The MSSP conundrum: How to balance cost versus cutting edge

For Managed Security Service Providers (MSSPs), differentiating and offering value while watching the bottom line is a constant struggle. It’s becoming ever more challenging because, although the security market now offers many features that could potentially be used to roll out more services, MSSPs need to justify investment in a highly price-sensitive market and are increasingly conservative about spend. Yet, if they fail to innovate, they’ll lose customers. How should MSSPs seek to balance their costs against investing in cutting-edge technologies?

Customer expectations rise, but prices are falling

While businesses are economising, the indications are that security budgets will remain relatively buoyant. The State of IT 2023 report reveals that cybersecurity will take more out of IT budgets, with 11% expected to go to software, 7% to hardware, 6% to cloud and 11% to managed services.

Cybersecurity is also seen as a top priority, one that is now eclipsing digital transformation as businesses focus spend, according to the 2023 Global Tech Outlook report. These figures all suggest that spend will continue to rise, although the caveat is that customer expectations are also increasing.

A recent survey of MSSPs across Europe and the US conducted by TakePoint Research found that customers expect features and services to increase in line with technological advances. At the same time, they also expect prices to go down or stay the same and for costs to be predictable. In short, expectations are high, and price is inelastic. The same report said this is significantly constraining MSSP ambitions. It limits their ability to create new value-added service packages and means that, to do so, the value-add must be compelling.

Therefore, while advanced technologies and innovative cybersecurity products may create opportunities for new managed services, MSSPs must be confident that clients want to buy the new capability before committing to it. So how can MSSPs invest in new technologies they know will be well received?

Licensing and transparent pricing

As a rule, MSSPs seek solutions that can drive business growth without necessarily increasing licensing costs. This is because licensing models are predominantly based on data volume (per message, per gigabyte, per event, or events per second, etc.), which means costs can rapidly increase as the business scales, threatening the MSSP’s ability to maintain consistent costs.

Such licensing is widely used by basic managed Security Information and Event Management (SIEM) solutions and associated services, and doubly so for services based on Security Orchestration, Automation and Response (SOAR) and User and Entity Behaviour Analytics (UEBA) platforms that process even bigger volumes of data. But the MSSP can’t simply pass on these charges.

To safely monetise these new services, MSSPs need vendors to be more transparent in their pricing. Today, this information isn’t widely available, making it very difficult to compare and contrast offerings and explore how they could be bundled. It means MSSPs need to demand this information up front to avoid vendor lock-in and to be able to control their licensing costs.

Services that add value

Out-of-the-box Integration

When it comes to service propositions, the bread and butter for MSSPs has been out-of-the-box integrations. These save time, as the MSSP doesn’t have to dedicate internal resources to develop and deploy these capabilities for each customer. Out-of-the-box also allows clients to bring their own technologies, such as firewalls and Endpoint Detection and Response (EDR), and to integrate these with the MSSP’s SIEM.

The survey found that MSSPs favoured solutions that offered them flexible configurations and easy customisation per client. They did not want to be limited by an interface that provides a one-size-fits-all menu of clickable boxes and buttons. For example, regarding SIEM, MSSPs said their security analysts wanted to create a specific detection rule first. They then wanted to be able to roll it out across the customer base rather than applying it to each customer SIEM individually. Automating this using a SIEM in-house can, therefore, significantly increase the ability of the MSSP to offer more value with a negligible cost impact on the customer.

Centralise threat intelligence

Similarly, leveraging a single SOAR platform can allow a group of security analysts to work on event data simultaneously rather than in client siloes. This centralises threat intelligence and enables the MSSP to use a single dashboard. It can share a unified set of rules and playbooks across its client base. It also enables them to trigger incident response actions on the customer’s BYO technologies mentioned above.

However, many MSSPs have not yet deployed SOAR. That is despite the knowledge that automation and orchestration will be necessary to remain competitive and grow their business. This is down to two reasons. Firstly, they need flexible licensing options, as this enables them to scale without costs ramping up dramatically. Secondly, they need vendors to teach their analysts how to design these playbooks so that they can roll them out across their customer base, speeding response and shortening their SLAs. Rather than invest in a SOAR platform and all the setup, rule configuration and playbook tweaking it involves, many are opting to automate only specific processes or build custom use cases and advanced correlations together with their customers, which is extremely resource intensive.

Moreover, those that are using the technology are only doing so for data consolidation, enrichment, and normalisation, not automated response, which is its chief virtue. Technologies such as SOAR and UEBA offer great value-add potential. However, MSSPs need to nail down vendors on licensing costs and support to make them a viable offering and to maximise their potential.

Flexible deployment options

MSSPs must offer various deployment options to meet customers’ regulatory requirements. This is because, although cloud adoption has accelerated, many clients still need to keep sensitive customer data on-premise, which rules out a purely cloud deployment. For this reason, the survey found the most popular model was to offer SIEM/firewall/SOAR deployment on-premise or in a private cloud, with the MSSP performing management in the cloud.

Interestingly, the report also revealed that none of the MSSPs were willing to work with SIEM vendors who migrated the entire company offering to the cloud. They felt this left them too exposed. Ideally, they wanted to be able to bundle multiple cybersecurity functions into a single service package, one that they could deploy on-premise, in the cloud, or in hybrid infrastructure to give them maximum flexibility.

What does every MSSP need?

In conclusion, there’s clearly potential for MSSPs to scale SIEM services using automation to create and apply rules and to leverage new technologies to offer automated threat detection and incident response with SOAR and UEBA. The reason it’s not happening today is not a lack of budget but rather that the security market hasn’t adapted to their unique needs. MSSPs need to be able to service multiple customers simultaneously without prices ratcheting up unexpectedly.

Vendors must work with them when devising solutions and provide training and support to security analysts. MSSPs need flexible platforms that support integration to give them options and the ability to scale, which means predictable licensing costs. It’s these criteria, then, that MSSPs need to look for when investing in cutting-edge technologies, to help them advance and grow their business.

Logpoint is the creator of a reliable, innovative cybersecurity operations platform — empowering organisations worldwide to thrive in a world of evolving threats. By combining sophisticated technology and a profound understanding of customer challenges, Logpoint bolsters security teams’ capabilities while helping them combat current and future threats.

Logpoint offers SIEM, UEBA, SOAR and Business-Critical Security technologies in a complete platform that efficiently detects threats, minimises false positives, autonomously prioritises risks, responds to incidents, and much more.

Headquartered in Copenhagen, Denmark, with offices around the world, Logpoint is a multinational, multicultural, and inclusive company. For more information, visit

