James Henderson

The new MSSP mandate? Closing Australia’s cyber capability gap

For many years, the cyber security conversation in Australia has centred on technology. The widely-held assumption was simple – invest in more tools and organisations would become more secure.

That assumption no longer holds.

Today, security leaders face a very different challenge. Cyber threats continue to increase in frequency and sophistication, while economic pressures, skills shortages and growing regulatory obligations are forcing businesses to achieve more with finite budgets and leaner teams.

As a result, expectations are shifting beyond technology procurement towards operational resilience, measurable outcomes and trusted expertise.

The question is no longer what security products should we buy? It is how do we build and sustain an effective security capability?

That shift is reshaping both customer priorities and the role of Australia’s cyber security services market.

“Expectations have changed significantly in recent years,” observed Michael Demery, Managing Director of Seccom Global.

“Organisations are no longer selecting cyber security partners based solely on the technologies they sell or support. They’re looking for trusted advisers who can demonstrate deep technical expertise, proven delivery capability, strong governance and the ability to deliver measurable business outcomes.”

Michael Demery (Seccom Global)

During the past 12-18 months, the purchasing pendulum has swung from businesses simply buying cyber security solutions to expecting outcome-driven partnerships.

Rather than just deploying and managing technology, managed security services providers (MSSPs) must clearly demonstrate return on investment (ROI) in the form of reducing cyber risk, improving resilience, supporting regulatory compliance and maximising dollar value.

“Cyber security has become far more consultative,” Demery added. “Businesses increasingly seek expertise across governance, risk management, incident response and cyber resilience, rather than purely technical implementation.”

This is in addition to “greater visibility” across increasingly complex environments spanning IT, OT, IoT, cloud platforms and identities.

Businesses expect more mature managed services, including richer threat intelligence, risk-based vulnerability management, automated response and meaningful reporting that clearly demonstrates improvements in security posture over time.

At the same time, there’s a strong preference for cloud-delivered services that offer greater scalability, flexibility and operational efficiency.

“AI is accelerating this change,” Demery explained.

“Customers want guidance around AI governance, data readiness, information protection and how to adopt AI securely. Ultimately, they’re looking to simplify their security environments by reducing disconnected tools, increasing automation and visibility, and partnering with providers who deliver measurable business outcomes rather than simply managing technology.

“The challenge is they want all of that without increasing their security spend.”

Balancing security priorities with economic realities


The challenge of balancing that ambition against economic reality is playing out across Australia. Boards recognise cyber risk as a business issue, yet security leaders continue to operate under constrained budgets while managing expanding attack surfaces, cloud environments, AI adoption and growing regulatory obligations.

The result is greater scrutiny over every dollar of security investment, with organisations prioritising platform consolidation, automation and risk-based decision making over additional point solutions.

“The biggest challenge is balancing growing cyber security demands with limited internal resources and constrained budgets,” Demery added.

“Many customer environments now span traditional IT, cloud, OT, IoT, identities and remote workforces. Maintaining visibility, managing risk consistently and responding quickly to emerging threats has become increasingly difficult.”

In parallel, regulatory obligations continue to evolve, placing greater pressure on organisations to strengthen governance, demonstrate compliance and prove security investments are delivering measurable outcomes.

Organisations are also seeking practical guidance on adopting AI securely – asking how to protect sensitive data, establish appropriate governance and manage the risks associated with rapid AI adoption.

“Demand also continues to grow for automation, better threat intelligence, more mature vulnerability management and managed services that provide clear visibility into security posture and continuous improvement,” Demery highlighted.

“Ultimately, organisations are being asked to do significantly more without additional funding. They’re looking for trusted partners who can consolidate technologies, automate where possible, maximise existing investments and reduce cyber risk without substantially increasing overall security spend.”

In response, organisations are no longer looking for product-led engagements or isolated security projects. Cyber security is now viewed as an ongoing operational discipline rather than a one-off investment.

“Organisations are taking a more strategic, risk-based approach to cyber security investment,” Demery explained.

“Rather than implementing every available technology, they’re focusing on solutions that deliver the greatest reduction in risk while supporting broader business objectives.”

With budgets remaining tight, Demery said organisations are prioritising platform consolidation, automation and AI to improve efficiency while maximising the value of existing investments before introducing new technologies.

“Managed security services are becoming increasingly attractive because they provide access to specialist skills, 24×7 monitoring and advanced security capabilities without the cost and complexity of building those functions internally,” Demery continued.

One of the biggest disconnects remains between boardroom conversations and day-to-day security operations, however.

While boards typically discuss governance, compliance and enterprise risk, operational teams are focused on alert fatigue, skills shortages, vulnerability remediation and maintaining visibility across increasingly distributed environments.

Bridging this gap requires stronger reporting, clearer risk metrics and greater alignment between technical priorities and business outcomes.

“Boards want to understand the business impact of a cyber incident, whereas security teams often report technical metrics that don’t clearly demonstrate risk reduction or business value,” Demery detailed.

“We also see a disconnect between cyber strategy and operational execution. Many organisations have invested in security tools, policies and frameworks, but there’s often uncertainty about whether those controls are actually reducing risk or whether the organisation is genuinely prepared to respond to a real-world incident.”

In this scenario, Demery said meaningful reporting, governance and visibility become “critical” – boards and executive teams want insights that clearly demonstrate security performance and organisational risk.

