So good evening everybody, and let's get started. So first of all, a quick introduction from my side. I've been coming to this conference now for more than 10 years. I did identity management when it was still either efficiency or regulatory related projects. Now it has all turned into cybersecurity related projects because it has become one of the core pillars in zero trust. Why do I find the managed services market needs a twist? We're going to learn in the next couple of minutes, and I'll quickly go through the slides if this clicker works.
So we quickly take a look into the cybersecurity market and how it actually looks today. Then I think one of the reasons why the market is today how it is, is related to the products that are out there. And last but not least, we also strongly believe that industry and business expertise is actually needed to get to the right state in terms of cybersecurity.
So where are we today in the cybersecurity market? So first of all, we have a huge scarcity of experts, right? So if you look into every job portal, either before or after an attack, it depends on the number of job openings.
Typically after the attack, it's way more. And there are currently two and a half to three and a half, 3.5 million open headcounts in the market globally. And I think in Germany it's also increasingly high. Each CISO is under very high pressure, either from a regulatory perspective, the boards are going after him, and the business also wants innovation and doesn't want to be blocked by security related policies.
And in addition, we need to have a high level of visibility to be resilient and have a high degree of automation to actually respond to cyber attacks in a very short timeframe.
And if you are running an identity governance project for four years and you have just connected two systems, then maybe you are not where you actually wanted to be, and the return on invest of your software has never been accomplished. And that actually shows that there is typically a large gap between what a customer actually demands and what the market today supplies. And why did this actually happen?
And that's an assumption, and as I actually said at the beginning, it's a slightly provocative storyline. If I'm looking today, and again I have touched more or less every system that is deployed in the German market today, being an identity techie by heart.
We come out of a world where we had on-premise software, specifically in IGA, where we required lots of engineers and coded lots of functionalities into the product. And it required a very long implementation time. And it wasn't seldom that a project took 10 years.
Yeah, so many global organizations are still on the journey but still haven't accomplished what they actually wanted to accomplish by buying an identity governance solution. Now the market itself has developed forward and it all goes cloud, right? And you actually have a couple of different vendors and ways they approached it. So you have some of the vendors who said, well, possibly the step towards a complete rebuild of my software might be too high. It might be too high or too expensive.
I just move it into another private cloud and say, well, I have a cloud offering, which at the end is still the same product that is deployed on-premise, which per se is fine.
But if I'm comparing a PoC we executed last year, we have seen that during the PoC, the cloud vendor on a multi-tenant cloud solution released 45 patches of features in the timeframe where the other party with a single-tenant cloud solution has not developed anything. So you basically see a large economy of scale in the development of multi-tenant cloud solutions specifically.
Also, there's a huge ecosystem behind those software vendors. And you know, I've been part of that as well. I had my own company running this, and you basically live on all these large implementation projects, which is also a pretty good business.
However, the project itself changes if you go from legacy identity projects to cloud-based identity projects. And why is that? You have way more standardization in a cloud-based software than in on-premise, right? So in on-premise you can have a joiner process that turns three times in a circle and then creates all the accounts; in SaaS,
it's all way easier. And the ease of use in SaaS also requires less engineering capacity.
Now, I spoke to a couple of our clients and asked them, well, you want to go cloud on IGA? I understand this, but is your current managed service provider actually suggesting the way to go to cloud? And they said, no, actually no. And why is that? If a company that supplies a managed service consists 80% of engineers, they possibly don't suggest you to go cloud in a simplified way because it's contradictory to their own business model.
And you know, when I spoke about my outline and the agenda with a couple of people, I got a hell of a lot of examples that actually prove that there's a huge problem in the way all this contracting actually happens. Because many of those suppliers live on the back of change requests and actually block the innovation.
And if you look into the service management RFPs today, so if someone releases a service management RFP, it's all perceived as a pure IT project. So what should the service management provider do? They should manage all the incidents, tickets and stuff.
And if the tickets, I don't know, exceed a certain threshold, they get charged extra. If the response time or resolution time is not met, then possibly they get a fine.
However, even the discussion around this is sometimes a bit odd. So if you really buy a SaaS-based product and you buy a managed service around it, the entire uptime is already managed by your vendor, right? So I talked to a customer that said, well, we have a SaaS-based product and we have 24/7 support by our managed service provider, and we get charged extra for everything: account onboarding, application onboarding, et cetera. And I was asking, well, you know, this is a cloud-based solution.
What are they actually keeping the lights on for?
And the customer said, well, I think our contracts need to change going forward because it's not the outcome that we actually wanted to expect, because they don't meet all the compliance and regulatory requirements they wanted to have. They don't get the efficiency. And that's actually a nonsense discussion. So you rather should focus in a managed service setup on the outcome that will actually be brought to a customer.
And that maybe is an idea to think about: a business process outsourcing in terms of cybersecurity, where you actually outsource a business process instead of the runtime of an IT tool. And specifically if you look into the innovation, yeah, the customers are not able to innovate fast enough because they're battling with their service providers on, oh, is this a change? Is this in scope, is it not?
