2020 Reflections: Top 10 Takeaways from the Intersection of Cybersecurity and IT Services
During the second half of 2020, Johnny, Zack, and the Worklyn analysts went to school on cybersecurity and IT, speaking with over 250 experts, executives, advisors, and investors in the market as we prepared to build a platform at the intersection of cyber and IT services. Below is a bit of what we learned, in story form. And if you want to read a more comprehensive summary of our findings, plus predictions for 2021, check it out here: MSPGrowthHacks Cybersecurity & IT Services Industry Report
The Macro Story (1-4): Between COVID, the SolarWinds hack, and the proliferation of ransomware, 2020 was a dark year for all, but the acceleration of cloud migration and the passage of thoughtful legislation provided at least small silver linings in the world of IT and security.
1. COVID and its one (small) cybersecurity silver lining:
The story of 2020 starts and ends with the COVID pandemic, which devastated nearly every nation in the world, but also crammed six years' worth of digital transformation into six months (h/t to Microsoft CEO Satya Nadella, who originally coined a modified version of this quote). Traditional network perimeters dissolved, or, at least, lost relevance as organizations across the country embraced remote work. Old-school security folks fretted that the shift to remote would leave critical businesses, from hospitals to law firms, more vulnerable than ever, with their employees running amok from around the country. But for all the sadness and destruction COVID has wrought on families, we believe that the story around cybersecurity is actually a small silver lining. Organizations previously stuck in the cyber stone ages, hoping that on-prem firewalls would protect them forever, were forced to abandon the old paradigm of network-based security and embrace secure cloud transformation. And executives that had been loath to spend on new security tooling were forced to implement multi-factor authentication, endpoint security tools, and anti-phishing programs for newly diffused workforces. The initial results look promising: about 2/3 of surveyed security professionals reported that they saw a similar or reduced number of security incidents after transitioning to remote work.
Coming into the year, there was some debate as to whether more cloud necessarily equates to more security. But even security luddites who had been touting the vulnerabilities of the cloud now acknowledge that the recent SolarWinds hack -- arguably the most catastrophic cyber incident in history -- emanated from the compromise of an on-premises (on the local physical network) product. Compared to SaaS solutions, on-prem tools can be much more easily leveraged to execute “supply chain” attacks, where hackers take over a technology supplier to gain access to end-customer systems and data. Thus, one silver lining of COVID was its acceleration of secure cloud transformation and zero trust network architecture adoption -- end-states that should make it more difficult for future hackers to execute a similar supply-chain hack.
2. Threat environment – the SolarWinds supply chain hack, and ransomware rising:
MCed by (state-sponsored?) Russian hackers, and discovered in December, the SolarWinds hack sounded a deafening and devastating crescendo to a cacophony of dangerous nation-state cyber-attacks in 2020. Australia, New Zealand, Germany, and Pakistan all saw their critical infrastructure networks targeted, to varying degrees of success, by (likely) nation state actors. Meanwhile, for most US businesses, the threat posed by profit-motivated ransomware gangs is more immediate and more dire than nation-state-directed espionage.
Already straining to respond to the challenges of the pandemic, under-resourced healthcare providers and school districts across the country were crippled by a wave of ransomware attacks over the past six months. In October alone, attackers used ransomware to disable computer systems at healthcare facilities in Oregon, New York, Vermont, Michigan, and Wisconsin. Locked out of access to critical IT systems, businesses, hospitals, and schools were forced to return to the dark ages of paper processes while deciding whether to pay out hefty ransoms to get back their data and efficiency. The threat is exacerbated from above and below: organized ransomware gangs are building muscle and professionalizing -- some even have PR arms and real-time chat support -- while at the lower end of the market, buying and deploying ransomware has never been cheaper or easier -- Trojans that steal passwords, credit card data, and even images from webcams sell for as little as $50, and remote access trojans that can take over computers, complete with technical support, run less than $1,000. With barriers to entry crumbling and rational criminals turning to cybercrime, where payouts are higher and the risk of injury or imprisonment is more remote, it’s no surprise that the total global cost of ransomware nearly doubled to $20B in 2020. And whether on land or sea, no organization is immune; even most of the major maritime shipping companies have fallen victim to ransomware. Boat owners: reach out for more detailed thoughts here; we even have a colleague who is singularly focused on cybersecurity for anything that floats!
