Trends and M&A Opportunity in Managed Security

Managed security is a rapidly evolving sector and an area of focus for Harris Williams. Here, we discuss current trends and observations on the sector and broader cybersecurity with Lewie Dunsworth, CEO of Nuspire.  

Key Topics 

  • Modernizing a managed security business 
  • Identifying the right cybersecurity services to provide 
  • Technology-agnostic versus proprietary solution approaches 
  • Managed security needs by company size 
  • Key company attributes for M&A investors, and role of M&A in subsector evolution 

Basmajian: Let’s start with your background, and what drove you to join Nuspire.  

Dunsworth: I’ve been in technology for more than 20 years, where I’ve had the benefit of learning both telecom and IT operations and, for the last decade, have been 100% focused on cybersecurity. I’ve held a variety of roles across analysis, technical support, architecture, engineering, and monitoring, all in a 24/7 capacity. So, as the leader of a managed security services provider, it’s easy for me to understand and empathize with what’s involved in day-to-day operations. It’s definitely not for the faint of heart, but extremely rewarding when you do some good for the world, clients, and the industry.  

When I was at H&R Block 15 years ago, I led all of IT operations at over 13,000 offices globally. Never would I have thought that would be the easy part of my career, but our CIO at the time came to me and said, “What do you know about cybersecurity?” At that point, it was still an evolving domain in technology, but H&R Block had begun the transformation from pencil and paper tax returns to a more digital experience and needed someone to develop its first cybersecurity program. I stepped up to the challenge. It was the best and worst time in my career, as I had to intimately learn every aspect of building a cybersecurity program from scratch. That involved the technical side, business side, selling stakeholders on benefits, and more. As a result, there are very few cybersecurity domains, if any, that I don’t know well.  

In subsequent roles I led various cybersecurity functions at Cerner, Optiv, and Herjavec Group. At Cerner, I was responsible for corporate cybersecurity, cybersecurity for the healthcare hosting environment, and cybersecurity outsourcing. This is when I first got the “itch” to move to the provider side of the industry. So, in 2014, I made the leap over to FishNet Security, which merged with Accuvant to become Optiv, and handled a variety of lines of business across professional services, advisory services, and managed security services.  

Once I got that experience, it was time to take my show on the road at Herjavec Group, where I led all global security services for Robert Herjavec. These opportunities proved to me that I was pretty good at this cybersecurity stuff and that I wanted to help more than one company at a time. So, moving forward, I decided to focus 100% on managed security services, where I could help clients get more secure over time.  

It’s easy for me to relate to our clients, and them to me, because I know how cybersecurity programs are built. I’ve been on the front lines and have the scars to prove it. I can empathize with them, ask relevant questions, get to the heart of the problem, and propose solutions that will help them get the outcomes they need—not mine. Overall, having the experience as a longtime consumer and provider really helped me prepare for my role at Nuspire. 

Naithani: How has Nuspire evolved under your leadership? 

Dunsworth: I came to Nuspire in 2019. The company was appealing to me because it was at an inflection point. At the time, Nuspire was a strong, healthy business, but I knew if we pivoted in the right direction, we could serve the industry in an entirely new way. I wanted to build a sustainable company that could stand the test of time, while leading with a foundation of core services tied closely to what our clients truly needed and expected from us. Effectively, we could continue building an extremely strong business and, at the same time, transform the experience clients would have working with Nuspire as their managed security services provider. 

A lot of traditional managed security businesses in the industry started out as VARs (Value-Added Resellers), added on professional services, and evolved to managing a variety of needs in a client’s environment. Each client served is a bit unique, and somehow you must customize at scale. Not everyone can do it effectively because clients are always asking us to provide different services or fulfill different responsibilities for them. Over time, it’s easy for MSSPs to lose a bit of their identity because they’ve spread themselves so thin, with a huge portfolio of services, that it’s hard to be great at any one thing.  

