Build, buy, or partner: The bottom line on 3 paths into cybersecurity

The global cost of cybercrime is expected to skyrocket, exceeding US$23 trillion by 2027. In the United States, the cost of a data breach already averages more than US$9.4 million, which is over twice the global average. If a small or mid-sized business were to take that kind of financial hit, it could easily end up closing its doors for good.

It’s not surprising then that recent research from ConnectWise found that most SMBs (94%) would consider using or moving to a new managed service provider (MSP) if they offered the “right” cybersecurity solution. For most SMBs we surveyed, the definition of “right” means a solution that gives them confidence in their ability to respond appropriately to cybersecurity incidents.

We also learned through our research that SMBs would be willing to pay a new MSP 39% extra each year, on average, for the right solution. So, the revenue-generation opportunity for MSPs is significant. But before you step into the highly competitive cybersecurity space, you’ll need to make a critical decision: Should you build, buy, or partner to meet these growing demands from SMB customers?

Here’s a closer look at these three options and the pros and cons of each:

Option #1: Build—Start your cybersecurity practice from the ground up

Creating your own cybersecurity practice sounds ideal—and it can be. This approach lets you build out your practice exactly as you like. You can handpick your team, assemble a portfolio of skills and expertise to differentiate your business, and choose your own tools. You can also position your budding security practice in a way that aligns best with the needs and expectations of the verticals and customers you serve. On top of it all, you get the deep satisfaction of building a business from scratch.

The downsides of this approach? In addition to the sheer complexity of building your own cybersecurity practice, and the time and focus you’ll need to devote to doing it, the endeavor will be very capital-intensive. Consider that the cost of setting up a dedicated, 24/7 security operations center (SOC) could easily run you as much as $2 million to $4 million.

And, of course, finding and retaining skilled cybersecurity talent is tough—and that situation isn’t likely to improve anytime soon. From 2021 to 2022, the global cybersecurity workforce gap increased by 26.2%, according to the 2022 Cybersecurity Workforce Study from (ISC). And that same research found that more than 3.4 million more workers are needed to secure assets effectively.

So, the upshot is that unless you’re a large and more operationally mature MSP with strong cash flow and a pipeline of skilled cybersecurity talent, the “build” option will probably be too risky.

Option #2: Buy—Acquire your cybersecurity practice through M&A

Mergers and acquisitions (M&A) in the MSP space are common—and for that reason, most MSP owners are highly conscious of business valuations (as they should be). 

Many mature and security-focused MSPs—often called managed security service providers or MSSPs—are already operating in the United States and other parts of the world. So, acquiring a security-focused MSP is definitely possible if you’re game. Just be sure that you’re ready to go the distance with your search because it likely won’t be easy to find an MSSP that:

• Aligns with your specific cybersecurity objectives
• Is in a favorable geographic location
• Is available when you want to buy them—and at a price that makes fiscal sense

These challenges are why so many MSPs in growth mode are continually on the hunt for other MSPs and/or MSSPs. The reality is that it can take a significant amount of time and effort to find the right M&A candidates. And for these transactions to deliver the value you’re seeking, you’ll need to be vigilant about making sure the post-acquisition integration goes smoothly.

Despite the heavy lift in making an acquisition successful, the “buy” option can still offer your MSP business the fastest path to becoming an MSSP.

Option #3: Partner—Choose the right cybersecurity partner

For most MSPs, partnering with a global TSP solutions provider, such as ConnectWise, will make the most sense both fiscally and operationally. And it will be a lot less risky. Here are a few ways that a partner can help ease the challenges MSPs typically face when trying to break into the cybersecurity space:

• Partnering allows your MSP business to offer and fund MSSP services through monthly cash flows (OpEx) instead of writing massive, account-draining checks (CapEx).
• You can quickly stand up and deploy cybersecurity services—and realize superb profit margins.
• A large company can offer automation and economies of scale that a smaller company simply can’t, especially when it comes to SOC services

Partnering with a SOC provider typically means you benefit from unlimited support and can expect a predefined monthly expense. You can easily manage and monetize security-as-a-service—and take advantage of a tremendous opportunity to grow your customer base and revenue.

In fact, a Forrester Total Economic Impact™ study commissioned by ConnectWise, found that MSPs that partner with ConnectWise and use our Cybersecurity Management solutions to enhance their preexisting managed services offering realize an annual gross profit from cybersecurity-managed services worth $1.90 million .*

*Forrester defined the “composite organizations” in its TEI study as MSPs with 20-30 employees generating between $3 million and $5 million in revenue; for additional characteristics of these businesses, please see the full report.