With cyber resilience spending on the rise, recovery specialists are looking to lure customers away from managed security services providers or forge alliances with them.
As businesses invest more in cyber recovery as part of their larger security strategy, they’re being pulled in two directions. Traditional MSSPs have a lock on threat detection, incident response and regulatory compliance, while disaster-recovery specialist firms prepare clients for an attack’s aftermath.
Organizations need both services — and may need both partners.
“MSSPs and MDR providers are excellent at 24×7 monitoring, detection and containment — but recovery is a different discipline,” Richard King, president of MSP and MSSP KeyStone Solutions, told Channel Dive. “The customers that bounce back fastest are the ones that separate detection from recovery, pairing their MSSP with a specialized cyber‑resilience partner and a clearly tested recovery playbook.”
Managed services have been the norm for businesses that outsource cybersecurity. But dividing cyber operations between more than one provider is becoming more common, according to Justin Giardina, CTO at 11:11 Systems.
The company, which provides recovery-focused infrastructure security services, is winning clients as organizations leverage multiple partners to bolster cyber defenses and beef up resilience, Giardina said.
Nearly 7 in 10 businesses outsource some or all incident recovery management, according to a recent 11:11 report that surveyed 800 IT leaders at companies of 1,000 or more people. More than half of respondents said their organization blends outsourced and in-house models.
The bulk of the clients 11:11 meets with entrust part of their cyber resilience to an MSSP. Many of the more prominent providers — Trend Micro, CrowdStrike, Arctic Wolf and Rapid7 — provide detection and response services.
“Most of those names have not only some type of technology that can help protect the customer, but also have a layer of services, whether that’s a managed security operations center service or some type of … ability to notify and potentially fix customer issues,” Giardina said. “When we work with customers, that’s the highest percentage of technology or solutions that they come to us with, and sometimes they don’t want to leave those solutions.”
Winning over clients doesn’t necessarily mean displacing an MSSP, Giardina added. Incident recovery can be layered on top of detection-focused services, strengthening an organization’s defense posture.
“When you look at these types of programs from a column-based approach or a checks-and-balances approach, usually those customers that have a security vendor … are only tackling one column of the larger comprehensive plan,” Giardina said.
The resilience gap
Maintaining recovery plans isn’t easy. Security lapses can emerge as organizations grapple with hybrid architectures, migrate applications to cloud and adopt new technologies.
“I sympathize with IT staff. They’re always asked to do more with less, and usually the first thing that falls off of high-priority items are things like recovery tests,” Giardina said.
Hubris is an issue, too. More than 4 in 5 respondents to the 11:11 survey admitted their company is overconfident in its cyber incident recovery capabilities. Nearly one-third said their organization neglects testing recovery plans annually.
Regular testing is essential, as IT infrastructure can change significantly in just three months, Giardina stressed.
Nearly all respondents — 96% — said they’re planning to invest in cyber recovery in the next year, despite various hurdles. System complexity was the most prominent issue, cited by 41% of respondents. Budget constraints and a lack of in-house expertise were other challenges cited.
Cyber insurance policy pricing has helped drive adoption of cyber recovery services, as have regulatory requirements.
“Insurer and regulator asks are more concrete,” King said. “We’re seeing requirements for immutable, off‑platform backups, privileged access hardening around backup systems and proof of periodic recovery testing show up in due diligence questionnaires and policy renewals.”
KeyStone offers virtual CISO and business continuity services. The company also conducts and documents regular backup tests for its clients.
However, KeyStone doesn’t go it alone. The company brings in disaster recovery-focused partners to provide dedicated infrastructure and isolated data environments called clean rooms when needed. Recovery partners operate under KeyStone’s runbook, which keeps KeyStone as the single point of accountability.
Partnerships that combine cyber services have gained traction as MSSPs, MSPs and cyber recovery providers work with many of the same clients.
MSPs that handle PC troubleshooting and other daily services are a route to market for 11:11, Giardina said. However, 11:11 maintains primary contact with the customers when it’s practical, even if an organization opts for a secondary provider.
“Customers aren’t really coming to us to provide that piece of the pie in the ecosystem,” Giardina said. “They’re actually coming to us to bake the whole pie for them.”
At the same time, the dream of being a single provider for many customers is aspirational, according to Giardina. The reality of a modern IT stack is complicated and dynamic.
“Your infrastructure potentially is going to look different than it did three months, six months, 12 months ago. As a managed service provider, you have to be flexible,” he said.