Managed service provider rollups have bolstered their cybersecurity capabilities and pushed upmarket in the last six years, fueled in part by a wave of private equity investors. The movement is driving pure-play managed security service providers to expand into IT.
“MSSPs are definitely trying to partner with MSPs in order to stave off a larger MSP building the full stack,” said Scott Steele, COO of Thrive, a managed IT service provider that has pushed into the midmarket with a rounded portfolio of IT, security and AI services.
MSPs have moved en masse toward cybersecurity over the last decade. MSP-specific cyber tools have proliferated, and customers increasingly group security and IT under the same umbrella.
“If I'm in an all-eggs-in-one basket kind of company, I don’t want somebody managing my computer and somebody managing my security,” Ntiva Director of Product Management Ted Brown said.
MSSPs are now having the same problem as MSPs. Cost is a major factor in the competition. Security-capable MSPs are bundling cyber and IT at a winning price. Executives say some MSSPs will have no choice but to acquire an MSP to help with customer acquisition.
“If I’m an MSP that's rising in the market, and I'm an MSSP that's maybe struggling to get new business, I can see those two joining up to being an MSP that sells MSSP services and joining that fashion,” Brown said.
The merger targets aren't your average MSP.
Many MSPs are still running security through a partner, despite reporting security revenue. The outsourcing partners include Crowdstrike, Sophos and OpenText.
Steele said this outsourcing model helps MSPs meet customer needs, but with limited scalability.
“It’s very hard for them to take that offer and then make it integrated in the whole ecosystem of what they deliver,” Steele said.
Bringing security in-house is one factor; actually moving upmarket is another. MSSPs by and large focus on larger customers than the typical MSP client, according to Abe Garver, MSP team managing director at Focus Investment Banking.
“MSSPs are really endpoint-focused, and the most efficient, effective MSSPs happen when your customer base is a middle-sized business or enterprise business, and you can deploy protection to tons and tons of devices,” Garver said. “An MSP focused on the S of SMB is not really a good fit or match.”
MSSPs also likely couldn’t afford to buy an MSP rollup platform.
“Thrive last year had $100 million of EBITDA. You'd have to have an incredibly large private equity group backing the MSSP to start going after the big whales in the business,” said Garver, whose firm advised companies that sold to Thrive and Ntiva.
There are some needles in the haystack for acquisition targets if an MSSP looks at a smaller service provider. Garver pointed to Buchanan Technologies, a midmarket-focused MSP with a security practice.
According to Garver, MSSPs first and foremost need to be thinking about how to find new customers. In some cases, buying an MSP would help. Cybersheath, for example, built an MSP for a land-and-expand approach. The firm uses managed security and CMMC as the tip of the spear and cross-sells managed IT into existing accounts.
“The bigger, most important question to ask is, will it help us get new customers?” Garver said. “And if you answer yes to that, then the capital markets will listen and work around you to make it happen.”
