Worklyn’s Post-Pandemic Predictions: March 2021

Five predictions for cybersecurity and IT services in the post-pandemic world

While the battle against COVID is not yet won, the arrival of spring and the increasing availability of vaccines for all who want them allow us to start looking ahead to the post-pandemic world for IT and cybersecurity services providers. Is remote work here to stay? Will the breakneck pace of cloud transformation continue to accelerate? What about the slew of ransomware attacks afflicting businesses small and large? What’s next for MSPs and MSSPs, and how will M&A dynamics in this industry evolve? Check out Worklyn’s Top Five Predictions for IT and Cybersecurity services in the post-pandemic world below for our thoughts:

(1) Cloud migration continues, as WFH and Zero Trust become the “new normal”: Even as the pandemic begins to wane and some businesses migrate their workforces back to the office (yes, real estate people, we know you’ve been back in the office since last summer), spending on secure cloud migration will continue to grow. Security product companies like Zscaler that offer a modern, zero-trust network access replacement for traditional VPN will continue to reap the benefits. Many companies will embrace more flexible, optional work-from-home policies to enhance productivity, while looking to shore up and secure newly-created cloud environments. As a result, customer demand for zero-trust network architectures will increase, and third-party providers, whether they call themselves system integrators, MSPs, or MSSPs, will need to take a consultative approach to help customers move critical data and functionality to the cloud, embrace zero-trust policies, and implement an entirely new universe of technologies that require consistent re-authentication and continuous authorization for employees and partners seeking to access critical data stores. A new class of MS(S)P will emerge that is dedicated to helping customers migrate to and manage zero-trust cloud IT architecture.

(2) Ransomware rages on, with increased focus on data exfiltration: Unfortunately, criminals have embraced working from home too. Ransomware will get worse before it gets better. According to Bitdefender, ransomware attacks increased by over 700% from 2019 to 2020. 2021 will be another record year for the number of ransomware attacks, and the average cost of ransomware will continue to increase (though it won’t double again as it did from 2018 to 2019) in 2021, making this year, again, the new high-water mark for ransomware. Increasingly, ransomware gangs and hackers will seek to extort victims with the threat of publishing data, recognizing that in this era of online outrage and information overload, consumer-facing companies have a massive interest in protecting their brand and preventing data leakage. Even if a breached company has done all the right things to implement robust backup and data recovery systems, the threat of data exfiltration and publishing will push some to pay out ransoms.


(3) Marketplaces reshaping the channel for MSPs: Online marketplaces have revolutionized B2C commerce (see: Amazon, Shopify), and are beginning to take hold in B2B sales environments as the pace of business digitization and technology innovation accelerates. Online marketplaces thrive when lots of (fragmented) end-customers are scattered around the market and those end-users are adept enough to procure and adopt solutions from home. Given its fragmentation – there are between 20,000 and 40,000 MSPs operating in the US alone – and the technology-forward nature of many MSP business owners, few markets are riper for transformation to marketplace-based procurement than MSP-land. The suppliers (e.g. technology vendors that sell tools to/through MSPs) will also be motivated to shift toward marketplace-based sales models, as developed marketplaces enable increased capital efficiency via reductions in longer-term sales and marketing spend. Both resellers and vendors are investing in marketplace buildouts -- not surprising given that investors clearly attach high valuations to so-called “platform” businesses. AppDirect recently raised $185M for a B2B technology service provider marketplace touted as Shopify for customers in need of recurring digital services, Microsoft has rolled out its Azure marketplace for qualified MSPs, and the leading MSP-focused cybersecurity vendors are also getting in on the act; in February, SentinelOne opened its “Singularity XDR Marketplace,” an open application ecosystem that enables customer and partner security teams to integrate new and third-party security tools (like Netskope, Recorded Future, and Splunk) into their Singularity XDR platform without coding or scripting. In 2021 and beyond, technology vendors focused on selling to/through the MSP channel will seize market share and expand margins by building out user-friendly marketplaces. And MSPs will be better off for it.
But the largest opportunity is beyond the reaches of the “big four” (ConnectWise, SolarWinds, Datto, and Kaseya) and any single MSP-focused vendor. Unsurprisingly given the complexity of “the channel,” no leader has emerged in creating a true marketplace for MSPs, but we expect that eventually, a startup unaffiliated with any single technology vendor will rise to unicorn valuation status by building a marketplace connecting MSPs with the latest technology tools.

(4) MSSPs migrate away from SIEM, race to MDR: As traditional network perimeters evaporate and both customers and providers embrace zero trust network architectures and enhanced identity management to prevent cyber attacks, managed security services providers (MSSPs) will continue to shift their offerings toward managed detection and response. And while customers in less technology-forward industries will continue to demand firewall management, traditional managed SIEM solutions, once the centerpiece of most fulsome MSSP offerings, are being disrupted. 

