for what’s next. With technologies and integrated services spanning security to backup to monitoring, the Continuum platform anticipates and tackles MSPs’ next challenges—enabling them to grow with confidence.