In Nuspire’s case, the company historically served the auto industry and developed a very industry-specific set of services over a couple of decades. I joined in 2019. At that point, our private equity investor, Abry Partners, had been involved with the business for a few years and had begun to recognize that there was a huge need, and market, outside of the auto manufacturing industry. They had made the decision to build out a direct sales organization focused on the middle market while enhancing how we provided services to our legacy auto-manufacturing clientele.  

When I entered the business, we collectively determined that having a multi-pronged service delivery business would create a uniquely different provider in the space. Essentially, we could serve myriad clients from SMB to enterprise. But to do that, we needed to modernize operations, get the right people in place, and super-charge it with a modern technology stack. We would have the best people delivering the best services powered by the right technology. It’s been an incredible experience, and we’re excited about the future. 

Basmajian: How did you identify the right services to provide, and how do you see cybersecurity needs evolving? 

Dunsworth: We’ve intentionally and systematically reduced our solution offerings down to four. Nuspire’s core services include: 

  • Traditional managed security services, which includes managed gateway/firewall 
  • Vulnerability management 
  • Managed detection and response (MDR) service, powered by our internally developed or third-party security information and event management (SIEM) platform  
  • Managed endpoint detection and response and cybersecurity consulting  

Our portfolio of services for clients is built to protect the perimeter, understand where they are vulnerable and prioritize patching, monitor their environments 24/7, protect and monitor endpoints wherever they may be in the world, and provide consulting services to help clients understand where they are today, where they want to go tomorrow, and how to get there. Essentially, we help them get the most they can out of every cybersecurity dollar spent. We fundamentally believe these are the key services all customers need to appropriately manage, monitor, and secure their IT infrastructure today. 

Looking ahead, we see two horizons. The first big opportunity is cloud security and the future convergence of IT and security it brings to modern technology implementations. So many organizations are struggling with migrating effectively to cloud-based solutions from an availability, security, and cost perspective. There are so many benefits they can gain from leveraging cloud-based platforms (IaaS, PaaS, and SaaS), but they know they can’t put their businesses at risk.  

That’s where we step in today and where we are building for the future as well. We take the cloud expertise we have and help them protect and monitor their environments while continuously investing in other services like cloud security posture management, zero trust designs, and proactive monitoring of client environments for bad configurations. Like most organizations, we have ground to cover in marrying what clients need when it comes to cloud and what makes sense for us to provide them. Either way, cloud security is here today and is going to become an incredibly important part of our services portfolio for the foreseeable future. 

The second critical opportunity is identity management. With the explosion of the cloud, hybrid work environments, and the Great Resignation, clients have started to feel a lot of pain when it comes to managing user access to company systems. It’s no longer a question of what type of user, standard or privileged, but rather what they have access to, when they have access to it, from where, does it match their past access and behavior, etc.  

There are so many risks associated with a client’s ability to control user access and authorization, that it makes sense to have a strong approach to managing and governing identities and ensuring you monitor that access for any suspicious or malicious behavior. As we evolve, our strategy is to protect our clients wherever they are and with whatever they are doing. That requires significant focus on identity whether it is a user, device, or persona.  

Although we’ve been laser focused on four key areas, protecting clients’ cloud environments and identity throughout their network will be a key area of focus for all cybersecurity companies in the coming years, and we’ll be there to help them out. 

Naithani: Why did you take a technology-agnostic approach versus building a proprietary MDR or EDR technology like some of your peers? 

Dunsworth: Within managed security, only a small group of companies have stood the test of time, and many that have are no longer as relevant as they were 15 years ago. Technology is fleeting and, a lot of time, isn’t the root cause of why the client needs help. There’s a large amount of investment, scale, and people needed to stay ahead of the industry and compete on the technology front, and it requires a bit of luck here and there. A lot of MDR companies received a significant amount of capital or took on quite a bit of debt over the past few years to build out their platform and remain relevant, but have yet to generate profitable income. 

Over the next few years, that phenomenon will change as investors push for more consistent profitability associated with those investments. One thing that I’ve learned over the years is that good financial fundamentals in a business always attract people with money. Given the staggering number of companies in the sector and overall competition, companies that can be agile and stay in lockstep with their clients and industry evolution will have an advantage in the future. There are many companies that are married to their homegrown technology suite and the service it provides. They will struggle to capture additional market share without significantly investing in new services, in resources to support those services, and in technology required to keep up with the “bad guys.”  

