Enterprise IT and security teams are stretched thin and struggling to hire the talent they need. Every new point solution they add to their infrastructure needs to be evaluated not only in terms of effectiveness–but also in how much operational overhead it creates. Alert monitoring and response is out of hand.
What I’ve observed–and heard in conversation after conversation with CISOs–is that enterprises are warming up to security software that comes bundled with services, as long as those services reduce the operational overhead of implementing and maintaining the software.
All of this means that a security startup needs to think deeply, very early on, about how its software will be evaluated by its enterprise customers.
One clarification at the outset: I’m not talking here about managed security service providers (MSSP) or cybersecurity-as-a-service where the service component is the primary offering. There are many great businesses in these categories. Scale is an early investor in Expel, for example, which provides its customers transparent managed security with 24×7 detection, response, and resilience.
Back to the Future
This emerging trend of software plus service is a case of “back to the future”. Before SaaS and cloud became the norm, enterprises expected licensed software purchases to come bundled with professional services offerings.
Today’s demand for services emerges from three headwinds that enterprises are facing simultaneously:
- A tight cybersecurity hiring environment
- The complexity of hybrid cloud environments
- The workload generated by new point security solutions
Let’s look at each of these dynamics in turn.
Tight Cybersecurity Hiring Environment
There’s a widely cited, if likely inflated, estimate that there will be 3.5 million cybersecurity job openings by 2021. Whatever the exact number, the implication is that large businesses are struggling to find sufficient talent to manage increasingly complex security infrastructure–with its clear link to managing business risk. We saw evidence of this situation in Scale’s 2019 cybersecurity survey, where just 40% of organizations considered new hiring a core part of their strategy. Largely because they’re being forced to look for solutions other than headcount growth.
Of course an important part of the dynamic here is wage inflation. New security hires today are more expensive and thus need to be doing high-value work that contributes to an improved security posture. Yet much of the work overload comes from low-value tasks like log parsing and notification response. Another finding from our cybersecurity survey: enterprises said a top obstacle to “achieving security posture” is “excessive alerts / false negatives”.
Managing the Complexities of Hybrid Cloud
Hybrid cloud environments will remain the norm for some time to come. Regulatory requirements and legacy applications require on-prem, while the agility, elasticity, and increased velocity of innovation push further cloud adoption.
The complexity of getting it all to work efficiently is significant when you consider multiple runtimes across virtual machines, containers, and serverless environments. But what CISO isn’t losing sleep over the difficulty of keeping hybrid cloud environments secure when threats continue to multiply? “Secure” is a constantly moving target.
Scale invested in several companies offering key components of a modern security program, like PerimeterX, which secures virtual perimeters, including preventing automated bot attacks; Threat Stack, which offers a cloud security platform for the modern cloud infrastructure; Agari, which is focused on the unique security requirements of corporate email; and CyberGRX, a vendor security risk management platform.
New Point Solutions Solve Some Problems and Create Others
CISOs and their teams are living in the age of choice when it comes to security point solutions. The challenge, of course, is managing the operational overhead created every time a new point solution is added to the stack.
Attackers are evolving at an ever-increasing speed and forcing enterprise security teams to respond at an equal pace if they don’t want to be the low-hanging fruit for hackers. This is the well-known cybersecurity cat-and-mouse game. The result is that new security solutions are coming to the market faster than ever before to deal with the changing attack and threat landscape. One only has to walk the RSA exhibition floor every year to see the growing vendor landscape.
While all these new security point solutions succeed at improving cybersecurity resilience and managing enterprise risk, they come at the cost of complexity and added burden on human resources to manage and operate them.
Layer on top the hiring shortage and the increasing complexity of hybrid cloud environments, and it’s no wonder that more enterprises are seeking to outsource discrete security functions. From their perspective, the ideal situation is to continue to add security vendors but without the added operational overhead.
The Lesson for Security Startups
The lesson for security solution vendors is straightforward. Vendors that can support their enterprise customers with a services offering will experience a double benefit: reducing friction during the initial sale and removing operational burden from their customers once they’re up and running.
Today’s cybersecurity software startups need to understand the specific challenges their enterprise customers are facing around personnel and productivity, and the pressure they face to outsource low-value work.
Until some of these dynamics change, demand for services will continue to be a reality. The savvy startup will see a services offering as both a sales tool and an upgrade path all in one.