Of ConnectWise, Security, and Ducks
The managed services giant announces a stealth XDR solution. Plus: hard data on how PE-backed MSPs outperform others and advice from ConnectWise’s CISO for balancing safety and innovation in AI.
When is a duck not a duck?
Please don’t waste time on that ridiculous question until I’ve set it up for you a little.
ConnectWise made several product announcements at its IT Nation Secure event in Orlando this week, including a new MDR service for Microsoft 365, a security-specific version of its SideKick AI companion, and a variety of updates to its RPA tool. The biggest and most intriguing launch at the show, though, was a solution named Security360 that Ameer Karim, ConnectWise’s executive vice president and general manager of cybersecurity and data protection, described as a single pane of glass for all things cyber.
“Let’s face it, when it comes to IT security, relying on too many tools can be a recipe for disaster,” Karim (pictured) said during a Monday afternoon keynote. “With Security360, partners will be able to integrate all their security tools.”
Among other things, the system provides centralized access to an MSP’s security-related tickets, alerts, and threats, and assigns a security score (akin to Microsoft’s Secure Score) based on real-time, consolidated information about a client’s endpoint, network, vulnerability, identity, and data posture. Technicians can execute automated measures to improve that score based on the system’s prioritized recommendations, and features still in development will add email security and threat intelligence consoles to the system.
Significantly, though, when ConnectWise says Security360 integrates all of an MSP’s security tools, it’s not just talking about its own. The system aggregates, correlates, and acts on input from third-party security products too.
Hmm. Consolidated data from the endpoint and beyond. A cross-vendor view of the threat landscape. Automated remediation. This sounds familiar.
Is Security360 an XDR solution?
“It quacks like one. It walks like one,” Karim, grinning broadly, said when I asked him as much. “We didn’t call it an XDR tool, but in many ways it smells like one.”
Yes, but is it one? Not just yet, according to Karim, but stay tuned.
“You’re catching on to where we’re going with it,” he says. “We could have come out here and said, ‘hey, it’s XDR,’ but to me XDR is evolving, so we want to leave some options open there.”
Assuming it does eventually evolve into a full-blown XDR play, Security360 will have some powerful advantages going for it in a crowded market. For one thing, ConnectWise has existing relationships with many of the managed services world’s best known security vendors. Most of those companies are already integrated with Asio, the next-gen application platform that increasingly powers everything ConnectWise makes, including Security360, so integrating with the new system will mostly be a switch-flip.
By extension, Asio will enable newcomers to ConnectWise’s ecosystem to integrate with Security360, ConnectWise PSA, and ConnectWise RMM all at the same time. “A vendor just plugs in once and, boom, shows up in all three areas,” Karim says.
Unlike most security and IT management vendors, moreover, ConnectWise has not only a long list of MSP partners for vendors to sell to but a marketplace to sell through. Indeed, Security360 will let users not only manage third-party solutions but buy them, according to Karim, and partner solutions may be included in Security360 bundles as well.
“Today they have to go one-on-one through their own marketing, demand gen, all that stuff,” Karim observes. Once they’re part of Security360, ConnectWise can do a lot of that for them.
It’s a pretty compelling value proposition that already has Bitdefender, SentinelOne, Proofpoint, and Microsoft, among others, committed to being part of the new product. Additional vendors are in the pipeline, and others still are exploring more creative possibilities.
“Vendors are thinking of things that they want to bring into Security360 and opening up, I’ll call it, private APIs to do something unique that adds more value as part of their service and solution,” Karim says.
Exhibitors I spoke with at this week’s show mostly learned of Security360’s existence on Monday when everyone else did and still have a lot of questions about it. But most see little downside and plenty of potential upside in being part of it so far. One likened Security360 integration to a kind of OEM deal that would generate revenue without precluding other routes to market. None regarded it as a competitive threat.
“Barracuda, like many security companies, would love nothing more than our partners or customers using our entire stack,” says Jason Beal, vice president of worldwide partner ecosystems at Barracuda Networks, a security vendor with an XDR offering of its own. “At the same time, I think in the industry we have a collective duty as well representing and on behalf of the end customers to work together better and to strengthen collective security.”
ConnectWise, needless to say, would also love to sell MSPs every security product it makes. Going to market collaboratively with partners, though, is core to a strategy we’ve discussed before that Security360 aligns with neatly.
“We don’t have all aspects of cyber that they offer,” says CEO Jason Magee of MSPs. “Even if we did, not everyone would be leveraging 100% of our cyber stack. So what we’re solving for is making sure that they do have one aspect that will simplify the tool stack that’s needed to protect them and their customers.”
Partners will get their first chance to put Security360 through its paces next month, when ConnectWise opens an early access program. The rest of us will get a look at how much progress the company has made on inking integration deals shortly afterward.
“We’ll be providing more updates probably another 90 days from now on additional partners and solutions,” Karim says.
