First, private equity reshaped the MSP software and IT service provider markets. Now, PE is reshaping the more specialized managed security services provider (MSSP) market. The key takeaway: MSPs that are exploring cybersecurity strategies need to move faster -- while also realizing today's partners may become tomorrow's foes through M&A deals and various funding arrangements.
The latest MSSP M&A deal unfolded today -- and it's a biggie. Private equity firm Sunstone Partners acquired and merged three MSSPs -- Sword & Shield, Terra Verde and TruShield. The resulting company, called Avertium, is surely a Top 100 MSSP.
MSSP buyers and investors come from multiple backgrounds. Example deals tracked on MSSP Alert, ChannelE2E's sister site, include:
- Big Service Providers: Orange moved to acquire SecureLink in May 2019, setting the stage for a massive European MSSP business combination.
- Big Consulting Companies: Deloitte, a Top 100 MSSP, in March 2019 acquired Converging Data Australia, a cybersecurity firm that partners with AttackIQ, Carbon Black, Phantom & Splunk. KPMG, also a Top 100 MSSP, acquired Canadian cyber risk services & testing solutions firm Egyde to bolster its cybersecurity offerings in April 2018.
- Consumer Companies: ADT acquired Secure Designs Inc. (SDI), a well-known MSSP that manages SonicWall firewalls and other security equipment for small business customers. The deal surfaced in August 2018.
- MSSPs, Investors and Other Buyers: The list is too long to summarize here. For the details, check out this comprehensive list of MSSP mergers, acquisitions and investments.
MSSPs and Private Equity: Why?
At least five factors are driving the M&A activity, ChannelE2E and MSSP Alert believe:
- Talent: The cyber skills shortage is driving MSSPs to find talent through M&A.
- Threats: The growing, shifting threat landscape is inspiring M&A deals to close technology and expertise gaps.
- Speed to Market: Acquiring companies can often be a faster path into a new or evolving technology market or business region.
- Scale: Smaller MSSPs are merging to counter the scale of larger rivals.
- Slowing Growth: The traditional MSP market will experience sub-10 percent compound annual growth rates (CAGR) in the years ahead. The MSSP market, in stark contrast, is growing at an 18 percent CAGR.
What It Means for MSPs, VARs and IT Consulting Firms
ChannelE2E and MSSP Alert have consistently offered the following advice to small business MSPs: You need to offer managed security services, but that doesn't mean you need to spend recklessly or compete head-on against big, established MSSPs.
Instead, think of the managed security services market as a pool. Most MSPs will remain in the shallow end -- taking care of patch management, remote monitoring, endpoint security, business continuity and other areas that mitigate risk for customers. Full-blown MSSPs, meanwhile, swim in the deep end of the pool -- offering far more advanced cybersecurity services, and potentially building out their own SOCs along the way. The challenge: The shallow-end MSPs will need to partner up with true MSSPs or SOC as a Service providers to stay ahead of the evolving cyber threat landscape.
It's a complicated, never-ending journey to be sure. Even established MSSP market leaders such as SecureWorks have been struggling with churn. Rumor has it Dell wants to sell SecureWorks, and private equity firms have been poking around the company in recent months.
As the old cliche goes, the only constant for MSSPs will be change -- with a large dose of M&A also mixed in. MSPs and MSSPs should prepare accordingly.