So maybe changing rather into a capacity-based model, where you secure the resources which are already discussed for the innovation that you actually need, would make more sense than just debating on, you know, let's keep this guy idle for another two weeks because we need to discuss whether this is a change request, whether this is still in budget or whether we raise another PO, which is not bringing any value for the customer at this point.
And therefore, let's say the ask is actually that managed security service providers should not act like a pure IT provider, but rather bring skin into the game and actually take end-to-end responsibility for process efficiency, compliance controls, and also improvement of the process itself.
So if the process is designed wrongly and is already bad, they don't have an interest to improve it because they live on the tickets they get, right? It should be their interest to improve the process and help a customer actually run smooth and easy-to-use processes, and take over this responsibility.
And here comes my perspective on why business and industry expertise is needed.
You know, as a PoC we could come out now with typically regulatory stuff and everyone says, oh yeah, we are not highly regulated, et cetera, et cetera, which is boring. But I take the most easy stuff that is currently in the market and the pain for 90% of my clients: I'm working with the typical cyber insurance KPIs. I actually take three and they're easy to measure. A hundred percent MFA for all users, a hundred percent MFA for all administrators, and patch and vulnerability management within 40 days.
The managed security provider, the security service provider, does not have any interest to reach those goals. Why? Because he's running the Azure AD instance or whatsoever, Okta, you know, he possibly runs CyberArk and he runs a product to patch the systems. Whether he meets those KPIs, he doesn't care.
Then I speak to those customers and said, well look, how do you stand on a hundred percent MFA for all users?
Oh, that was easy. We rolled out the authenticator app for everyone.
I'm like, interesting. How many applications do you have on your cloud IdP?
He said, well, four. How many applications do you have in total? 1,200. So now if an attack happens and one of these 1,200 apps is compromised and there was no MFA on the access of this user, the cyber insurance won't pay. So how do we spend the capacity then of the provider? We have to onboard more applications, because that should be in the interest of both sides: of a security service provider that helps an organization to stay secure, and similarly of the company as well, to delegate this responsibility to someone who actually knows how to onboard the bulk of applications.
And that is the same for the administrators or for patch and vulnerability management. However, running a patch and vulnerability management system is not that bad, right? But if you don't know who owns the asset, how do you patch the system, right? So as a consequence, end-to-end process thinking is required to actually run a proper service in the long run.
And I hope that already explains why the managed security service market needs a twist. Yeah.
Because we cannot keep on coding the hell out of a tool and then, you know, living on the back of change requests. We rather should focus on providing the right value and spend the capacity of scarce resources in a way that companies are actually staying super secure. And just as an example of this business process outsourcing. Yeah.
So if you delegate the process ownership, maybe not accountable, but functional, to your provider with the right functional expertise on how to run and execute such an efficient process, you actually mandate him to improve the process in the long run and stay efficient for the entire time. Specifically a topic which I discussed yesterday with one of the CISOs who's running around here, which is a topic about data quality in an identity management tool.
No one cares, but if the process runs on a, you know, non-existing approver or on a, I don't know, on an application that doesn't even exist and it just throws errors, no one is managing it, right? However, the identity experts, they actually should know which information should always stay with content and which one can stay without content, because those properties are actually required to keep your process efficient.
And if they still charge you tickets because, oh, we had to resubmit a new data owner because it was gone, then the process itself of the mover and the leaver is not properly built. Right? So specifically on IGA, it's quite easy to explain: if you build the wrong process, it cannot be the part of the managed service provider to even earn money on it. And now back to the regulatory industry expertise. Yeah.
So if, for example, in banking, companies need to adhere to certain compliance regulations and a user account needs to be deactivated within two days, right? There should be a reporting on it where the security service provider has the ownership and actually discusses actively, hey look, we have a couple of users who are currently not being deactivated, specifically on those large critical applications like Bloomberg, which are loosely connected, et cetera. How do we handle it for your client?
Because we have the intel of the data that we are actually seeing right now, and how can we help you in driving this and rethinking this model of change requests? They are really charging for everything, which is inefficient.
You know, that cannot be the case going forward because we are really, really wasting a lot of money and energy on both sides. Yeah. And the capacity is not used at all.
So possibly rather figuring out how much capacity do I need for my dev and my ops per year, per week, et cetera, and how can I scale it up and down depending on my needs per year, instead of focusing on these, you know, little items of, yet another change request, I need to adjust an email template or whatsoever, right?
Because that is just a silly process, and I hardly believe, and I don't know how many of you guys have run an identity management product yourself, I've seldom seen that an identity management solution just breaks out of nowhere. So if you ask someone for 24/7 support, I can relate.
Yeah, that makes sense. Now, if this system is broken, and I don't know how many had such a broken system, you need to have the really senior experts trying to understand each business process.
