The Solution to the Growing Divide Between Providers and Clients

Gartner® recently published a report called, Emerging Tech: Grow Your Security Service Revenue with Cybersecurity Validations. We believe the report provides research from a buyer’s perspective on security services they purchase while offering guidance to MSPs and MSSPs on how to improve retention and upsell rates of the critical services they provide. So, what has Gartner discovered, and what do they recommend?

Download Report Now

From the buyers’ perspective

Since Gartner performs inquiry sessions with clients who purchase security services, they have a unique opportunity to learn what organizations are most concerned about. In the report, it highlights some of the key findings as follows:

• “As more executives engage in the cybersecurity purchase and retention decision, security service clients are wanting more than just threat detection and response for their IT/OT/cloud environments.
• Many security service clients express frustration in not knowing what their provider does for them, and they question the benefits of the service.
• Security service clients lack cybersecurity resources and look to their provider for guidance on what to do to mitigate risk. They want a partner that will proactively help them improve their security maturity.”¹

Also in the report, clients expressed the desire to have processes in place so that they can validate their provider’s security services are working as claimed since they struggle to confirm the results of their providers. These processes would include a way of validating that services are improving clients’ security postures, reducing their risk, and securing their critical data and operations. The discussion around validations in the report highlights several technology areas to consider like:

• Attack Surface Management (ASM)
• Breach and Attack Simulation (BAS)
• Automated (Autonomous) Penetration Testing and Red Teaming

From the providers’ perspective

On the flipside, Gartner had inquiry sessions with service providers who expressed their upmost desire to help clients prevent negative outcomes from cyberattacks. However, they lack clarity on what the client’s security posture is and seldom see clients taking responsibility to improve their position. As we can see from the report, we feel there is a disconnect between those who purchase services and those that deliver them.

Why this report is important as per us

Gartner has the distinguished role of hearing from both sides of the many dilemmas in our industry. And when they do, we feel not only do they provide an analysis of what they hear, but they also bounce solutions off both sides of the jam to see what sticks. And in this case, the Gartner report provides actionable recommendations for sellers of security services.From the service provider perspective, the report provides critical insights about how to grow revenue with distinct options providers should consider, and advice on what to do from both a short-term and longer-term outlook to meet their clients’ needs. Simply put, clients want more out of their providers and are willing to invest in enhanced services. Following the guidance in the report will turn out to be a win-win for both parties involved. Those who want to learn more about the contents in the report can download it here. [link]

Why we think Horizon3.ai was mentioned in this report?

Because our autonomous pentesting solution, called NodeZero, is the AI-driven pentesting co-pilot MSPs, MSSPs, and security consultants have come to rely on to meet their clients’ growing needs for validations—and more. The reason for this is simple. NodeZero is a force multiplier that helps service providers perform comprehensive adversary emulation and autonomous penetration testing exercises. This allows providers to meet their deliverables, enhance their clients’ security, and improve revenue and retention, all while tremendously reducing the amount of time needed to do so.

“We are seeing a tremendous uptick in interest from security providers who want to up their game and expand their services to include security assessment as part of their repertoire,” says Snehal Antani, Horizon3.ai co-founder and CEO. “They tell us there are not enough skilled assessors (aka pentesters) to perform the needed services. For example, there are only about 6000 OSCP certified ethical hackers in the US alone, and fewer elsewhere. This fact leaves providers often unable to deliver and/or enhance their services to meet client demand. This is where NodeZero comes into play.”

Today, there are many security service providers, MSPs, MSSPs, and security consultants who have standardized many of their services on NodeZero, stating that it is enabling them to overcome the limited number of pentesters they can tap into today. Not only can the solution run autonomous pentesting, but more importantly, the solution helps build a baseline of where service delivery clients are upon service engagement. This way, providers can validate improvement over time and clients can rest assured risks are reduced.

For example, “NodeZero has changed the game for my team and for our customers. What took us five person-days is now less than two days, and our customers can get frequent telemetry as opposed to a periodic snapshot of risk,” said Kelly Robertson, CEO at SecureCENTRX.

NodeZero enables providers to see their clients’ networks through the eyes of an attacker. With this perspective, they can continuously identify attack paths and exploitable weaknesses that need fixed. These weaknesses span critical vulnerabilities and misconfigurations, compromised credentials, sensitive data exposure, and ineffective security controls and security policies. NodeZero’s reporting interface enables security providers and clients to easily understand attack paths, what weaknesses to prioritize for fixing, and how to fix them. This results in reducing mean-time-to-remediation (MTTR) and helps them prove their services are delivering increasing value to their clients. MSPs and MSSPs can charge clients to fix problems that NodeZero surfaces, and they and their clients can use NodeZero to conveniently verify fixes. No longer will clients be in the dark about service efficacy.

Strategic Planning Assumptions

According to the report, “The number of security service providers that provide cybersecurity validation assessments to test their service efficacy and their client’s security posture will grow from less than 10% in 2023 to up to 40% in 2025 and over 50% by 2026. Security services providers that adopt this cybersecurity validation assessment trend will see improvement of over 5% in their acquisition, retention and upsell rates.”

After reading this report, we believe service providers that want to align to these strategic planning assumptions should seriously consider onboarding NodeZero as part of their assessments to meet these strategic goals.

¹Gartner, Emerging Tech: Grow Your Security Service Revenue With Cybersecurity Validations, Travis Lee, 10 April 2023.

GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

The post Clients Want Assessments to Prove Service Efficacy appeared first on Horizon3.ai.

*** This is a Security Bloggers Network syndicated blog from Horizon3.ai authored by Horizon3.ai. Read the original post at: https://www.horizon3.ai/clients-want-assessments-to-prove-service-efficacy/