3. New cyber threats have immediate implications for managed service providers:
Because they hold the (hopefully encrypted) “keys to the kingdom” for many of their customers, managed IT services providers (MSPs) are becoming increasingly popular targets for ransomware gangs. This means that MSPs and managed security service providers (MSSPs) must invest in hardening customer data protection -- for instance, by providing cloud and on-premises data and IT system backup services -- and help customers respond to incidents. But they also must eat their own dog food by investing to ensure their own internal cybersecurity posture is up to date. If a managed service provider is breached, it could lose the majority of its customer base overnight.
The insertion of malware into SolarWinds’ Orion software platform underscores this risk all too vividly. The media has rightfully focused on Russia stealing data from large government agencies, including the departments of State, Homeland Security, Commerce, and the Treasury, and on how Russian hackers might leverage their access to critical Microsoft source code to launch future cyber-attacks. But SolarWinds also provides similar network monitoring tools to thousands of MSPs. Thankfully, this suite of tools does not appear to have been compromised, but you can bet that more profit-motivated cyber attackers are already trying to run a similar playbook on SolarWinds and other MSP-centric remote monitoring and management platform providers like ConnectWise, Datto, and Kaseya (more on these guys to come).
4. Patchwork regulatory regimes – legislation in Louisiana and beyond:
While the House and Senate are too busy debating election results and counting fish to worry about trivial, non-partisan problems like large (and small) supply-chain hacks, some forward-thinking state legislators are beginning to act. In the wake of a series of ransomware attacks against local school districts and its DMV, Louisiana governor John Bel Edwards signed a first-of-its-kind, bipartisan law requiring MSPs and MSSPs that serve public bodies to register with the state and keep the state notified of any cybersecurity incidents or ransomware payments. While the Louisiana legislation is not particularly toothy, it does require much-needed transparency and accountability -- a worthy first step. We expect to see variations on this legislation from other states that have been ravaged by ransomware, like Maryland.
A similar story is playing out, state-by-state, around data privacy regulations, inspired by the European GDPR laws governing customer data privacy. The California Consumer Privacy Act (CCPA), which took effect in 2020 and is meant to empower consumers with some ownership over when and how their data is monetized, seems likely to create a similar patchwork of state-by-state privacy laws. Adhering to CCPA and other emerging state-level data privacy regulations will be made all the more confusing by the digital reality that data, employees, and businesses do not neatly reside on a state-by-state basis. The growing patchwork of state-by-state regulatory regimes will only exacerbate the hyper-fragmentation in today’s IT services and cyber services industries. Call us skeptics, but we don’t expect to see a unified national legislative framework to promote privacy and cybersecurity enacted anytime soon. If you or your organization need help understanding the ramifications of cybersecurity/data privacy regulations, drop a line; we know a slew of experts in this space.
The Market Story (5-7): Lines that once segmented managed service offerings are blurring across capabilities and customers, while a host of well-funded cybersecurity product and service offerings have emerged to address the massive global shortage of cyber talent.
5. Lines between cybersecurity and IT services blurring, with managed services moving on up to enterprise co-managed:
Over the past months, we’ve heard a similar and consistent refrain from both customers and service providers: MSPs and MSSPs are on a collision course. Small and medium-sized businesses pine for IT services providers that can take care of the IT necessities – keeping the network running and helping enable cloud transformation – AND help protect them from the latest cyber threats. Large enterprise IT departments are comfortable managing large rosters of application, cybersecurity, and network vendor point solutions, but at the lower end of the market, customers are demanding a “single throat to choke.” Service providers are responding in kind: MSPs are suddenly rebranding as MSSPs – and it doesn’t hurt that valuations for MSSPs looking to sell have approached record highs in recent years. Owners of IT services businesses are putting in the time to build up internal cybersecurity expertise while also turning to partners for advanced offerings like managed detection and response (MDR).
