In an Uncertain 2025, MSPs Should Expand Their IT Security Services: Analyst

There is a lot of economic turmoil and worry in the world right now, caused by President Trump’s constantly changing up-and-down tariffs, by large-scale DOGE-inspired government job cuts, by general economic uncertainty, and by global political and trade shifts and upheaval. It is enough to make life even harder to predict than usual for IT vendors and business leaders in general.

But working to find something positive in all of the uncertainty might be a good goal for today’s MSPs, according to Jessica C. Davis, a principal analyst for research firm Canalys, who covers MSPs. Davis was formerly the editorial director for channel brands at CyberRisk Alliance, the parent company of ChannelE2E, before joining Canalys.

In a recent post on LinkedIn, Davis wrote that “amid this policy volatility, one constant remains: cyberthreats. Cybercriminals are not waiting on the sidelines.”

Her advice to MSPs looking to keep their revenue rolling in regardless of the political and economic climate in the nation and the world is simple – “Addressing the uncertainty for 2025 could come down to investing in one of the fastest-growing markets for MSPs, cybersecurity,” she wrote.

And getting started on this road to business growth is certainly within the power of today’s savvy and well-connected MSPs, she wrote. “It has never been easier to create a cybersecurity practice at an MSP business. Top Remote Monitoring and Management (RMM) providers have added a range of cybersecurity services to what they offer MSPs, from vulnerability management and patching to Security Operations Center (SOC) as-a-service and Managed Detection and Response (MDR).” In addition, she wrote, MSP line-of-business staples like business continuity and disaster recovery have also become core offerings when it comes to cyber resilience.

Davis dove deeper into her security market advice for MSPs in a recent follow-up interview with ChannelE2E.

“One of the things I said in that post was that cybersecurity is a strong bet for 2025, that the threat actors are not going to stop exporting their threats because of tariffs,” she said. “They are going to keep going and attacking. And MSPs and small- and medium-sized businesses (SMBs) are popular targets for them because they are considered easier targets that are under the radar. It is not going to make headlines if an SMB gets attacked.”

For larger companies, there is more pressure on them not to pay off cybercriminals following attacks, said Davis, but for SMBs, they are more likely to go out of business if they have the downtime from the cyberattacks, making them more vulnerable.

In the past, smaller businesses thought they were too small to be targets of such attacks, but the landscape today has changed, said Davis. And phishing attacks, where cybercriminals target smaller companies to lure employees into trusting dangerous messages and files that open the floodgates to security issues, are also major worries today, she said.

All of these things are opportunities for MSPs, said Davis. “MSPs have added protections along those lines. There are plenty of vendors who are offering MSPs tools like phishing training, business email compromise training, all kinds of tools, along with backup and disaster recovery,” she said.

Additional Analysts Weigh In

Several other IT analysts who spoke with ChannelE2E on MSPs and potential new IT security business expansion in light of 2025’s global upheaval have varying opinions on the situation.

“The good news for MSPs savvy enough to invest in cybersecurity capabilities is that the upside, from an opportunity standpoint, is enormous,” Shelly Kramer, the founder and principal analyst with Kramer & Co., told ChannelE2E. “Our research indicates that budgets for cybersecurity and AI initiatives remain funded over just about anything else in the tech stack, and with good reason: there is no reason to expect the risk of cyber breaches to abate in the age of AI.”

And those security needs are even greater today due to those new AI security threats, she said. “Threat actors are leveraging generative AI to make their work better and to execute breaches more rapidly, so we collectively need the capabilities MSPs bring in the cyber arena now more than ever. This is true of the SMB and midmarket sectors, which deeply rely on the capabilities that MSP partners bring, augmenting their internal teams in myriad ways.”

Kramer said those broader MSP services are needed across the SMB market, “from endpoint and identity management capabilities to business resilience and continuity capabilities. It presents attractive opportunities for MSPs to lean in and capitalize.”

Another analyst, Zeus Kerravala, founder and principal analyst of ZK Research, agrees.
“For MSPs, there is still plenty of gold in those security hills,” said Kerravala. “Uncertainty is a threat actor’s dream as it creates more disruption and shifts in technology. Each of these shifts requires a security rethink, and it is at these moments that hackers can slip through the cracks and often go unnoticed for months. MSPs have a great opportunity to help customers look at their current security deployments, identify the gaps, and help customers plan for the future.”

But another analyst, Jack E. Gold, the president and principal analyst with J. Gold Associates, LLC, told ChannelE2E that he is not sure that SMBs and other companies will even want to spend more money on security during these still uncertain times.

“Security is always an issue, especially with SMBs who on average have far less expertise and resources to apply to security,” said Gold. “But many companies do not have much of a budget for security add-ons, similar to consumers who are very hesitant to pay for security services.”

The problem is that “there is no doubt that the bad guys are now heavily targeting the SMB space because they see it as less protected and easy pickings,” said Gold. “From an MSP perspective, the question is, how do you get customers to pay for the added security that high-grade security capabilities require?”

Gold said he is also concerned about serious and dangerous cracks showing up in the overall cybersecurity ecosphere due to all the government pullbacks and cutbacks that have been made under Trump’s budget-slashing moves.

“I expect overall cybersecurity to suffer, as there are many important programs that get funded by the feds that are in danger,” said Gold. “These programs can drive the knowledge of what to defend against and also share data on what the current threat environment looks like. Without this knowledge, it is harder for security companies to protect us, and that is especially true of the smaller firms that are more dependent on the government data. That also includes many of the MSPs that rely on the specialist security companies to protect the systems they resell.”

The Need for Security Will Win Out Over Such Hesitancy, Says Davis

Davis said she understands these challenges but believes that SMBs will still choose tight security over financial savings right now.

“This is a hot area,” said Davis. “The SMBs need help. This is not going to be impacted by the economy so much, or the tariffs so much. In terms of pricing, a lot of MSPs bundle the prices of these services. They offer the full stack to their customers, and they can take it or leave it.”

Other MSPs might offer cybersecurity as affordable add-on services as needed for customers, she said. “That might be shifting with the changes to the economy in the year ahead,” said Davis. “I am a big advocate of having it bundled in and requiring cybersecurity services and charging more.”

More and more vendors are broadening their cybersecurity offerings to customers, she said. This includes vendors such as Todyl, Coro, and Heimdal.

“They are all cybersecurity platform companies that are trying to be the platform for MSP security,” said Davis. “They have a whole range of cybersecurity services that they are offering MSPs and saying, ‘just go with us because you do not need to buy all these point solutions if you buy from us.’”

Cybersecurity is evolving today, she said, making it a far cry from the simple antivirus and system scanners of yesterday. “It is way more complicated than that today.”

Overall, cybersecurity is a top-three revenue driver for MSPs, according to a recent Kaseya global MSP benchmark study, said Davis. “And the RMM and Professional Services Automation (PSA) vendors too are getting in on this as well. This is the core stack for MSPs with RMM and PSA. You have Connectwise, Kaseya and N-able – all those companies have either bought or developed or a combination of those two, creating managed detection and response services for MSPs.”

A recent ConnectWise Service Leadership study also found that higher-margin MSPs with higher profitability generate a larger share of revenue from managed security services, which, she said, supports her argument that investing in security services today makes sense for MSPs.

“Increased cybersecurity [services] are really a safe bet for 2025,” said Davis. “MSPs are usually in a really good position during downturns because if companies are cutting their internal IT, they need to outsource that to someone. But who knows what is going to happen with the current economic environment.”