Did the MSSP Model Just Receive a Vote of No Confidence?

Last week, news broke around a rumored sale of SecureWorks. Reuters and CRN reported that Dell Technologies is looking to offload its SecureWorks security subsidiary, just after that subsidiary’s stock hit an all-time high at $24.56 per share on February 5.

It’s an interesting signal from the infrastructure giant that it is considering dumping its security business, an international brand within a fast-growing segment that outpaces its parent’s general IT infrastructure business. Is this simply corporate book balancing or something more interesting? Let’s explore what the larger implications hold for the future of businesses modelled on the Managed Security Service Provider (MSSP) approach.

What we know about the sale

Reports suggest that Atlanta-based SecureWorks, with a projected market value of $1.5 - $2 billion, has approached Morgan Stanley to broker its sale. Remember, Dell acquired SecureWorks in 2011 for $612 million as part of its acquisition of EMC, then listed the subsidiary on the stock market in 2016. SecureWorks’ website offers security solutions designed to protect corporate networks from cyber attacks. It claims 4,300 customers across more than 50 countries.

Since its own IPO late last year, one could assume Dell might be under pressure to get its house in order. And while the ~$2 billion market value of Secureworks seemingly would do little to erase the reported $50 billion debt piled up from Dell’s EMC acquisition, it’s easy to imagine that this SecureWorks news is potentially about paying down Dell debt.

The impact of acquisition

Corporate mergers can result in improved services and better pricing, but the results take time. Corporate sales often bring uncertainty, employee reduction and churn, operational cost cutting, and divestment in long-term R&D projects. The culmination of these tactics and factors can lead to significant impairment in customer service and operational performance.

I can attest personally to the impact of a sale, but in this instance it was a positive one. In late 2017, I had a front row seat to eSentire’s acquisition by Warburg Pincus. In this case, the dust settled quickly with new leadership (CEO and CFO) that brought new vision. And within months we made strategic partnerships announcements (Cyxtera and Sumo) and launched multiple products (esLOG and Managed Endpoint Defense).

What’s more, within a year, we made our first strategic acquisition of Artificial Intelligence security leader Versive. Few companies define a category and fewer still redefine it. eSentire did just that by blending MDR expert human security analysts with AI systems and machine learning to manage the increasing volume of threats from a more fluid attack surface, and to counter the advances of persistent and well resources adversaries like criminal organization and nation state actors.

A vote of no confidence for the MSSP model?

The question remains, why is Dell possibly willing to part with its security business? The prospective ~$2 billion relief isn’t big enough to sacrifice the future performance of a firm that operates in a rapid-growth market segment. As the expression goes, the tide raises all ships. While not yet EBITDA positive, SecureWorks is a well-known brand and stands to at least gain from the market growth in which it operates. It also holds a dominant position in the MSSP space and is a recognized leader by industry analysts such as Gartner.

So why explore selling it to to pay off a meager four percent of debt? The MSSP model has been around for years and is well understood as a device-centric (prevention technology) approach to managing threats. Perhaps Dell isn’t mortgaging its security future. Perhaps Dell simply doesn’t see equity and growth in a margin-thin, outdated model that can’t scale to meet exploding digital transformation with AI and IoT, the groundswell of well-resourced and sophisticated adversaries, and an enormous alert overload that burdens the client base.

A model broken by alert exhaustion

The MSSP model generates an alert volume well above most customers’ ability to respond. One customer told us their MSSP sent nearly 10,000 alerts a day. That’s nearly seven alerts a minute! More advanced than most mid-sized businesses, this nationally recognized brand could respond to about 500 alerts (five percent) a day. And any one of the 10,000 total could be business disrupting.

That’s where Managed Detection and Response (MDR), which spawned from MSSP, comes in. Gartner created the MDR category as turnkey security for mid-sized organizations that require more than device management and alert notification. MDR provides detection of threats and various flavors of response. It’s not simply about detect and alert, it’s taking proactive action on behalf of the client. It’s knowing what to do with the proverbial needle, once it’s found (assuming it even is). Few MSSPs have succeeded in migrating to the MDR model.

What’s worse is that the MSSP model is built on alerts and assumes a static perimeter. Digital transformation is eroding boundaries with mobile devices, Internet of Things (IoT) and artificial intelligence. This evolution touches every facet of business and changes the way firms do interact and do business with their clients and supply chain. And economics demand that technology continuously evolve. This constant and accelerating diffusion of technology outpaces the abilities of current MSSP security to adapt and protect the entire fluid attack surface of most businesses today.

That’s why MDR is a more attractive model. And it’s why eSentire invested in Versive to combine human expertise and machine learning. This new machine scale world demands the ability to process massive amounts of data, look for the telltale attack signs (especially yet-to-be discovered attacks), and provide security analysts with data to make rapid decisions, contain or disrupt attacks, and prevent intrusions from disrupting business.

MSSPs will continue to struggle to adapt to a different world, driven by a business model that struggles to scale without a linear increase in staff and the tradeoff between diminished customer service or ballooning costs passed on to the buyer.

It reminds me of the expression about adding eggs after the cake is baked. It’s hard to bolt machine learning into a model that relies on prevention technology and logging only. Machine learning can’t replace humans, but it certainly can automate the investigative processes led by human analysts. And it can automate many of the tasks like attack-disruption actions, forensics collection and curation, and post-event reporting. It’s streamlined, more accurate and transparent.

The future of MSSP

So is this potential sale of SecureWorks a no confidence vote? Only time will tell and constituents will vote with their corporate wallets. Given the proposed price tag, a future sale will likely take a while. In the meantime, it will bring volatility, uncertainty, ambiguity and chaos (or VUCA). And all eyes will be watching to see the value placed on the MSSP model.