Having invested over 13 years of my life in the Managed Security Services Provider (MSSP) space, I had the privilege of gaining insight into the top InfoSec companies in the world. In my later years as a strategic solutions developer, many of my discussions with business leaders revolved around market and customer strategy and competition. My last role at my unnamed MSSP employer included developing strategic partnerships aimed at specific slices of the security industry while, as a larger MSSP, developing next-gen concepts to attract and retain our customer base.
Some of the executives defining our business objectives and goals were consuming reports from industry talkers like Gartner and growth news from competitors (both of which, in my opinion, were little more than marketing fluff), and were being told the security services industry was in the midst of a boom and would be increasing exponentially year-over-year for the foreseeable future. This led to the inevitable objectives from our excited executives:
a) Build something to put x competitor out of business to capture their market share.
b) Develop something new that shows true expertise and draws attention and customers to us.
c) Change what you do to make our services more competitive than those companies that are experiencing exponential growth.
More simply put: do something cooler than FireEye, deliver something sexier than Mandiant, do it at a price so low that all of the SecureWorks customers come flooding to us.
Those objectives I outlined are impossible for a single organization to meet as its primary objectives, hence one reason why I'm no longer with an MSSP. You can't build to compete in a commodity industry and hope that your commodity customer base will fund the development of services to attract the top customers, the ones who truly drive profit but expect non-standard and truly cutting-edge services. Here's the deal. Let's set a projected customer base that is comprised of every potential US-based company that would fall into the general buckets:
1. Commodity based or compliance driven security services (~70% of the MSS industry today)
2. Major companies with internal security practices with a niche problem they can't solve (~20%)
3. Top companies with full-fledged, advanced security programs who never will outsource (~10%)
Let me expand on those categories: the majority of the MSSP market (the 70%) are organizations who don't know or care about security, but they know they need to have some. The middle 20% are doing the best they can afford, but understand they need help from true experts to fill in the gaps. The top 10% are likely critical infrastructure, defense contractors, IT innovators, or major financial institutions who know and have experienced true security problems like no one else, have staffed and built accordingly, and don't really need services help.
The Gartner projections and the growth bragging done by MSSPs are all focused on the 70%. Having interacted with that segment of the market, my experience is that these organizations want the minimal solution at the minimal price to maintain a minimal level of compliance with some defined standard. That means your products and services MUST be extremely scaled back and dumbed down. They do not actually want to know about security problems because mitigating them costs money. They want to be compliant and ignorant. When you operate in this world, you select low-value products, highly automate and templatize your services, and hire entry-level security professionals looking to enter the industry without demanding much salary. With that combination you will be able to offer competitively priced solutions, but the tools, the automation, the low-skilled staff, and the uninterested customers will not enable you to reach into the arena of advanced threats, which you need to invest in to build the experience that will attract larger customers.
The middle 20% are the exact opposite. They have interacted with advanced threats and have come face-to-face with serious cyber challenges. They know the risks. They know enough about the adversary to be concerned, but not enough to fully act. They know the potential solutions...but can't sustain them in house and thus need help. They expect unique solutions, in-depth analysis, custom experiences, and proprietary insights into threats and threat actors. To meet the needs of the top 20-30%, you need industry-expert intelligence, visibility, technology, processes, top-notch customer service, extremely customized and white-glove-oriented services, disaster recovery, flashy presentations, showpiece facilities, blogs on emerging threats, and cash to burn on parties and special events. You need serious money to build and sustain it. You need to be willing to go deep with these customers, and you can't nickel-and-dime them to death. You have to sacrifice some profit for the sake of experience. You also need to build a bridge between your standard services and the advanced team satisfying your top-echelon customers. The problem with that model is that once your customers interact with your best services, they will be frustrated by your standard efforts.
You can't deliver anti-malware services to Lockheed Martin that augment their in-house capabilities with an IDS and a $30,000-salaried Security Analyst who follows a one-size-fits-all service template. That won't fly. You can't simply ingest commodity (and free) intelligence from open source communities and inject that into your products to generate automated alerts. Your customer base already does that. You can't deploy low-end, one-size-fits-all technology with a 10-year-old threat paradigm to protect your customer environments, because they can build something better in-house. You truly need bleeding-edge across the board. That is expensive. Really expensive. You can't just send random, standard response recommendations for every detected threat. You can't work in an isolated threat paradigm that doesn't consider the sector or business characteristics of your customers. However, to meet the growth projections of this market (the big ones), you can't afford to do anything more than highly automated, low-skilled, template-driven standard services.
The shortcut lies in close proximity to national defense. However, those partnerships and experiences are locked up by data classification and NDAs, making them marketable but almost unusable. For example, at a defense contractor I may have solved a significant security challenge for a US Government organization, but I can't take that and use it anywhere, and neither can they. Mandiant's APT1 report was old news the day it hit the press for a select group of the security industry, but those "in the know" couldn't share those details. Creating that from scratch in the commercial space requires considerable time, access to rich data in multiple environments, and top talent. This is a common problem for those near the defense circles. They want to use their government experiences as a marketing tool, and often do, but their customers don't realize that USG experience and cool intelligence can't be integrated into a standard service. I've tried...you can't. So if someone comes to you saying "our staff are all from the NSA," resist the temptation to be impressed. Nothing against the NSA, but realize that all the cool stuff they worked on there is likely isolated to DoD spheres, and the intel doesn't move with them to their new employer.
