Managed service providers (MSPs) operate in a challenging and competitive marketplace. Small and medium-sized business (SMB) customers increasingly view as commodities the core IT infrastructure support services MSPs have long provided. At the same time, competitors are growing larger and more sophisticated as industry consolidation continues.  Private equity investments have created more than 80 MSP platforms that are aggressively pursuing add-on acquisition opportunities. FOCUS Investment Banking has been an active participant in the consolidation closing MSP transactions with 34 parties in North America over the last 24 months.

Against this backdrop, the security requirements of MSP customers have undeniably expanded. According to Vanson Bourne research commissioned by ConnectWise, 32% of SMBs surveyed had experienced a cyberattack in the last 12 months, up from 25% the prior year. While these attacks may not grab headlines like those on Colonial Pipeline and JBS Meat Packing, they can be devastating to a small business in terms of the costs of remediation and recovery, not to mention reputational damage. Notably, the research also indicated that 82% of SMBs impacted by a cyberattack lay at least some of the blame on their MSP with 68% responding that they would pursue legal action against their IT service provider.

Developing a robust managed security offering is a natural way for an MSP to respond to these challenges.  In addition to being a differentiator and one-stop shop for both support and security in the eyes of customers and prospective clients alike, tapping into the managed security market provides access to new, fast-growing revenue streams.  The MSSP market is forecasted to grow at more than 11% per year according to Research and Markets, while industry leaders are estimated to grow by 16% according to MSSP Alert’s Top 250 MSSPs research.

While the benefits of adding a managed security offering are clear and seem like an obvious service extension for an MSP, the reality is more complex and potentially risky for organizations that haven’t historically been security focused.

Most MSPs already provide a baseline level of cybersecurity services, such as patch management, antivirus, and firewalls, but they often don’t offer the comprehensive set of managed security services that MSSPs deliver.  To quote MSSP Alert’s Joe Panettieri, most MSPs are in the “shallow end” of the pool when it comes to cybersecurity.

What should be included in a managed security offering?  A robust managed security offering typically includes

  • 24/7 security monitoring with SIEM (security information and event management), MDR (managed detection and response) or similar tools
  • identity and access management
  • threat and vulnerability management
  • security awareness training
  • penetration testing

Depending on the MSP or MSSP’s customer base, industry-specific compliance solutions (e.g., CMMC/NIST SP 800-171, HIPAA, and GDPR) that readily map managed security services back to regulatory requirements may also be part of the solution.

While it’s possible to organically develop the capabilities necessary to deliver managed security services, the transition from traditional MSP to full-fledged MSSP is neither quick nor easy and requires changes to almost every facet of an organization’s operations.

As a starting point, new security-focused capabilities and offerings must be developed. This requires hiring experienced cybersecurity talent that is expensive and in short supply in the current labor market, then putting them in a position to drive both strategic and day-to-day operational change. Similarly, sales and marketing, customer support, and hiring and training practices must be retooled to focus on cybersecurity.

In other words, the company’s cultural mindset must be directed towards cybersecurity to be a successful managed security provider. An extensive organizational shift of this scale takes time and significant investment and is frankly too much for most traditional MSPs to undertake organically.

For MSPs that want to own the MSSP capability given its mission-critical nature, M&A can accelerate the development of internal capabilities and dramatically enhance speed to market with managed security offerings. At our practice at FOCUS, we are seeing growing interest in this approach from both existing MSP platforms that need to enhance their cybersecurity capabilities and from private equity investors looking to create managed security-focused platforms.

Data from the broader market also bear out this trend. Through the end of 2021, MSSP Alert has reported on 85 managed security transactions, including acquisitions completed by well-known MSP platforms such as Logically and Evergreen Services Group. At FOCUS we expect another busy year of deal making in 2022 that is on pace with 2021, as the drivers of cybersecurity demand are not going away.

If you want to enhance your standing as a bona fide managed security provider, M&A can provide an accelerated path to reaching your goal. To learn more about how M&A can help you achieve your business goals, contact me at [email protected].


This post can also be found on N-Able’s website at:  https://www.n-able.com/blog/accelerating-the-path-to-managed-cybersecurity-with-ma

April Taylor, a FOCUS Managing Director, has more than 20 years of consulting, management, and M&A advisory experience. Since joining FOCUS in 2010, Ms. Taylor has worked on numerous transactions involving businesses in the business services, human capital management, and technology and software fields.