“The organisations that perform best have strong governance, align security initiatives with business objectives and translate technical activity into measurable business outcomes that executives can understand and act upon,” Demery advised.

Skills in short supply, new MSSP demands


Market pressures are also accelerating demand for managed and professional services. Rather than attempting to build every capability internally, many organisations are augmenting teams with specialist expertise.

Managed detection and response, 24×7 security operations, incident response, threat hunting, vulnerability management, identity and access management, governance, risk and compliance, cloud security and security architecture are among the services seeing the strongest demand in Australia.

Michael Demery (Seccom Global)

“The cyber security skills shortage remains a major challenge, particularly across specialist areas such as security operations, threat hunting, incident response, cloud security, governance and OT security,” Demery noted.

“Recruiting, retaining and continually developing these capabilities internally is becoming increasingly difficult and expensive.”

Organisations are also expected to maintain around-the-clock security operations while meeting growing governance and compliance requirements.

Rather than building these capabilities internally, many businesses are partnering with MSSPs to access experienced security practitioners, mature processes, advanced tooling and 24×7 monitoring capabilities that would otherwise be difficult to justify financially.

“Importantly, organisations aren’t simply outsourcing security,” Demery qualified.

“They’re looking for partners who act as an extension of their internal teams by providing strategic advice, specialist expertise, operational support and additional capacity when required. That allows internal teams to remain focused on business priorities and strategic initiatives.”

According to Demery, the capabilities most commonly outsourced are those requiring specialist expertise, continuous monitoring or significant operational overhead.

Security Operations Centre (SOC) services, Managed Detection and Response (MDR), Security Information and Event Management (SIEM), vulnerability management and incident response remain the most frequently outsourced functions.

“We’re also seeing growing demand for governance, risk and compliance services, including virtual CISO engagements, risk assessments, policy development, security awareness training and regulatory compliance support,” Demery expanded.

“As boards, regulators and insurers place greater scrutiny on organisations, customers increasingly seek independent expertise and governance guidance that doesn’t exist internally.”

More recently, demand has also expanded into cloud security, data governance, AI governance, OT security and identity security. These are highly specialised disciplines where skills remain scarce and continue to evolve rapidly.

“Rather than building large internal teams across every security domain, organisations are partnering with specialist providers to access expertise on demand, accelerate security maturity and respond more effectively to changing business and security requirements,” Demery added.

Advanced security status, deep expertise


To meet new market requirements, Seccom Global has been recognised as an Engage Preferred Services Partner (EPSP) within Fortinet’s Engage Partner Program – reinforcing the Sydney-based MSSP’s ability to deliver advanced cyber security services across increasingly complex enterprise environments.

The designation recognises expertise in designing, deploying, operating and supporting end-to-end Fortinet security solutions, providing businesses with “independent assurance” of technical capabilities, service delivery maturity and experience delivering complex cyber security outcomes.

“This is a significant milestone for Seccom Global and reflects more than two decades of investment in building deep Fortinet expertise,” Demery outlined.

“As one of only a small number of organisations in Australia to achieve this recognition, it validates our technical capability, service delivery maturity and longstanding commitment to delivering successful customer outcomes with Fortinet technologies.

“For our customers, EPSP status provides independent assurance they’re working with a partner that has demonstrated the highest levels of technical competency, proven delivery experience and the ability to design, implement and support complex cyber security environments.”

The EPSP designation also provides Seccom Global with direct access to Fortinet’s specialist technical resources, advanced training and implementation support. This enables closer collaboration with Fortinet Professional Services, access to best-practice deployment methodologies and continued investment in specialised security capabilities.

“Importantly, this recognition is about far more than a badge,” Demery added.

“It strengthens our ability to deliver better customer outcomes through specialised expertise, closer vendor engagement, enhanced support pathways and the experience gained from delivering some of Australia’s most complex security projects. Ultimately, it reflects our ongoing investment in our people, our capabilities and our customers’ success.”

To achieve EPSP status, Fortinet assesses partners across a broad range of criteria, including technical certifications, proven project delivery, customer outcomes, professional services capability, support maturity and the ability to deliver complex security solutions at scale.

“It’s not an accreditation that’s easily achieved – it requires demonstrated expertise and a consistent track record of successful customer engagements,” Demery explained.

Maintaining this level of recognition means continually investing in highly skilled technical teams, advanced certifications, mature delivery methodologies and ongoing training to stay ahead of rapidly evolving cyber threats and technologies. It also requires strong governance, operational processes and disciplined project management.

“For customers, the benefits are tangible,” Demery added.

“They gain access to independently validated specialists, reduced project risk through proven implementation methodologies, faster time to value and confidence that solutions are designed and delivered in line with industry best practice.

“They also benefit from deeper vendor engagement, stronger escalation pathways and a partner capable of supporting their entire cyber security journey – from strategy and design through to implementation, optimisation and managed services.”

In short, Demery said businesses are increasingly favouring partners who can help “reduce risk, improve resilience, navigate regulatory requirements and support long-term security strategies” – rather than simply implementing and managing technology.

Because as cyber threats become more sophisticated and organisations face increasing pressure from regulators, boards, insurers and customers, “proven capability” has become a key differentiator.

“Organisations are conducting far greater due diligence during partner selection, looking for evidence that providers have the skills, experience and operational maturity to support critical security environments,” Demery concluded.

SIGN UP FOR INSIGHTS VIA MOXIE MAIL

Inform your opinion with executive guidance, in-depth analysis and business commentary.