The abrupt closing last week of Skybox Security took the cybersecurity industry by surprise, sending its hundreds of customers scrambling to find a new security vendor and its 300 or so employees suddenly looking for new jobs.
It also put its share of MSSPs into motion to find another vendor that can quickly replace the cybersecurity tools that Skybox, which was founded in 2002, provided them. In addition, it should server as a cautionary tale for MSSPs and MSPs offering security services about what they need to build successful businesses.
“A lot of MSSPs are sweating bullets right now, trying to figure out what their next move is,” Chris Gonsalves, chief research officer at Channelnomics, told MSSP Alert. “Most MSSPs are a collection of white-labelled XaaS services cobbled together into what they claim is a holistic security practice. You lose one of those outsourced services, particularly a big one like your firewall rules and security policy manager, and you're going to have a rough couple of months trying to plug in those same capabilities with all of the customized legacy configurations using a completely new vendor product and platform.”
“RIP your weekend plans from now until Memorial Day.”
The Lights Go Out
Skybox, founded in Israel and with its headquarters in San Francisco, had what appears to be a successful run. In a post on LinkedIn, Gidi Cohen – who co-founded and led the company as CEO until January 2023 – wrote that the company over the years had served more than 500 Global 2000 companies in more than 50 countries and amassed more than $500 million in revenue in its time. It raised more than $330 million over the years.
Now the co-founder and CEO of AI content security startup Bonfy, Cohen said even he was surprised by the abrupt closure.
Skybox executives notified employees and customers on February 24 that they were shuttering the company. It now reportedly owes almost $3 million – including employees’ February paychecks – and is in liquidation.
Tufin Steps In
Rival cybersecurity firm Tufin bought some of Skybox assets and its customer information, but not its contracts. It also isn’t going forward with Skybox’s support responsibilities. The Boston-based company is courting Skybox customers with its ExpressPath for Skybox Customers, a program to quickly transition to Tufin.
“I know how disruptive and frustrating this situation must feel,” Tufin CEO Ray Brancato wrote in blog post. “Your business, your team, and your security operations are all being affected by something you didn’t anticipate. That’s why we’re stepping up – ensuring you have the best possible path forward with a stable and trusted partner.”
Channelnomic’s Gonsalves said that’s a bit of good news for MSSPs. Tufin is one of “three scarcely-differentiated players left in this space,” ticking off Tufin, AlgoSec, and Firemon, with Tufin – given its purchase of Skybox’s IP in the fire sale – is in the best position to help MSSPs.
“But make no mistake, this isn't an acquisition in the normal sense,” he said, adding that “folks I've talked to tell me Tufin is not honoring existing Skybox agreements. Skybox's MSSP clients truly are hosed. They are going to need to pay someone, probably Tufin, for services they already paid Skybox for.”
There Were Warning Signs
While Skybox’s closing was sudden, it reportedly had been struggling for several years, unable to turn its software-as-a-service (SaaS) efforts into a going concern, increasingly relying on an existing customer base that was shrinking.
MSSPs understood this, Gonsalves said. It’s popularity with service providers was less about its technology and innovation and more that it delivered a basic level of service at a price point at which MSSPs could make a profit.
“Most of its users would tell you its UI was dated and its tech roadmap was pretty threadbare,” he said. “History tells us companies like that crap out after a while. As an MSSP, the more dependent you are on a collection of outsourced services you cannot possibly provide yourself, the more at risk you are to this kind of disruption.”
Managed Security Services a Volatile Business
Skybox shutting the doors and bailing on customers is not a normal even, but Gonsalves pointed to Kaseya's $6.2 billion acquisition of Datto – which built security and cloud-based software for MSPs – in 2022 showed how volatile managed services can be when so much of an MSSP’s business depends on other people's stuff.
And that’s what MSSPs need to understand, particularly in situations like the one created by Skybox. Gonsalves has argued for years – since managed security services became something MSPs wanted to start offering – that cybersecurity is not something an outsider can simply jump into. It’s a formal discipline that requires a lot of very specific, technical knowledge to keep clients safe.
“Just because you can do it, doesn't mean you should,” Gonsalves said. “Some MSSPs are great at it. Many are not. The difference is evident in how providers handle things like this Skybox snafu. The more dependent an MSSP is on outsourced subscription services that outstrip their own technical acumen, the more they'll suffer when a vendor goes belly up.”
“In some ways, these kinds of events are good for culling some of the weak links in the channel,” he said.