That’s why Nuspire intentionally pursued a technology-agnostic approach. We could partner with a range of technology companies while spending our time, money, and resources developing a platform that allows those technologies to work better together. If a client wants to switch technology solutions, they have the flexibility to do so because we can deliver any technology from our platform while providing ongoing services with that solution. It’s essentially plug and play. This approach allows us to focus 100% on the client, the client experience, and their expected outcomes without having to always worry about the relevance of a product over time. 

Basmajian: How are managed security needs different between small, mid-market, and large organizations?

Dunsworth: Smaller organizations want “one throat to choke,” have very limited resources, and are looking for the most benefit per dollar they can get from a services provider. They look for providers that can do basic infrastructure management (routers, switches, servers, endpoints, etc.), manage firewalls, and offer some sort of endpoint security. This is typically an area where we partner with IT MSPs to provide security services on top of what they supply their clients. However, smaller organizations typically don’t have a large security technology stack or the desire to monitor their environment 24/7.  

As a client grows into the mid-market, the need for more security services increases, and regulatory and compliance requirements grow, but they still want a singular provider capable of delivering everything. It starts with gateway management (FW, IPS, content filtering), vulnerability management (scanning and prioritization), program consultation (VCISO), and ultimately pulling it all together from a 24/7 monitoring perspective with managed detection and response. Some of the other services they expect are risk assessments against control frameworks (ISO, NIST, etc.), compliance assessments (PCI, HIPAA, etc.), technical assessments (penetration tests), and finally, when something goes bad, incident/breach response capabilities.  

The challenge is that most MDR providers spread themselves too thin. Instead of focusing on what they do best and partnering with other companies where they don’t have a strong capability, they try to do it all themselves, which ultimately dilutes their service delivery experience. It’s all about the approach: You either try and deliver everything in a mediocre way, for the sake of revenue, or you partner with others and share in the success of the client. We are 100% in the latter camp.  

Large enterprises have the resources to use who they want, when they want, and how they want. Often, budgets are distributed across a variety of different organizations, leaders, and business units. Business divisions typically invest in different products to address acute pain points. For example, one business unit could have a problem with endpoint security, and another business unit could be grappling with monitoring their entire network. So rather than worrying about finding a singular provider for all their needs, enterprises approach the provider they believe can best solve that specific problem—the provider that is best at that particular service. 

In the future, I expect customer needs will change quite a bit as enterprises begin to centralize investment decisions and gain economies of scale across the business. It’s a cycle of life scenario: Small businesses like to use one provider, mid-market businesses realize they want to have one provider but their needs are evolving beyond their partner’s capacity, large businesses have the flexibility of using best-of-breed, and, ultimately, enterprises eventually come back to reaching the same outcomes by centralizing investment decisions to reduce costs. 

Naithani: With many new entrants coming from adjacent sectors, the competitive set in the industry has increased. Who do you see as competition, as a broader group of companies are now providing security services?

Dunsworth: It’s a market share strategy versus a client outcome strategy. Many organizations opportunistically provide managed security offerings to do more for a particular client. I had a CEO of a security services provider tell me one time that “he’ll build it when he sells it.” While that’s not a bad approach, it puts a lot of pressure on the operational teams to provide a great service and produce happy clients. Without a more strategic approach, the managed security services industry has developed a bit of a bad reputation. Clients know they need it, but it’s not going to meet their expectations.  

It’s like someone needing a car to get back and forth to work. They can only afford so much, so they settle for a vehicle that they know may have issues, and there will be times they’re standing outside by the side of the road in the rain with a broken-down ride. Unfortunately, too many providers create services in a reactive rather than a proactive way; tactical instead of strategic. Very few are thinking about where they want to take the business, the specific pain points they are trying to solve, and the outcomes expected from the client. 

