By Edward Ferrara

What is an MSSP worth, and if someone wanted to buy a business like this, how much should they pay? This was the topic of two great presentations I attended at MSPWorld yesterday, and it is an important question for Forrester’s IT clients because the rules of valuation can help IT clients evaluate potential partners. The financial stability and the intermediate and long-term plans of the MSSP should factor into the decision when selecting an MSSP. In any negotiation it’s also always good to know what the other side is thinking.

Here’s the list:

1. Recurring Revenue – What is the firm’s recurring revenue profile? What are the sources of revenue, and how much of this revenue comes from long-term (multi-year) contracts?

2. Service Agreements – What is the nature of the service-level agreements the firm has in place with other clients? Do they address risk management and risk sharing? How much liability is the MSSP willing to accept for regulatory compliance and information breaches?

3. Service Revenues – What percentage of the MSSP’s revenue comes from what types of business?

4. Service Margins – Being an MSSP is actually a reasonably profitable business when the firm is well managed. Forrester, however, is seeing a move towards commoditization in the space (please see our upcoming Wave on North American MSSPs, to be published in March 2012). This is placing pressure on margins (good for end-users, but this puts pressure on the MSSP and could potentially affect quality of service).

5. Client Relationships – Who else does the MSSP serve? Can you speak to them, and are they willing to provide references?

6. Revenue Distribution – What is the breakdown of their revenue? How much of the MSSP’s revenue comes from managed services, consulting, and/or product sales? Firms that focus on managed services tend to be more valued in the market and, from the client perspective, will perform better as an MSSP compared to companies that do this as a sideline.

7. MSSP Efficiency – How many clients do they service at their current staffing levels? Getting the balance right is a great indicator of how well your potential partner is managed.

8. Vertical Specialization – Does the MSSP specialize in your vertical industry? Do they have the necessary certifications and accreditation to understand the regulatory compliance issues for your business? For example, what is the firm’s understanding of common regulatory requirements such as HIPAA / HITRUST and GLBA?

9. Intellectual Property – What intellectual property does the MSSP bring to the table? How does this intellectual property make the firm more effective in protecting your business?

10. Geographic Location (New York vs. Mississippi vs. Paris vs. Warsaw) – Where are the firm’s SOCs located? This says a lot about the firm’s ability to hire and retain necessary talent. It also indicates the relative cost structures the MSSP has to deal with, as well as their ability to support you as a client. It also may aid / hurt employee retention.

11. Client Retention – How long has the MSSP had their clients? How satisfied are these clients? This really does not require any explanation.

12. Strategic Partnerships With Other Vendors – What strategic partnerships does the MSSP have? This is an important factor because most MSSPs have very little proprietary technology. While the Tier 1 providers (Forrester defines these as companies with revenue in excess of $1B) develop their own SIEM and monitoring technology, smaller players generally rely on technology provided by others for their monitoring capabilities.

13. Downstream Reseller Network – This is an interesting factor because some MSSPs and Telcos white label their MSSP services. Understanding who is actually delivering the service is an important question and one that should be asked if there is any concern that you are working with an “agency relationship.”

The MSSP market is growing rapidly.
Many of the firms (albeit smaller players) reported phenomenal growth at the conference. This supports Forrester’s position that the significant gains in the MSSP market will come from the SMB space. Most mid-size companies do not have the capability to put security management in place. These much-needed services will come from the MSSP firms.