In a recent study, Securing small and medium-size enterprises: What’s next? (March 2021), McKinsey & Company explored why smaller businesses are an ever-appealing segment for cyber security providers, and what might need to change for vendors to adequately serve this market. In this blog, I’ll dive a little deeper into some of their key thoughts.
Cyber security sales growing fast
The report explained that “mounting cyber security threats are particularly fraught for small and medium-size businesses (SMBs), defined as those with fewer than 500 employees.” Currently, global cyber security sales for SMBs are estimated at more than $40 billion, according to Gartner, IDC, and McKinsey research, growing at more than 8% every year. But despite its size, “the market remains often underserved by cyber security providers.”
To adequately serve SMBs, said McKinsey, providers require a new strategy with more efficient direct remote-selling approaches and a unique channel plan to capture growth in the managed security segment. To better appeal to this customer segment, pricing and packaging are also absolute table stakes.
Pandemic driving vendor consolidation
McKinsey stated that “even before the pandemic, SMBs faced challenges when it came to limited budgets and hiring skilled personnel. Now, as the pandemic continues to take its toll on the broader economy, tighter budgets are expected to also affect cyber security spending,” driving cost optimization which often leads to vendor consolidation.
It’s no secret that SMBs’ cyber security needs have been relatively underserved compared to the enterprise market. It’s also been less profitable than the consumer and enterprise cyber security segments. According to McKinsey, “that’s a missed opportunity hiding in the open as cyber security and the threat of future attacks weigh equally on SMBs.”
“Historically, the cyber security companies vying for ascendancy in this segment have traditionally been enterprise point solution providers or consumer players looking to expand their reach into what for them were new markets.” In the future, McKinsey believes that might change “with the emergence of opportunistic new entrants offering new approaches to cyber security technology and distribution that SMBs find compelling.”
MSSP's gaining share of the market
McKinsey reported seeing a shift with managed security service providers (MSSPs) gaining share through direct contracts with SMBs and partnering with managed service providers (MSPs) to deliver managed cyber security. “In fact, the MSSP share of the SMB market is estimated to grow 14% from $7 billion to $10 billion by 2022.” This growth may also compel value-added resellers (VARs) to “provide more managed services in order to expand their revenue and gross margins, a move that will further accelerate the growth of the managed security service sector.”
SMBs need simpler, holistic platforms
According to McKinsey, SMBs would be best served with a simpler and integrated “security suite” on a cloud-based platform. Core to this platform is the need for a holistic, managed detection and response (MDR) approach to analyze all threat vectors, including endpoints, networks, and cloud. This platform should also help secure the firewall and include phishing preventative measures and mobile security capabilities.
“The idea is to reduce the complexity of implementation, deployment, and maintenance with components increasingly deployed on the cloud,” said McKinsey. “The proposition would likely resemble a simple and competitively priced ‘security-in-a-box’ solution.”
Threat remediation needs to be achieved through intuitive and interactive means that give non-cyber security IT practitioners actionable guidance. This should include hands-on access to security analysts to offer strategic counsel and clarify mitigation steps—including what they are and how to action them.
McKinsey also recommended a “product bundle” approach. Ideally, this would embed several preventative services to help SMBs assess cyber security situational awareness and influence cyber behaviours, including training modules, incident response services and preparedness, and a security maturity assessment.
Questions SMBs should ask
At Field Effect, we encourage and can help facilitate discussions about business outcomes that need to take place as you consider enhancing your cyber security posture and risk mitigation. To ensure your investment is adequately fit-for-purpose and aligned with your business goals, desired outcome, and budgets, your organization will need to ask such questions as:
- What are the critical business processes driving profitability, customer engagement, and business innovation? What elements of security and risk are impeding their success?
- How do we overcome these roadblocks, and what is the most suitable and optimal path to achieving success?
- How are customers and employees changing how they work and engage with our business, and how do we seamlessly support them while managing risk and security?
- How do we create, share, and gain value by enhancing our security posture and mitigation of risk?
- What external support might we need to increase the quality of our security insights and the time to action for any remediation?
- How do we prepare for incidents like ransomware and malware, and how do we increase our employee cyber security situational awareness?
By asking the right type of questions and approaching future cyber security investments in the context of business-focused impacts, SMBs will be able to craft better digital security transformation roadmaps and ultimately deliver better business continuity, resiliency, and growth.
Field Effect’s core mandate is to be a catalyst, helping SMBs better protect their digital assets by breaking free of the ever-growing complexity and exorbitant cost of siloed cyber security. We empower SMBs with the confidence and holistic managed detection and response solution they need to achieve their cyber security goals.