Welcome to “what’s next,” a series of posts exploring potential startup ideas at the intersection of industrial control systems and cybersecurity. This is part 8 in the series, which will conclude in early August.
Idea #4: Starting a “managed security services provider” (MSSP) specializing in industrial control systems cybersecurity.
It was the most frequent thing I heard as I conducted over 100 interviews on the topic of industrial control systems (ICS) cybersecurity. From board members to CEOs, COOs and CISOs (not to mention my time coordinating these matters at the White House), time and again senior leaders routinely said to me, “I just want to pay someone to solve this problem for me.”
I had to ask: why not do just that?
Having looked at, and then decided against: (1) starting a company that would do insurance for ICS, (2) insurance technology for ICS risk management, and (3) risk-scoring for ICS networks, I decided to explore whether it was possible to just give folks what they wanted.
A managed security service provider (MSSP) provides outsourced monitoring and management of security devices and systems. Common services include managed firewall, intrusion detection, virtual private network, vulnerability scanning and anti-viral services. MSSPs use high-availability security operation centers (either from their own facilities or from other data center providers) to provide 24/7 services designed to reduce the number of operational security personnel an enterprise needs to hire, train and retain to maintain an acceptable security posture. - Gartner
(1) Problem
Securing ICS from cyber attacks is a gnarly problem. Complex legacy systems. Outdated software and hardware. Precision timing. And since most ICS systems are designed to operate in a high trust environment, the engineering culture is more focused on “safety” than “security.” This is excellent in an analog world, but as more and more companies have connected their ICS to the internet, it has led us to where we are today: behind the 8-ball.
Layer on top of that the fact that there are just a few thousand ICS cybersecurity experts in the world. Numbers vary, but it’s safe to say less than 10,000 worldwide. Of those, a significant portion work for nation-states; many of the rest work for manufacturing and critical infrastructure firms and a smattering of startups and consulting companies.
It leads to where we are today: high demand, low supply. For those who took Econ 101 (or watched some YouTube videos on basic economics), it means high prices. Entry level ICS cybersecurity salaries start in the low six figures. Of the companies that know they have an ICS cybersecurity problem, the recognition of need is just the first step. Recruiting and retaining talented ICS cybersecurity practitioners is a whole different issue. Enter: MSSPs.
(2) Solution
A managed security services provider is a fairly straightforward way to solve the supply and demand problem. Go out and hire ten of the baddest ICS security experts you can find. Sign clients who can’t hire talent, offering them a mix of assessment, monitoring, and potentially incident response services. Then build a standard operating procedure (SOP) that creates a tight cycle of assessment, mitigation, monitoring, and response. Integrate the use of hardware and software into your operations that enable those ten practitioners to operate some kind of increasing scale. Apply that SOP to each client, and periodically revisit the SOP and improve it.
With some friends, including “secret weapon” and another friend (an ICS cybersecurity expert I’ll call “long bow”), I sketched out a quick team build from MVP (six hires, plus contractors), then a full “V1.0” company. It was certainly doable.
(3) Why now?
Beyond the increasing number of attacks against industrial control systems networks (a consistent “why now” for all of the startup ideas I’m covering in this series of posts), the explicit requests of senior executives, and the talent shortage struck me as the two most important and timely reasons why it could be the right time to start an ICS MSSP.
(4) Market potential
Looking at the DJIA and extrapolating the proportions to all publicly and privately held U.S. companies with more than $100m of annual revenue, I estimated that 20-40% of them have modest to significant industrial control systems cybersecurity needs ranging not only from manufacturing facilities and logistics chains, but also more mundane but critical things like building management systems. As the three of us talked it over, the focus for an ICS MSSP would be on companies in this middle range, with annual revenue somewhere in the $100m - $10b range. The market could further be narrowed down by focusing only on companies that have identified a senior leader responsible for security (perhaps a CISO or CIO), and are already spending on either manpower or services. Further slicing that down, we could cross-reference with job boards and other tools (like cyberseek.org) to focus on companies currently in the market for, yet unable to hire, one or more ICS cybersecurity experts. We started conducting granular research of companies in specific metropolitan areas using websites like Zippia, and realized that there was likely a lot of opportunity with companies making $1b or less a year in annual revenue.