What was it? Was it the Kubernetes cluster that crashed was the wrong data from HR that came in? And you need to have a group of people, kind of an incident response war room who quickly figure out where is the problem coming from and how do we solve it?
Having a junior resource sitting somewhere and being charged for this, who anyway can't help you in such a critical moment, doesn't help you either, right? So we rather should focus on where our problems are and how we solve them properly at which moment in time. Because also if you get a ticket which says, well, we have an SLA, you know, I recently also had this SLA discussion with a client and they said, well Maurice, we want you guys to accept a ticket within four hours, but we have a resolution time of five days.
I'm like, that's a nice discussion, but if it's a priority three ticket and I have five days to solve it, why should I click on it within four hours? So there's no benefit for you having this discussion with me.
Why haven't I clicked on it? Because it's nonsense. Yeah. You should rather focus on, hey, let's have a daily report: how many tickets are coming in, how effective we are, how can we actually lower the number of tickets, because it's a process problem or it's a data problem where we talk to HR or whomever, instead of measuring, you know, nitty-gritty details, which are pretty IT related actually. And last but not least, the innovation for a company will be key. Yeah.
So we recently spoke to a customer that said, well, I want to onboard a new supplier to my procurement system.
And the guy from IT said, well, that's not possible.
I'm like, why? It's a chap on site, you know, just take single sign-on and make another group of people who can access it.
Oh, this guy said, well, I don't have time and I actually don't want to do it. So I spoke to the guy, he said, well, you know, I don't want to change my system at all anymore because it's somehow stable, you know, and that's easy. So onboarding a simple application to provide business value needs to be the right discussion, instead of, you know, blocking yourself in a conversation which is going nowhere.
So my ask basically to the suppliers, as well as to companies that release RFPs, but also to the product vendors: rethink the cybersecurity managed service model in a way that you basically outsource a cyber business process for larger companies. That might be an option for smaller companies; for mid-market companies, for example, it must be a must option maybe, because they only have one CISO. Yeah. And he doesn't even get security people because people don't want to join the company.
They'd rather go to the modern tech startups than say, well, I want to be a security engineer in a large organization. Right? So I think that is important to actually stay secure, which I think nowadays for identity management specifically is important in the first place; stay compliant, because otherwise my PwC auditor colleagues go hard after them; and stay effective in the process that you design in the first place to make sure you don't have problems day in, day out with hundreds of tickets. Thank you very much.
Wow,
Thank you.
So this is quite revealing, that actually not changing things, but treating upgrades as a change request and maintenance even as a change request, is the sort of distortive, extortion-type of business model. Do these customers know what's happening to them?
Well, I think they know, but I think they are currently option-less because there are not so many offerings in the market that actually solve the problem.
It's difficult to escape, and what can they do to escape?
Well,
I think at the end the market demands what the need is, right? It's not the supplier who dictates what the demand should be, right? So actually if you rethink the way you do cybersecurity today or run your identity governance solution, it would be a different way of doing it. Right?
Yeah. I have some questions from the audience as well. What commercial contractual models do you recommend entering into with MSPs that incentivize optimization for both the customers and the MSPs?
To incentivize?
What type?
Yeah, when will it be better for both of them? What type of contract models?
Well, at the end I think the contract more or less stays the same, right? But you move your IT SLA criteria to B criteria maybe, and rather design the A criteria to the needs you actually have. And if, for example, someone really improves the way your identity project, and I hope you're all identity guys in here, yeah, yes, runs, and you have less tickets, you have a nice interaction with your peer groups in your company with all your business stakeholders, that actually sheds very good light on yourself, on the tk, you know, on everyone.
And I think that should be kind of the gain for both sides, right? Yeah.
It sounds like that. Yeah. And then there's one: how to curb increasing costs from your managed service provider as you onboard more applications and more effort is required to run.
That's a good one. And there are different ways of doing it, right? Because there's also always a tendency and a risk that the supplier always says, oh, this connector costs 40,000, this connector costs 50,000, and you can't really judge. Yeah.
So possibly you even have one or two suppliers that help you run through the process and say, okay, you know, we know what the connector type actually looks like, we know how to build it, and we gain more efficiencies in how to run it. Secondly, if those managed service providers are doing this for a hundred clients, there are so many SAP connectors in the world that have already been built. So there should be some efficiencies out of assets that someone can just bring.
So I can only speak for myself. We are running a library of 250 connectors that we just reuse and don't charge extra for to the client, and say, well, that's part of the project that we are delivering as a value, because we have been doing this for 15 years. Right? So I think there should be a discussion of how often you are reusing this connector going forward.
This is now a custom application that your internal gives,
Actually your architectural design could be more or less cost consuming, taking more or less running cost and development cost, depending on how you are scheduling your whole setup. Correct. Well, this is very insightful, at least to me. Thank you very much, Maurice. Thank you.
And well, I hope we all have a good lesson learned from this and that we can move to a better constellation for these contracts.
Alright, bye-bye.