Hard data on private equity-backed MSPs
Fortunately for me, IT Nation Secure coincided this year with the publication of Service Leadership’s latest IT solution provider industry profitability report. As a result, I got to discuss the data—all 350 glorious pages of it—with Peter Kujawa, who runs the ConnectWise consulting unit.
The headline metrics look good. MSPs in aggregate grew revenue 13.3% last year and adjusted EBITDA 27.8%. Valuations for all partners, including VARs, rose 22% to their highest levels since Service Leadership began measuring them in 1999.
The most interesting data in the report, though, is in its six special sections, which cover topics never studied before. Some confirm what we long assumed to be true but couldn’t previously prove.
Turns out, for example, that high customer satisfaction really does correspond with high profits. Service Leadership compared newly collected Net Promoter Score data with business performance figures and discovered that while MSPs in the bottom quartile by profitability have pretty good NPS numbers, those in the median quartile do 14.8% better, and those in the top quartile do 16.8% better than the median ones.
“We’ve long argued that the most profitable companies not only charge the most but also have the highest degree of customer satisfaction,” Kujawa (pictured) says. Now he has evidence.
Other findings fly squarely in the face of widely held beliefs. Would you have guessed, for example, that big fat private equity-owned MSPs have higher NPS scores than smaller counterparts? Despite their reputation for personal service, Kujawa explains, smaller MSPs are less operationally mature on average than bigger ones, and high operational maturity is closely correlated with customer satisfaction.
Perhaps less surprisingly given both their maturity and the economies of scale they enjoy, PE-backed MSPs grew gross margins nearly 2.2 times faster than PE-free peers between 2022 and 2023 and EBITDA close to 2.3 times faster. The EBITDA gap between PE and non-PE providers is expanding, moreover. At the start of 2022, it stood at 4.1%. By the close of 2023, it was 6%.
Sales budgeting, according to Kujawa, is part of the explanation. PE-owned MSPs are obsessive about setting sales goals and tracking them monthly. “If it looks like they’re going to miss on revenue, and therefore they’re going to miss under their EBITDA target, they’re going to move faster to make expense reductions or to delay maybe a new hire that they were planning on adding,” Kujawa says.
At first blush, none of this looks good for the many thousands of mostly smaller MSPs that neither have private equity funding nor want it. Their PE-backed competitors are growing margins and earnings faster and, despite their potentially impersonal scale, have higher customer satisfaction.
Still, Kujawa cautions against concluding that giant investor-funded MSPs (which, for reasons we’ll explain in an upcoming post, are about to get significantly giant-er) will inevitably sweep everyone else aside. Private equity-owned MSPs don’t outperform others in everything. MSPs without PE backing in Service Leadership’s best-in-class quartile have higher gross margin percentages than PE-backed peers, for example, and are growing those percentages faster too.
PE-owned MSPs also do less well on adjusted EBITDA growth on average than best-in-class MSPs. The gap shrank from 6.2% to 1.7% between Q1 of 2022 and Q4 of 2023, but that it still exists at all should offer MSPs without private equity behind them hope for remaining competitive.
“I don’t think the smaller MSPs should be afraid,” Kujawa says. “They should be looking at what’s driving success for those that are doing really well and figuring out how they can emulate that.”
AI’s delicate dance with innovation and safety
ConnectWise wasn’t the only vendor with an event this week, or even the only one with a security-related event. CrowdStrike, Cisco, and Veeam all hosted conferences too.
Barracuda, meanwhile, held its Global MSP Day, during which it published research revealing that 77% of MSPs feel pressure to offer AI insight and tools to end users and 87% believe their knowledge and use of AI could stand some improvement.
Indeed, many companies are understandably hesitant to deploy AI internally or sell it to their customers, notes Patrick Beggs, ConnectWise’s CISO. “They’re nervous about taking the first step,” he says.
And rightly so, it appears. Fully one third of IT and security professionals polled by HackerOne a few months back reported experiencing an AI-related security incident at their organization in the last year.
Given how carefully ConnectWise has sought to balance innovation with safety in its own AI endeavors, it’s no surprise the company dedicated a serious hunk of Monday’s IT Nation Secure general session to that topic. On the one hand, noted VP of Cybersecurity Initiatives Jay Ryerse (pictured left), AI is too rich an opportunity to ignore out of fear.
“Many of you have already begun hyperautomating and are well on your way to applying it within your walls to supercharge your organization,” he said. “Don’t stop.”
On the other hand, Beggs (pictured right) stressed, AI is too big a threat to pursue without forethought.
“Make no mistake,” he said, “AI is a runaway train, and you can’t be left standing on the tracks.”
Unfortunately, getting out of the way isn’t easy. Beggs presented a top 10 list of AI-related security considerations that spanned all the way from software supply chain security to training data quality and bias. It was only a partial list too.
“I shared 10 things,” Beggs says. “It probably could have been a hundred things.”
Where then to begin? First, Beggs emphasizes, get the cyber hygiene basics right. “MFA is table stakes,” he observes.
Next, map your infrastructure. “Know your attack surface,” Beggs says. “What do you have externally facing that could be exploited?”