But MSPs can be so much more than just outsourced IT departments for SMBs. We are seeing more large companies choosing to outsource select parts of their IT stack to specialist third-party providers while maintaining a focused in-house IT team. MSPs have responded by moving up market, targeting companies with 1,000-5,000 employees, and offering outsourced services for “up-the-stack” functions such as cybersecurity and cloud management, while the customer maintains other critical IT functions, such as application development, in house. Generally, business-enabling or revenue-generating technology functions (think CRM and custom cloud apps) remain managed in-house, while business-supporting or cost-generating functions (think network management and cybersecurity) are outsourced. And though MSPs might only be providing a handful of functions to an enterprise customer in the co-managed model, enterprise customers have a higher willingness to pay, can be stickier, and offer opportunities for providers to land and expand. What remains to be seen is whether the business models are similar enough that traditional, SMB-focused MSPs can step up to offer co-managed services by de-bundling in a manner similar to cable providers, or if a new breed of co-managed-first providers -- the Netflix in our television metaphor -- will ultimately take the cake with enterprise customers. MSPs that can un-bundle services without sacrificing margins and operational efficiency will see their total addressable market more than double.
6. The ABCs of E/M/X-DR – big funding creating big opportunities around detection and response:
There are plenty of MSPs in MSSP clothes, but to credibly call yourself an MSSP these days, you must at least help your customers implement and manage endpoint detection and response (EDR) tools. As traditional on-prem network perimeters dissolve, securing the endpoints that make up the new diffused perimeter has rightfully become the priority for CIOs and CISOs. No surprise that Silicon Valley and the public markets have reacted accordingly, dumping billions into a high-flying cohort of EDR vendors. Crowdstrike, the leading publicly traded, cloud-native EDR solution, saw its stock rocket up by over 300% in the past year, now trading at nearly 50x its annualized revenue. This year, Carbon Black, the OG of EDR (founded in 2002), was acquired for $2.1B, a relative 9x revenue bargain, and Cylance, a younger EDR compatriot, was acquired for $1.4B by Blackberry. Tanium’s valuation ballooned to $9B after raising another $150M mega-round. And don’t forget the other two venture-backed EDR unicorns – MSP-focused SentinelOne ($3B valuation) and Israeli-founded Cybereason ($1.5B because, of course, Softbank had to get in on the EDR goldrush). Together, that’s $65B in combined EDR equity value, and with oodles of cash from public and private market investors, these EDR vendors are competing exactly as we’ve come to expect in over-capitalized, booming marketplaces: focusing on seizing market share today and letting profit margins be tomorrow’s problem. This has created an attractive, though likely impermanent, opportunity for MSPs, MSSPs, and VARs to cheaply procure EDR solutions for their customer bases and resell them at fat margins. We’ve seen managed services providers boasting super-high EDR recurring product resale margins north of 25% (traditionally, product resale margins are under 10%) as the various EDR vendors cut prices for channel partners in exchange for market share. The gravy train will eventually dry up a bit for service providers, but for now, many are enjoying the ride.
