Michael Roth didn’t set out to build just another cybersecurity company—he set out to reinvent identity and privileged access management (PAM) specifically for MSPs. As the founder and CEO of Evo Security, which he officially launched in 2020, Roth saw that while large enterprises had solved identity at scale, the MSP space was underserved and vulnerable. Built 100% for MSPs, Evo consolidates six identity access management (IAM) and PAM tools into one multitenant platform.
In this conversation with MSP Success, he shares why identity is a key revenue opportunity in the cybersecurity stack, how Evo is flipping the script on PAM as a cost center, and what MSPs need to know about staying secure—and profitable—in the years ahead. This interview has been edited for length and clarity.
MSP Success: Tell us a bit about you and Evo Security.
Michael Roth: I’ve been studying identity and access management for a little over 15 years now. About 2018, cybercriminals were starting to look away from the big pot of gold underneath the enterprise and recognized that they can make the same or more with a bunch of smaller pots of gold by attacking the small to medium business.
I saw the biggest need long term was going to be in the MSP space. I looked around at other companies trying to solve this problem and found there were not very many, and they were only trying to solve this sliver of the problem. The enterprise has already solved this at scale; they’ve mashed together multiple products into one and solved the problem comprehensively. I think that’s the future for the MSP space. That was the journey that formulated the thesis around the business.
We’ve started with six major important identity and privileged access management capabilities, and we push them together into one single platform, 100% built for MSPs, top to bottom.
What we’re building is very complex. And because it’s something that users are engaging with on a regular basis all day long, we’re held to an extremely high standard. A lot of tools that MSPs use sit in the background; end users don’t engage with them. So we have to be really good at engineering. We have to be really good at user experience. It has to cost the right amount to be attractive to the MSP.
MSP Success: What problem are you trying to solve for MSPs?
Roth: Identity and privileged access management has been a cost center and an overhead for many MSPs. We are trying to invert that almost completely. The reason we can do that is because you can come to one place and pay Evo for privileged access management but resell all the rest of the tools and either break even or make money on identity and access management. So it’s a new opportunity that didn’t exist before for them.
MSP Success: There are other cybersecurity platforms that have identity management and PAM. What makes you different, and what’s the value add for MSPs?
Roth: There are lots of privileged access management solutions in the market. There are a very small number of privileged access management solutions that have been built for MSPs, and all of those are within 36 months old, and the majority of those are solving one specific problem or a small number of problems. Whereas we took a step back and we looked at [the problem] holistically. We said, No. 1, every single engineering decision that we’re going to make is going to have nothing to do with the enterprise. We want to know exactly how the MSPs think, what problems they need to solve, how they want to solve them. We want to talk to the technicians. We want to talk to the business owners, to big MSPs, small MSPs, midsize MSPs. We want to know on a very granular level how you want to solve PAM.
And we also wanted to bring in our expertise from the enterprise and say, OK, we need to marry the real security, not just because a lot of times MSPs want convenience and there’s a very hard security-convenience exchange rate. We wanted to figure out the right balance—the appropriate level of security and the appropriate level of convenience. Not just what is going to be best for the MSP today, but in 3, 5, 10 years from now they can anchor their company around this technology and rest assured that they’re going to be able to meet the compliance [requirements] and do the things that they need it to do.
We integrate with their tools. We don’t have all the integrations yet, but we’re still building them [to] make sure that we become an essential part of their stack.
MSP Success: MSPs might already be offering identity management in their cybersecurity stack, so why is this a new revenue opportunity?
Roth: It depends on how they’re pricing and packaging it. But it’s the checkbox everyone has to have. The No. 1 way that anybody gets breached is through authentication or an abuse of privileges. It’s actually the most important security tool in their entire stack and therefore it should be viewed as one of the most important ways that they can make money.
Microsoft has some of this stuff built into their P1 and P2 licenses. So sure, you can use Microsoft but you’re leaving dollars on the table. You’re going to probably resell that subscription for the same premium anyway above it, so why not also stack another tool on top that works and integrates perfectly with Microsoft, and add another few dollars per user? That’s the opportunity that we’re giving them. When you introduce another tool like Evo that just integrates nicely with Microsoft, now you’ve given yourself a legitimate way to go make more money.
On the privileged access management side of things, most of that is viewed as a cost center. I know that if I’m going to follow CMMC, for example, or NIST 800-171, you can’t accomplish any of that without having identity and privileged access management in your stack. So a lot of MSPs have looked at privileged access management and they’ve said, “I know I need to do this. But it’s going to cost me several hundred or even several thousand dollars a month.” Now you have an option. We’ve given you the ability to make up for that cost in a way you didn’t have before, so you at least come out net neutral, but you’ve given yourself an ability to go make money when you consolidate those tools.
MSP Success: How do you price your solution?
Roth: We price the identity side per user per month, and then the privileged access management side per endpoint per month. We do very simple bundles. They just really have to think about two line items and how many endpoints or how many users you have. We also have single cost pricing for the whole platform. Or if they’re a really large MSP and they want a la carte, we can break each of the six products out on their own.
It’s 100% month to month, so if we’re not performing and they’re not happy, then they can leave.
MSP Success: What’s on your road map?
Roth: Our road map is very aggressive. Our intention is to become the best of breed, period, for privileged access management and identity management for MSPs. That is our mission. Our road map is largely driven by our partners and what they need and their feedback and their guidance on how they want to engage with a product like this.
MSP Success: What are some of the challenges you’re hearing from MSPs around identity and privileged access management?
Roth: A lot of the challenges are around just accepting the fact that this is the new reality. You are, as an MSP, the weakest link to your customers if you don’t have identity and privileged access management in place. The No. 1 way an attacker is going to try and get the keys to the kingdom is attack the MSP. They’re going to leverage those privileged credentials, and then they’re going to go into all their customers, and that’s going to be a really bad day.
Part of their challenge is just understanding that. Part of it is the cost, if it’s not money making for [them]. Part of it is the nature of these tools—they’re high-friction tools. Trying to sell identity is a harder sell in general because it introduces friction. The irony in this story, though, is that the thing that is going to prevent breaches with the most effectiveness, the most number of times, based on the number and types of breaches that occur every day, every month, every year, is actually identity and privileged access management.