From there, it’s a matter of slowly working your way through that top 10 list. “It’s the elephant. Bite it one piece at a time,” Beggs advises.
Finding and eliminating unapproved apps is a good appetizer. Back in the early days of genAI, for example, Beggs shut down the public version of ChatGPT inside ConnectWise to prevent employees from feeding IP to OpenAI’s training model. “Folks weren’t happy I did that, but I knew our own instance was coming,” Beggs says.
Ultimately though, adds Karim, the most important lesson is to start somewhere and keep going. Now.
“The bad guys are just as much moving as fast as they can using the same set of tools,” he says. “We don’t have time to think about this. We have to embrace and lean in, but do it with obviously responsibility.”
AI, security, and PitchIT
Security and AI go together. They need each other. They fuel each other’s growth.
No wonder then that at a time when venture capital firms are investing cautiously overall, the top 35 VCs announced 51 AI-related funding rounds in the first quarter of the year, according to S&P Global Market Intelligence, up from 31 a year ago. They’ve also doubled the share of dollars they pour into AI versus other sectors from 10% to 20%.
The future looks pretty bright for security vendors as well. Businesses worldwide will spend $87 billion on cyber software, hardware, and services this year, according to Canalys, up 9.9% from 2023. For context, Canalys expects all forms of IT spending to grow 6% in 2024, and sees no other market category—including IT services—outgrowing security.
One small but interesting way to see these trends in action is to peruse the list of contestants ConnectWise recently admitted to its 2024 PitchIT competition. As we wrote back in March, PitchIT is designed to help promising young vendors realize otherwise latent potential. Companies admitted to the program are eligible to win a $70,000 first prize and $30,000 second prize, but everyone participates in a 16-week accelerator program offering a crash course in sales and marketing, product design, secure coding, M&A, and more.
Now in its seventh year, PitchIT attracted a record number of applicants this year. Guess which two markets dominated the field?
“Literally forty, fifty percent were cybersecurity- and AI-focused companies,” says Sean Lardo (pictured), the ConnectWise evangelist in charge of PitchIT.
Those that placed among this year’s 26 contestants (including Cavelo, CrushBank, INFIMA Cybersecurity, SeedPod Cyber, and ThreatMate) can take pride in that accomplishment alone. According to Lardo, the applicant pool was not only bigger than ever but deeper with talent too.
“The competition has improved,” he says. “Some of these people are on their second, third business now.”
Separating the great from the merely very good took extra effort as a result. “We had to look for reasons not to put them in,” notes Lardo, who says the selection committee carefully scrutinized online customer reviews, media coverage, and social media activity.
“We boiled it down to really digging into their digital presence, because to us a strong digital presence is usually strength in the business,” he explains.
Contestants are in the early stages of accelerator training now. Toward the end of August, they’ll make two pitches, one to a panel of ConnectWise employees and another to the MSP community at large via a livestreamed broadcast hosted by Channel Program. The combined results will determine three finalists, who will make a final pitch live and in person on day one of ConnectWise’s IT Nation Connect event this November. The winner and runners-up will be disclosed a few hours later in front of thousands during the conference’s opening general session.
Also worth noting
Hail to the chief, as in chief commerce officer and president, the twin titles Pax8’s Nick Heddy now holds. See you in Denver at Pax8 Beyond next week, Nick.
See you in Denver as well, Dave Nankervis, to discuss your new job as CRO of cyber warranty vendor Cork.
See you in Denver too, Daniel Bernard, where you’ll presumably talk up the new Falcon for Insurability, which lets carriers provide CrowdStrike protection at preferred rates.
Wish I could have been at Cisco LIVE to learn about Cisco’s first post-acquisition integration with Splunk and the new AI-era Cisco Hypershield security architecture.
Would have liked to attend VeeamON as well to hear about its Data Cloud Vault, a new encrypted, immutable, offsite storage service.
Josys now has a multitenant version of its SaaS management app for MSPs.
N-able’s Cove Data Protection solution can now boot up standby images in VMware ESXi.
SaaSAssure, an interesting backup solution from Asigra that protects the many SaaS workloads most cloud-to-cloud backup solutions ignore, is now generally available.
Speaking of backup, Axcient now protects macOS endpoints.
Speaking further of backup and per hints dropped earlier right here, Object First has added storage capacity options to its immutable storage appliance for Veeam backups.
One last backup story: N2WS now has multicloud BDR capabilities for AWS and Azure. Back it up here and recover it there in seconds.
The Forescout Envision partner program now lets MSPs earn solution-specific specializations in network security, OT, cyber risk exposure, and more.
Eaton has a new line of Tripp Lite UPS devices with cloud-based monitoring and a new set of NetDirector KVM over IP switches for managing rack-level devices remotely.
ManageEngine has added passwordless, phishing-resistant FIDO2 authentication to its ADSelfService Plus solution.
Granite Telecommunications has a new network ops management platform named NOCExpress that is available in the Granite360 all-in-one service portal.