Of course, EDR software is just a point solution, a product to be plugged in, not a service to be provided. Buying EDR alone doesn’t buy you security; you need to know how to use the tools. So smaller, less security-sophisticated organizations are looking for a more complete solution that synthesizes EDR with telemetry from more old-school network-focused tooling in a 24x7 security operations center, and layers on human-based services to deliver turnkey threat detection and response. Industry analysts and vendors can’t agree whether to call this managed detection and response (MDR) or extended detection and response (XDR). And, as if the market jargon wasn’t confusing enough already, some vendors have also begun to market themselves as SOC-as-a-service (SOCaaS) providers. At the end of the day, all these companies are combining technology and services to help customers detect and respond to cyber incidents. They differ in how much of the technology stack and how much of the service delivery, remediation, and response process they own (vs. their customers). XDR providers are generally large, publicly traded product vendors that have built a service offering enabled (usually) entirely by their own products. MDRs, meanwhile, generally integrate with technology products from other vendors, often leveraging their own proprietary SIEM/threat analytics platform to aggregate disparate data sources. Both MDRs and XDRs provide a layer of human services on top of the product stack -- security analysts who triage incidents, hunt threats, and respond to breaches for the customer.
Given the expense and technical challenges associated with standing up a SOC (security operations center), MSPs serving regulated industries and smaller traditional MSSPs (the folks who manage networks and firewalls) are partnering with XDR and MDR providers to offer white-labeled detection and response, though based on their websites and marketing, you’d often think they are the ones providing the service. MDR providers successfully targeting the MSP channel include SKOUT Cybersecurity, Perch Security (recently acquired by ConnectWise), and Arctic Wolf, which raised $200M this year in a round led by Viking that valued the business at $1.3B. On the other end of the spectrum, some MDRs focus on selling directly to more technical, sophisticated enterprise customers. Cysiv, a new Series A spin-out of security giant Trend Micro, has also achieved remarkable success in a short time by remaining vendor agnostic and perfecting the security data ingestion and analysis process. Few have been more successful than Expel, which has raised $118M from an assortment of big name VCs and differentiates by integrating with a wide variety of popular cybersecurity tools that their customers have often already purchased. Given their reliance on human talent (services) for delivery, these companies don’t command SaaS valuations, but VCs haven’t shied away from large bets here either, pouring over $700M of venture funding into MDRs in 2020 alone. Recognizing the same market opportunity identified by VCs, large, public, traditionally product-focused cyber companies – including Silicon Valley blue chip Palo Alto Networks and East Coast challenger Rapid7 – have also rolled out service-wrapped XDR offerings. If you want to learn about the E/M/X-DR landscape, please reach out - we’ve mapped the cybersecurity services supply chain and the different players in the game.
7. The security talent shortage and the primacy of outsourced security services:
The rise of MDR, and continued reliance on outsourced security services is the result of a simple dynamic: there are not enough skilled cybersecurity professionals to fill the needs of internal IT/security departments. According to a survey and report conducted by ISC2, there was a global shortage of 3.1 million cybersecurity professionals as of summer 2020. Just to be clear, that’s 3.1 million humans, not dollars. And in the US alone, the gap between desired positions and those employed in cybersecurity is over 350,000. Not surprisingly, over half of respondents surveyed believed that cybersecurity staff shortages were putting their organization at risk.
And even if you ignore this distressing talent gap, for SMB customers, outsourcing cybersecurity services is just cheaper and more efficient than trying to hire and retain talent in-house. Building a SOC and staffing it 24x7 with cybersecurity analysts is a prohibitively expensive undertaking for all but the largest, most security-centric organizations. It’s much more efficient to focus on your core business and outsource security operations, threat detection/hunting, and response to a service provider with security in its DNA, who can run an outsourced SOC, implement best practices, and leverage access to data from a larger customer set to make sure you don’t get breached. Though more universities are reading the tea leaves and implementing cybersecurity graduate programs, we’re betting that the cyber talent gap isn’t going away anytime soon, and that demand for outsourced security solutions will only continue to grow as ransomware attacks continue to besiege smaller companies and nation states home in on large companies and critical infrastructure.
The Money Story (8-10): We are future operators, but we are currently investors focused on acquiring IT and cybersecurity companies, so we’d be remiss not to don our investor hats and provide some thoughts on M&A and public market performance for cybersecurity and IT services businesses.
