Cybersecurity is, by its nature, a rapidly changing field. With attackers constantly seeking to compromise systems and defenders battling to protect them, the business has to remain at the top of its game and utilise the technology available but that’s becoming increasingly difficult. As we’ve seen with the high-profile attacks against M&S and JLR, even the largest organisations can struggle to keep pace, and so many elect to use the services of a systems integrator (SI) to build and manage their security architecture for them.
SIs select and combine security solutions from multiple vendors to create a unified form of defence but many are not just deploying, integrating and managing that technology but are also monitoring and responding to incidents via a SOC, much like an MSSP. They’ve already sewn up the market when it comes to large enterprise, with three quarters of those businesses opting for one of the big five (Accenture, Deloitte, IBM, PWC and CapGemini) and predictions suggest the provision of cybersecurity services will continue to be a core revenue generator for them, resulting in CAGR of 6.8% to 2034. So, with considerable overlap now happening, how can MSSPs compete with SIs for that cyber spend?
What’s preventing them from competing effectively isn’t size - it’s the MSSP business model. MSSPs want to lock-in their clients to contracts spanning years to give them those recurring revenues and a stable client base but they’re then not prioritising improvement. During the term of that contract, be it two, three or five years, clients are no longer content to simply see services delivered against a static SLA; they want to see their security posture become more mature and resilient. And that requires service levels to flex and change.
Charging for changes
SIs understand that changes are needed to adapt to emerging threats and they charge for those. Not surprisingly, those charges are viewed as punitive, which makes the business far less likely to sanction them which equates to an increase in risk. It’s this stasis that MSSPs can exploit. If they can move away from the cookie cutter approach and provide a more tailored, adaptive service - one that doesn’t penalise the business but actively encourages change - they can sell their services based on the concept of continuous improvement.
If the business were to manage its own SOC solely inhouse, these changes would occur naturally. There’s a constant cycle of improvement that any business moves through as it learns and refines, and it’s this kind of service that the MSSP should look to emulate. By incorporating these changes into a continuous service improvement program that runs in parallel to the day-to-day machinations of the managed service, the MSSP can then differentiate and secure recurring custom.
So what might this look like in practice? Today MSSPs focus on three phases: onboarding, transformation and improvement but they don’t go deep enough.
Onboarding, for instance, should not just focus on technology onboarding and SOC integration but should be preceded by deployment planning workshops that identify the how best to tailor the service. Transformation is about more than tuning the tooling, as it presents the opportunity to identify options for advanced playbook automations and extending detection, use cases rules and alerting.
But its Improvement where the real value can be added, by analysing the SOC telemetry datathe MSSP can do more than identify gaps and weaknesses such as exploring technical roadmaps and service enhancements to drive down the security risk profile. By also accommodating the security strategy of the customer and their goals, the MSSP can then package up a continuous development plan that is engineered to the customer’s needs.
Demonstrating improvement
Things also become more interesting if the reports the MSSP generates don’t just show the usual security metrics and performance against the SLA. By analysing the health and performance of the technology and configuration change management i.e the improvements actioned, it becomes possible to measure trends and demonstrate how the service has contributed to an increase in security posture. Now we have a quantifiable way to show that the flexibility of the service offering is delivering results. And, because a cost isn’t associated with each change, rolling improvements become part and parcel of service delivery.
Such change is important because the needle has scarcely moved when we look at cyber maturity. The 2025 Cyber Benchmark report, which measured security posture against the NIST Cybersecurity Framework v2.0 and ISO27001, found the average maturity level of large corporations (those classed as turning over more than a billion euros in revenue annually) stood at just 54%, up one percentage point from last year. This means that almost half of big business is not cyber ready i.e. is not adequately prepared to protect against attacks, has not baked cybersecurity into its processes and is failing to improve its resilience.
As time elapses, this means that the security posture of these businesses may actually decrease because attacks are continually being developed, are becoming faster and more automated. So, while it was ‘good enough’ to have defences in place against malware and ransomware in the past, affording the CISO protection against 98% of attacks, that is no longer the case. Let’s assume that an Endpoint Detection and Response (EDR) has visibility of 100,000 endpoints but 100 of devices have been missed as part of the deployment. All it takes is for the attacker to compromise a single device to get a landing point in an organisation – less than 1% - for that protection to be ineffective.
Evolve or die
It’s therefore clear that neither large enterprise nor the MSSP can afford to stand still. Service providers need to become more agile and to routinely review their service offerings and the vendors they work with so they can assess and deploy cutting edge technologies more easily and move with the market. That way, they can ensure they keep pace with evolving threats and ensure they provide a comprehensive level of protection.
MSSPs can compete with SIs and even beat them at their own game if they focus on offering a high-end but adaptable service. But this isn’t just an opportunity to carve out and protect market share. By adopting this approach, they’ll also boost the maturity of their customers security posture who in turn will come to regard their services as both an asset and as indispensable.