Alas, if you build to meet the needs of the top 30%, you end up building a service model that kicks you well beyond the interest level and pocketbook of the 70% of the industry in which you are hoping to grab growth and market share as your base for sustainability. You end up with a niche solution that you will struggle to sell beyond a handful of clients. The general market might love your solutions, your branding, and your intelligence, but they will walk away due to sticker price and perceived irrelevance. In my last gig, we had customers give us similar feedback, saying, "we love your solution, but can't afford it," or "you had the best technical solution, but the price was too high." Likewise, if you build for the 70%, you will never reach the data, the incidents, the technology, the intelligence, the experiences, etc. needed to meet the needs of the top 30%. In my last gig we also acquired a product vendor that had an amazing solution used in USG spheres; however, because of the way it was built, and because of the methodology with which the USG used it, it was almost useless in commercial spheres. We couldn't sell it. Sure, it sounded amazing...but it just didn't relate to the commercial marketplace.
There is also the quality-of-service issue. As Mandiant is experiencing, if you do launch at the top 10% and try to expand outside of that sphere, you will end up compromising the level of expertise and quality of the services you provide. To maintain a high perceived value, you can, like Mandiant does, limit the scope of what you do so specifically that you will always do exactly what you say you will. However, when you expand into the 70% you have to go wide, which means you need to hire new talent at a pace that will meet the needs of the extended market. As you do, you dilute your value to the point where your customers are left with a 70% service billed at a 10% cost.
As my former MSSP employer is experiencing, you also can't build to compete in the 70% market and hope to attract the 30%. Those 70% customers don't generate enough revenue, margin, or experience to enable you to invest in advancing beyond the realm of the basics.
There is a choice to be made. Go for one or the other. Most industry leaders are doing exactly that. FireEye doesn't market to the medium-business customer, and Fortinet underwhelms the advanced security customer. Therein lies a new challenge: the existing competition in a saturated market.
My Conclusion
Based on my experiences, I have come to conclude that, barring some major innovative solution that uniquely changes the way the security industry works in a manner that is compelling to a wide section of the industry, attempting to enter the security market today amounts to chasing the proverbial pot of gold at the end of the rainbow. Those Gartner projections are nothing more than a myth unless you are already well established in that sector with the capabilities to capture it. Entering this market to compete with existing solutions or products is a non-starter.
If you want to go after that growth, it needs to be with something truly paradigm changing.
Thoughts on Marketed Solutions
If you want to enter the modern cyber security industry, there is little hope unless you have something so compelling and differentiating that it significantly disrupts the existing industry OR solves a problem that no one else has. It has to be genuinely new, effective, and compelling to a wide section of the industry.
We have a live example in all the "analytics" start-ups. Of those I've interacted with, they all tell the same story, but don't actually offer solutions that are unique. They all say you can't solve modern threat problems with static correlation (they use the word signatures), but then they offer a signature-based system. They all claim SIEM is a failure because it relied on data normalization, contextual awareness, awareness of the problem (known use cases), and defined correlation rules. Then they offer a solution that normalizes data, overlays context through "data enrichment," and requires you to query the data or schedule recurring queries based on questions you want answered (we called that use case and rule development in SIEM). They don't do anything the top 30% can't do, and they price the bottom 70% out of interest. Fail.
Is cloud the next frontier? If leading provider Amazon Web Services (AWS) is any example, my answer is no. They seek to openly share and publish advice on capabilities that are emerging due to customer demand. As customers seek greater visibility, AWS develops it and makes it available to all. Those innovations that have come out are simply re-creating what we did in the traditional datacenter within the context of a new virtual datacenter. I'm not saying the two environments aren't unique, as they most certainly are, but the security innovation we're seeing in the cloud is comparatively decades-old thinking being ported to an emerging platform. We've already solved the core issues; it's now a matter of porting what we know we should be doing to that dynamic environment.
Personally, the one major area that is left relatively untouched and unspoken for (apart from the passionate folks at CrowdStrike) is active defense. I know everyone out there is afraid of going blackhat on the adversary, but to quote someone (I can't recall who it was, but it wasn't my original thought), "do we really think the bad guys will sue us in international court for taking down their illegal money theft scheme?" The last frontier, in my opinion, is the disruptive industry. If someone had the gall to actually build out a full-fledged adversary hunting and annihilation service (and I mean purely within the cyber realm), where you could be hired to identify who is targeting a customer and to silence them (again, on the Internet/cyber world), then in my opinion you've solved a unique and compelling slice of the market that should attract everyone.
Who's in?