8. The Rise of Cloud – a double-edged sword for service providers:
There were few public market growth stories more compelling than the explosion of enterprise cloud software. Buoyed by the shift to remote work, the Bessemer Emerging Cloud Index finished the year up over 100%, compared to a 15% rise for the S&P and a 42% rise for NASDAQ over the same period. With both its stock price rising and revenue growing by nearly 400% this year, Zoom gets the headlines, but cybersecurity SaaS providers Crowdstrike, Cloudflare, and Zscaler all saw their share prices rocket up by over 300% and are now trading at 45-50x annualized revenue. Okta, a cloud identity authentication and security provider benefitting from similar tailwinds, looks like a relative bargain with a valuation of 37x annualized revenue (full disclosure: Zack worked at Okta before Johnny convinced him to jump onto a new rocket ship at Worklyn).
On the one hand, the massive penetration of cloud software providers may pose a threat to MSP and MSSPs focused on managing traditional networks and on-prem technology tools like firewalls. Plus, some solutions like Zoom are so easy to deploy that there’s no need for a middleman(ager) to help deploy and monitor them. But as elegant as they are, cyber software tools like Crowdstrike, Zscaler and Okta are no piece of cake to properly deploy, integrate, and manage; this requires real expertise -- expertise that SMBs and even some less-sophisticated enterprises do not possess. Thus, service providers with cybersecurity and secure cloud migration capabilities will seize the opportunity to grow with the aforementioned SaaS providers.
9. The Datto IPO and the “big four” MSP technology vendors:
While MSPs have been the hidden heroes of the cloud revolution to date, Datto’s October IPO may finally wake the world up to the massive potential of the managed IT services market. Along with Kaseya, ConnectWise, and SolarWinds, Datto is one of the “big four” providers of technology solutions to MSPs (though Barracuda, more focused on network security, has a case to be considered as the fifth member of the squad). It’s impossible to talk about the “big four” MSP technology providers without talking about their “big three” financial backers: Thoma Bravo, Vista Equity, and Insight Venture Partners. Since 2013, each of these PE firms has made at least three major investments in the MSP technology space (Thoma Bravo: SolarWinds, Continuum, Barracuda; Vista Equity: Datto, Autotask, LogicMonitor; Insight Venture: Kaseya, Spanning, Unitrends). What makes this niche so attractive to these technology-focused private equity firms is the unique blend of growth and profitability. While Datto’s EBITDA margins -- estimated at 29% for FY20 -- pale in comparison to those of SolarWinds (clocking in near 50% for FY20), 70% of SolarWinds revenue comes from its “Core IT Management” business, which is higher margin IT infrastructure management software that SolarWinds sells to larger enterprises, not MSPs. But SolarWinds sees growth in this enterprise business slowing, and just before the December hack, the company filed a Form 10, giving official notice of its intent to spin off its MSP business into a standalone entity in order to prioritize growth by better attacking white space in the MSP market, specifically finding a way to serve larger customers entertaining co-managed IT options. While the MSP spin has been deprioritized as management responds to the breach, public market investors will likely soon have a second pure-play MSP technology provider to bet on in “SolarWinds MSP”.
While SolarWinds shares (“SWI”) have traded off more than 40% from their 52-week high, and uncertainty around the impact of the hack and its reputational damage remains high, we believe the MSP spin will unlock significant value for shareholders, as the Core IT business will be able to prioritize profitability and the MSP business prioritize growth. We value SolarWinds’ MSP business at ~$2.8B, and given the company’s current market cap is ~$4.5B, we see the current SWI share price of $14.75 (below 2018’s IPO price) as a very attractive entry point.