At the same time, there was also a significant amount of opportunity at the high end as well. Speaking with a friend (a cybersecurity leader at a Fortune 100 company), I asked him what his company’s plan was for ICS cybersecurity. “Good question,” he said, “Let me go ask my boss,” (the CISO). He came back a few days later. “Thanks a lot, asshole,” he said, laughing. There was no program. The CISO hadn’t even been thinking about the problem. My friend’s reward? Being put in charge.
(5) Competition / alternatives
As I started pulsing my industry contacts, it was apparent the trends identified above had not gone unnoticed by the major consulting firms (such as Deloitte and Accenture). They had already spun up industrial control systems cybersecurity practices, and many major companies had hired them to provide managed security services.
But these conversations also revealed that there was a lot of room for improvement. Perhaps this could be accomplished by creating an apprentice-journeyman-master training model, combined with on-the-job learning. But as the old adage goes, “nobody gets fired for buying IBM.” An established name (and their insurance policies if something goes wrong) make it easy for managers to have an answer when asked “what are you doing about this problem?”
Similarly, the top tier consultants I spoke to at these firms were frustrated as well; their customers were reluctant to do anything other than retain the consulting firm and consider their job complete, when in fact the company needed to take significant steps to genuinely buy down the cyber risk to their industrial control systems.
(6) Business model
I calculated that we could start small, with 5-7 people at a minimum to service between 1-3 clients, and work our way up to 20 people, and be able to handle up to 10 customers at a time. Two initial pricing models leapt out at me: pricing per FTE (which wouldn’t scale well), or pricing according to the complexity of the protected infrastructure (not just # of endpoints). The latter seemed to be the better way to go (with the consulting companies going for the former). Though we didn’t conduct price discovery, we looked at job openings at target customers and estimated that they would likely pay a 150% price premium for an outsourced service that would perform the same task as an FTE. Estimating a small ICS security team to be 3x personnel at somewhere around 100-150k each, the back-of-the-napkin math meant that an entry level contract would be for ~$500,000k a year at a minimum, and increasing with infrastructure complexity. So far, so good.
Additional considerations:
The good:
Seemingly high demand.
Clearly attacks the security problem head-on (vs other considered business models like risk scoring).
Ability to handle multiple customers with a single team. While not like software, our scratch math said that with 10-20 employees we could handle at least 10 customers (and possibly more), with effective use of technologies like SIEM consoles, etc.
Opportunities to serve as a reseller for a wide range of hardware and software.
The bad:
The model is ultimately “butts in seats,” which means that it can grow, but can’t exactly scale the way a software company can, and relies on talent coming in the front door.
Lots of highly specialized on-site work required; employees will likely need to be close to their customers, meaning the company is located near, and limited by, its early customer base.
There’s a similar “bank teller” problem that could emerge similar to the insurance model explored previously: a bad day where many customers need your help is a day when your entire company is overtaxed, and disappoints customers.
(7) closing thoughts (go/no-go)
Passed. ICS MSSP’s are a great business model, but not likely venture backable. Two weeks after I made this decision, I was introduced to a small, world-class team that had stood one up, and was doing very, very good work. Many of the dynamics were as predicted: focused on a single industry, located close to it, hired domain experts out of it, and were serving it effectively. They were building internal software to make their jobs easier. And we may just partner with them for the idea we ultimately decided to go with. But that is for a later post.
Walking away from the ICS MSSP idea was hard, since it seemed profitable and doable. But as I pitched it to a few VCs, one in particular was enthusiastic about the market segment we were targeting. For all of the companies outside of the Fortune 100, who was going to help them secure their industrial control systems, using software?
A second investor, an Angel, put it succinctly: “Why not build the TurboTax for Infrastructure Security?”
It was off to the next idea.
An ICS Managed Security Services Provider? (startup idea #4)