Our approach to our services portfolio is 100% around creating happy clients by meeting them where they are in their cybersecurity journey, helping them become more secure over time, and helping them achieve their expected outcomes, not ours. If we do right by our employees and clients, we will always be successful as a business.  

For example, ransomware is one of the biggest threats for any client today. There are so many companies out there pitching how their technology can solve the ransomware problem. However, it’s not a technology problem; it’s a risk and process problem. This is where we step in with clients on our vulnerability management service. We will scan their environment and prioritize their results for them. But that’s just half the battle; how do you do that consistently? What process do you have in place for periodic (monthly, quarterly, etc.) patching? What controls do you have in place to protect vulnerable assets?  

Essentially, we go into the guts of a problem to help guide our clients appropriately. So, in short, we know clients need a vulnerability management service. But, as we build it, we truly consider the people, process, and technology components on both sides: Nuspire AND the client. Then, as we evolve the service, we know the changes we make are rooted in achieving client outcomes versus capturing more dollars.  

More broadly, when you start to think about the competitive nature of the industry 10 to 20 years from now, most of the IT infrastructure and software applications will be in the cloud. Security has always “followed” IT to a certain degree, but in this case, security is becoming more part of the conversation. We will see a convergence of sorts, meaning clients will begin to expect that security and compliance are part of the equation/design in the cloud/software versus being bolted on after the fact. The companies capable of addressing both of those trends will be the businesses that endure.  

Basmajian: What should buyers and investors be considering as they look at potential MDR and managed security service provider (MSSP) assets?

Dunsworth: The managed security industry has proven that it can be very profitable for a lot of people in a variety of ways. Investors are focusing much more consistently on underlying fundamentals for a business as well as scalable operational capabilities. Top-line growth is great, EBITDA shows you are managing that growth appropriately, and gross margin is effective in telling you whether the cost of revenue is in line with that growth. It’s difficult managing across all of those metrics, so for most investors, it’s an “eye of the beholder” situation. What are they looking for, and how do they think they can help? For an MDR provider, I would typically dissect certain parts of the business to better understand the state of that component. 

First, I’m looking at the leadership. Are they security practitioners or salespeople? If the latter, do they surround themselves with subject matter experts on the services they are providing to clients? Do they have a good mix of external hires and promotions into leadership? 

Second, I would specifically look at the efficacy of a company’s technology stack. What are you getting from the investment? Is it a modern technology stack? Is it native to the cloud? Is the infrastructure scalable? Where have they cut corners? How did they come to some of the design decisions they came to? What does the roadmap look like? What is the cost of keeping up with the competition? And, most importantly, is it designed and built to support a business 10x larger than what it is today? 

Finally, from my experience, I don’t think investors spend enough time unpacking the operational side of managed security businesses. From a true practitioner perspective, is the service being delivered in a way that meets the expectations of it when it was sold? Are there good operational metrics? How is automation being used? How do they eliminate noisy work (i.e., false positives)? Is the resource model scalable? Are they hiring the right types of skillsets to do the work required and expected by the client? Is the model efficient? Are there clear lines of accountability? Are the clients really happy with the service or just satisfied against lower expectations? 

Naithani: How will M&A shape the industry over the next decade?

Dunsworth: The MDR space is extremely fragmented and, more specifically, the landscape is incredibly noisy for clients to navigate. As an industry, we do a horrible job of educating customers and a wonderful job of confusing the client through marketing, fancy terminology, and how we are different, when a lot of times we do the same things but just frame it differently. It’s very difficult for clients to truly be confident that, when they sign a contract, they are 100% sure they’re getting what they expect to get. 

I would also say that very few MDR providers do all of the following very well: operations, technology, growth, and strong financial management. At that point, it comes down to rapport, what means most to the acquirer, the tail for effective integration and how it feeds into the business overall, and pre-determined strategy. 

In my opinion, to do M&A the right way, you must invest in the right set of capabilities that complement your core cybersecurity strategy. While scale is important, building the right foundation and capability set in the right manner is even more important. When Nuspire thinks about scale, we think about understanding where the industry is heading, and we consider how to pursue and acquire capabilities that help us get ahead of the market opportunity.  