But today, Datto is the only one of the big four that exclusively serves MSPs -- 17,000 and counting, to be exact. No coincidence, then, that they chose MSP as their NYSE ticker. Datto’s product strategy is also more focused than that of its aforementioned competitors, as backup/disaster recovery solutions account for ~75% of total sales, though it has expanded into professional services automation (PSA) and remote monitoring and management (RMM). Both Datto and SolarWinds prioritize profitability rather than growth and innovation, reinvesting only 11-12% of their revenue back into R&D. Given its PE ownership, ConnectWise appears similarly profit-focused, though, of late, they have invested aggressively in expanding their technology and service offerings via acquisitions like ITBoost, Continuum, Perch Security, and Stratozen. And Insight-backed Kaseya has also utilized M&A to buy (rather than build) innovation and new service offerings. We were thus not surprised to hear MSP business owners complain about poor customer service and lack of integration from all these players. We believe there is a potential market disruption opportunity for a venture-backed, next-gen technology player that focuses on optimizing integrations rather than owning the entire service stack. Of the would-be disruptors, we’ve heard the most buzz around Pax8, a cloud-native Colorado startup that has raised $61M to provide professional services automation tools for managed cloud providers. It’s a simple but well-worn story in enterprise tech: where a market is owned entirely by profit-focused PE and public investors, pockets of opportunity emerge for focused disruptors to build simpler or lower cost products with modern back-end architecture and backing from VC/growth investors.
10. The M&A market for managed services providers – thriving despite COVID:
ConnectWise’s security M&A spree indicates that COVID has done little to curb buyer appetite for providers of managed security services in the MSP ecosystem. Based on analysis of precedent transactions and conversations with brokers and bankers, we see differentiated cybersecurity providers with real recurring revenue trading at 3-5x revenue. Even cybersecurity services consulting firms that don’t enjoy recurring revenue but have built pools of in-demand cyber talent and capabilities are commanding similarly premium revenue valuations. For example, Crypsis, a leading provider of project-based cyber incident response services, was acquired by security product vendor Palo Alto Networks for $265 million this summer. Going forward, cybersecurity services providers focused on threat detection and response will continue to command valuations north of 4x revenue, but more traditional network-focused cybersecurity managers that focus on firewall management and network intrusion response may struggle to find buyers willing to transact at even 3x recurring revenue.
Unlike their sexier cousins in managed cybersecurity, managed IT service providers trade on EBITDA multiples, with premiums applied for scale (more EBITDA = higher multiple) and prevalence of true contractually recurring managed services revenue (as compared to common but less attractive revenue streams like professional services and recurring product resale). Our conversations with recent and potential sellers, brokers, and bankers in the MSP space indicate that, after a brief lull in deal making during the first half of 2020 following the onset of COVID, MSP M&A has seen a resurgence, with valuations returning mostly to pre-pandemic levels. However, where transactions were previously structured as 100% cash buyouts, recent deals have seen up-front cash comprising closer to 50% of the purchase price in order to account for increased deal risk. MSPs with less than $2M of EBITDA generally trade at 4-6x EBITDA, whereas more scaled providers with $2-$5M EBITDA generally trade at 5-8x. 99% of the 40,000 providers in the fragmented MSP space fit in this size range. Thus, given their scarcity and the glut of private equity buyers looking to deploy significant capital in the space, MSP platforms with more than $5M in EBITDA often command super-premium, double-digit EBITDA multiples. Paradoxically, project-based IT consulting firms that specialize in app development and implementation/integration of popular software solutions like Salesforce are commanding the highest EBITDA multiples of any category in IT services. Though they generally lack the recurring revenue streams that make MSPs so attractive to financial sponsors, IT consulting firms that focus on hot areas like cloud transformation and e-commerce are getting 12-15x EBITDA multiples due to competition amongst strategic acquirers like Accenture and Genpact. We see tremendous opportunity to combine an MSP with a stable recurring revenue base with companies that have real expertise around cybersecurity, cloud apps, and/or data analytics.
Until Next Time: We look forward to keeping you updated on this growth strategy and learning more every day.