If you crank up the Wayback Machine and load the websites of today’s biggest managed security service providers (MSSPs), you’ll get a neat reminder of a time before the huge proliferation in services that we see today. Most providers offered only a handful of services then, compared to the dozens they do now. If that sounds like progress, I’m not so sure.
In my view, the ambition of some managed service providers to be everything for everyone has watered down the overall quality of security services on the market. Not only is this bad for customers; it’s detrimental to the entire sector. Businesses that have built their reputation on delivering one particular service are now bolting on “supplementary” services that aren’t of the same high standard. I say supplementary in quotes because some firms are actually delivering new services that are in direct conflict with their original core offerings.
If you’re a client, ask yourself this. Is cyber security a simple and commoditised sector that lends itself to generalists? A business’ security needs are complex. They require help from specialists, not a jack-of-all-trades promising to solve every security challenge, then inevitably failing to deliver.
What shifted?
A common rationale from providers to explain service expansion is that joined-up services can be more efficient and lead to better outcomes for customers. Whilst this can be true, the main driver is often a commercial need to grow annual recurring revenues. From the customer side, working with fewer providers is often seen as a way to reduce complexity and avoid lengthy procurement cycles.
There are also other trends that encourage service proliferation. MSPs are branching out into security services, and so are product vendors who want to be a solution for everything. Mergers and acquisitions within the security industry are also reasons that the portfolio of services offered by providers continues to grow.
Security is not a commodity
Choosing a security partner is not like picking a Wi-Fi provider. Businesses cannot afford to treat security as a commodity. It isn’t one. Security is complex, and not all providers are experts at everything. And that’s OK. You wouldn’t ask your podiatrist to look at your back if you were serious about getting it treated, even though they are a doctor. For optimal results, you should work with experts in their field.
Service bloat is especially problematic if providers are piling more work onto the same group of people. Not only are these workers being asked to manage tasks outside their expertise, but their workload may also be too high, increasing mistakes and the likelihood of risks being overlooked.
Providers marking their own homework
Excessive workloads and lax quality of service are just the tip of the iceberg. Perhaps the single biggest problem with service bloat is the inherent conflict of interest that it creates due to competing incentives. Clients that mix their penetration testing provider with their managed detection and response (MDR) provider, for example, are placing an unhealthy and unrealistic amount of trust in their partners. It’s like selling a house and trusting a real estate agent to represent both the buyer and seller.
Take the example of a company that uses red and blue team services from the same provider. What happens when the business is compromised in a way that the red team highlighted but the blue team didn’t detect? The same is true for providers that deliver both MDR and incident response (IR). Your MDR provider’s primary job is to prevent a breach. If a major breach occurs, it represents a failure of the MDR provider’s defences. If you hire the same provider to conduct IR, they have a powerful incentive, whether consciously or subconsciously, to minimise the scope and severity of the breach and downplay their failures. They may also obscure the root cause or try to control the narrative to protect their reputation and avoid liability. In short, they are being allowed to mark their own homework.
Moving forward with specialists
I would love to see our industry move away from the trend of every MSSP wanting to be ‘everything to everyone’. An excessively broad selection of mediocre services isn’t easing the pain for security teams. Quite the opposite; it’s contributing to fatigue if these services result in more alerts than security teams can handle.
Ideally, security specialists should work independently and collectively, focused on achieving the best outcomes for their customers, not forever trying to boost their recurring revenues.
It’s for this reason that I’d encourage security teams to focus on building an ecosystem of specialist partners that can work together collaboratively.
With the right partners, security doesn’t need to be prohibitively expensive or complex. It’s about finding partners you can trust, who are experts in their field, and can work in cooperation. “Who do we already know?” is not an optimal procurement process to guarantee the best outcomes.
There are a lot of cyber security masters available today, so why opt for a jack-of-all-trades?
Andy Kays is CEO at UK security services provider Socura.