If there’s one trend which can match the extraordinary rise of cybercrime in the last decade, it’s the way that cybersecurity defences are rapidly being turned into something which can be bought as a service. As with previous software expansions – the move to online and cloud applications, for instance – this is being driven by a mixture of technological capability, business need, and deeper changes in business models in an era of digital transformation.
For years, the dominant model was to build cybersecurity in-house as a do-it-yourself operation. This gave organisations control over technology but at a price: there was a need for constant investment as well as integration of new technology systems as these appeared. Over time, this bred complexity, which has had negative consequences down the line for cybersecurity as organisations struggle to close gaps between products from different generations.
As cyberattacks have gone from a general business risk to something that is more acute, complexity has combined with this trend to drive up costs and has led to a shortage of skills as experienced personnel have become hard to hire. It was these factors which fueled the need for cybersecurity services companies. At a stroke, this allowed whole industries to solve the problems of complexity and unpredictable cost by using a third-party supplier.
Today, the market has expanded so much that the question is less which types of cybersecurity are offered as a service than which can’t be offered in this way. So far, the answer is that anything can be turned into a service if the market will pay for it.
One recent estimate by analyst Grand View Research is that in 2020 the global market for cybersecurity services was worth almost $92 billion, which will grow at a compound annual growth rate of 10.2% to reach $193 billion by 2028. Almost three quarters of this was professional services, which includes business support, technical management services, consulting and training, and incident readiness and response services (which also covers established services such as penetration testing, forensics, red teaming, bug bounty management, and vulnerability assessment).
The remaining quarter includes managed support provided by managed security services providers (MSSPs) and more recent developments such as managed detection and response (MDR). These sectors are not always mutually exclusive, and a new sector of companies is emerging which provides both professional and managed services under one roof.
At first this seems unlikely – professional services such as training, penetration testing, and post-incident forensics would usually be thought of as distinct from managed security as a service of the sort offered by an MSSP. However, it’s also possible that demand for one is driving demand for additional services, in which case consolidating them in one provider makes complete sense.
Interestingly, cybersecurity services companies are not necessarily immune from some of the problems that caused them to boom in the first place, especially when it comes to skills. IT skills have been in short supply since at least the networking boom of the 1990s, but this is doubly so in cybersecurity where there remains a gap between qualifications and hands-on experience under real world conditions.
Organisations looking at cybersecurity services need to assess this hidden element of the sector carefully. All providers will hire staff with experience of penetration testing, training, and incident forensics. However, the skills needed in an emergency – in the event of a ransomware attack, say – will still rest on previous experience of this type of event.
A question mark hovers over how quickly managed services will grow. The crunch point here isn’t the idea of managed detection, which has been around for years, but the capabilities of incident response. Logically, the two work best when one entity looks after both sides of this part of cybersecurity defense because handover to a separate department or organization is always going to slow response.
Gartner predicts that by 2025, half of organizations will be comfortable enough to allow third-party MSSPs to handle response, cleanup, and forensics in one cycle, up from 15% today. That prediction will still depend on how much innovation service providers will be able to push into their expanding MDR platforms, which themselves are built atop a plethora of tools and cybersecurity platforms.
The first generation of cybersecurity vendors emerged from the networking industry of the 1990s while the second generation emerged as startups, some of which merged with large, former networking vendors. Cybersecurity consisted of numerous, poorly integrated niches. Perhaps the new wave of cybersecurity services will eclipse this economic model and become giants in and of themselves. If so, this sector could eventually dominate the whole cybersecurity sector as all cybersecurity becomes a service in one form or another.