Too many companies are woefully unprepared for a cyber-attack. A full 43 percent of companies reported they can’t handle an attack that lasts just 24 hours. Two new tipping points will only make a bad situation worse: the Internet of Things (IoT) and encryption.
The growth of IoT devices – and subsequent hijackings of them into botnets – has given hackers a new weapon in their arsenal. When hackers assaulted Dyn, a backbone of the internet, last September, they used 100,000 Mirai-infected IoT devices in an attack that shut down Twitter, Netflix, Reddit, and scores of other major sites. This was a wake-up call for businesses everywhere, as Mirai variants continue to appear in targeted attacks.
SSL encryption, as useful as it is in obscuring data from hackers, also offers ready-made cover for attacks. If all web traffic is encrypted, it’s harder to sift the good from the bad, leading to encrypted attacks against web apps and more that need to be identified and diverted before they cause any damage.
Both of these vectors leave enterprises holding their breath as every new attack could present a major hit to their revenue and reputation. Not to mention small and medium-sized businesses, like car dealerships. These businesses have valuable personal information that hackers want, but they’re lucky to have a single full-time IT employee to defend their systems. While a number of companies are investing in in-house security, many don’t have the resources or the time to guard against frequent attacks.
Something needs to change.
One solution is to expand an existing relationship that all these businesses already have. When Radware asked the organizations themselves how they planned to defend themselves, 32 percent said they wanted their carrier to offer a service that would protect them. The number was even higher for service providers in Europe.
It’s an opportunity that would be welcome news for both carriers and their clients. But how can carriers serve as managed security service providers (MSSPs), and meet this call, and why should they?
A path for growth in a static industry
Most carriers struggle to increase operating margins with low single digit revenue growth year over year in today’s environment. Tier-1 carriers around the globe are working to increase revenues, but networks are so static, hardware centric, and manual that any growth in revenue comes with rising costs.
The growth in cyber-attacks offers a ready-made opportunity for carriers to expand their services. Instead of just offering connectivity, they can expand to a higher value-added service protecting against DDoS and encrypted attacks.
At the same time, many carrier clients, struggling to guard against attacks, want to turn to their existing business partner they already know and trust. Some carriers have already begun offering this type of service and have seen high demand from businesses large and small.
One of the world’s largest cloud-delivery platforms jumped into the MSSP business and is already seeing impressive gains. In just the first quarter of 2017, it reported $110 million in revenue for its cloud security solutions, up 36 percent year over year. In its Q1 2017 financial report, the company noted that “Our … Performance and Security Solutions … accounted for over 60 percent of our overall revenue in Q1, and they contributed very attractive margins.”
Level 3 Communications, a global communication provider serving enterprises, government, and other carriers, reported in its Q1 2017 earnings that overall corporate revenue was basically flat with growth of -0.1 percent. Managed security revenue, however, grew 9.1 percent.
How carriers can get started with MSSP
There are two big risks that carriers face in adding security services to their existing offerings.
First, many carriers aren’t security experts. They sell Ethernet, they sell wireless, but when it comes to spotting and mitigating a massive DDoS attack lasting days, they often don’t have the in-house expertise or systems to do so. For organizations in this boat, it’s easy enough to partner with a security company that does have that expertise in order to become an MSSP.
Second, carriers question whether their sales and marketing teams will be able to sell MSSP when they’re so focused right now on selling connectivity, wireless services, and other traditional topics. The security story is a more complicated, sophisticated sell, but through training, sales can be brought up to speed quickly and make an impact on the business, as Level 3 Communications and others have shown.
There are three major ways to get into selling an MSSP service:
1. White label an existing service. This is the least risky of the options, and requires no upfront capital. It’s also the fastest way to bring a service to the market. The carrier gets to focus on sales, marketing, and back-office support, but delegates the security expertise and the technology to a partner. This can be sold as a part of connectivity or compute/storage services as part of a high-value bundle.
2. Build your own service. This takes the most time, capital, and resources, but also offers the highest margins and overall NPV. If you have an in-house IT team that can operate and manage a network security solution, you can maximize your return on investment.
3. Get the best of both worlds. A third option is to start with a white-labeled service before transitioning to managing it in-house. You forego large capital expenditures up front so you can focus on marketing and selling the service while building back-office operations and expertise. You’ll be able to quickly serve customers and gauge enthusiasm while planning to migrate operations in house over time to recognize the large profit streams in the later years.
Solving two problems with one service
Cybersecurity threats are only going to grow more frequent and more powerful. Businesses everywhere are searching for ways to shore up their protections and avoid business disruptions. Carriers need a new revenue stream and have been identified by companies as partners they’d like to handle their security.
From a problem comes an opportunity. Both carriers and the businesses they serve would be wise to seize it.
Mike O’Malley is the Vice President of Carrier Strategy and Business Development for Radware. In this role, he is responsible for leading strategic initiatives for wireless, wireline, and cloud service providers. Prior to Radware, O’Malley held various executive management positions leading growing business units at Tellabs, VASCO, and Ericsson.