  • Bulky, traditionally on-prem SIEM solutions are struggling to hoover up all of the new IT and security data sources being created via digital transformation in a timely and cost-effective manner. Further, many SIEM customers (and managed services partners) are fed up with data-based pricing mechanisms employed by leading vendors like Splunk that make analyzing the many new data sources necessary to achieve proper security monitoring prohibitively expensive. Elastic, long a fan favorite alternative to Splunk in the security operations community, is also causing heartburn for MSSPs of late. Elastic, the critical “open-source” backbone for many MSSP-created SIEM solutions, recently changed its licensing to prevent AWS from offering a free version of their software, but this may also prevent MSSPs that had built customized managed SIEM solutions on previously-open-source Elastic tools Elasticsearch and Kibana from continuing to offer managed SIEM to end customers. Luckily for MSSPs offering managed SIEM, there is no shortage of analytics vendors primed to disrupt the space. Microsoft rolled out its cloud-native Azure Sentinel SIEM offering in 2019, and already a crop of MSSPs offering managed Azure Sentinel has emerged. Google Chronicle and AWS Security Hub are not far behind with their own offerings, while hot new analytics companies like Datadog are also poised to enter the traditional SIEM market, further disrupting the MSSP vendor supplier landscape.

  • On the demand side, customers, recognizing the expense of standing up their own SOC and the importance of proactive threat hunting, will continue to shift toward managed detection and response (MDR) solutions that enable them to outsource the entire process of data aggregation, analysis, and threat hunting to focused third-party providers. Winners in the MDR space will differentiate by either focusing on technology integrations (a la Expel) to serve more sophisticated end-customers or by mostly owning their technology stack, while being simple, easy to implement, and customer-service oriented (a la eSentire) to serve MSP partners. Customers struggling with the cost and complexity of managing their own SIEM would do well to consider outsourcing the entire threat detection and response process to a focused MDR provider that can manage their SIEM or replace that functionality.

(5) Transaction valuations diverging for MSPs, MSSPs: Ultimately, we’re in the business of acquisitions, so it wouldn’t be right if we didn’t try to call our own shot here. So what will valuations look like for MSPs and MSSPs over the next 12-18 months? 

  • To know where we’re going, we must know where we’ve been, and as we pointed out in our last blog, the pandemic didn’t put much of a dent in MSP transaction valuations, though there was certainly a lull in dealmaking during Q2 of 2020. We believe 2021 will see more MSP deals than ever, with many business owners rushing to sell before President Biden increases the capital gains tax. But based on the deal processes that we’ve been involved in since 2021, and seller-friendly market dynamics, we believe valuations for MSPs will continue to trend upward: the norm in 2021 will be 5-6x EBITDA multiples for MSPs with $250-$500K in EBITDA and 8-10x EBITDA multiples for MSPs with $4-$5M in EBITDA. Ultimately, it comes down to demand outstripping supply. First of all, there are more private equity suitors than ever, seeking to acquire majority recurring revenue MSP “platforms” with more than $2M of EBITDA. The paucity of truly scaled (more than $5M of EBITDA) MSPs is causing some sponsors to move down market to hunt for smaller game. Secondly, it’s really damn hard for an MSP to scale sales and marketing organically! Like it or not, many traditional MSPs still adhere to a very regional sales model, and PE-backed IT services shops are finding that the easiest way to acquire new customers is to acquire new businesses! This is leading to increased buyer competition even for acquisitions of smaller ($200-$500K EBITDA) MSPs. 

  • For the past five years, MSSPs have been an even hotter commodity than MSPs, and the demand for outsourced security services is only increasing (for many of the reasons stated above). However, we have reason to believe that valuations for MDRs and MSSPs are coming down from their peak. Pre-pandemic, the general consensus was that traditional MSSPs with north of $10M in revenue could expect to command 3-5x revenue valuations. But email security vendor Proofpoint’s thrifty ~$63M acquisition of InteliSecure, a leading provider of in-demand managed DLP solutions, for less than 3x revenue is a harbinger of changing M&A dynamics. Traditional MSSPs are getting squeezed from both sides, as increasingly security-focused MSPs compete for traditional managed firewall, SIEM, and endpoint work, and MDR/XDR providers lure away larger, more sophisticated customers that require more advanced solutions focused on threat detection and response. With few exceptions, private equity sponsors were never really willing to splurge on MSSPs as standalone platforms, and with few remaining strategics willing to pay up for managed network security capabilities, more traditional MSSPs looking to sell will have to accept valuations more in the range of 1.5-2.5x recurring revenue.
