Should You Move From MSP to MSSP? The Answer Isn't Clear-Cut

It could really pay off, but it will cost you millions.

Kelly Teal, Contributing Editor

August 21, 2020

9 Min Read
MSSP
Shutterstock

The question of whether to transform a managed services practice into one with cybersecurity expertise does not feature a clear-cut answer. Each model – MSP and managed security service provider – holds its own unique advantages, both for enterprises and the channel partner itself. Yet as COVID-19 has opened the door for hackers to exploit peoples’ fears, organizations’ soaring security demands may compel many an MSP to think about turning into an MSSP.

Spending more money to expand a business model poses a risk during a pandemic, but the shift also can pay dividends. Making the move from MSP to MSSP calls for considerable analysis and exploration. Channel Partners Virtual will offer that guidance via the upcoming panel, “Debate 2020: To MSSP or Not to MSSP?”.

The session should prove lively, with two panelists falling in the “Yes” camp and two others saying “No.” Two of the participants are no strangers to the conversation. Mike LaPeters and Scott Barlow both took part in a similar session last year for Channel Partners Evolution.

This time, LaPeters, vice president of worldwide MSP and channel operations at Malwarebytes, will serve as the moderator. Barlow, vice president of global MSP at Sophos, will remain on the “anti-MSSP” side. Jason Duchnowski, product manager at Otava, and Jason Ingalls, CEO of Ingalls Information Security, will speak in favor of becoming an MSSP. And George Makaye, CEO and founder of Makaye Infosec, will team with Barlow.

For LaPeters, the most important aspect of his role will be helping attendees “explore both sides of this evolution,” he told Channel Futures. Not every MSP will want or need to morph into MSSP territory. At the same time, many MSPs should at least evaluate the pros and cons of offering cybersecurity internally.

Going MSSP Is Worth It, But ‘Prepare to Spend Millions a Year’

For Ingalls, the choice is obvious.

Ingalls-Jason_Ingalls-Infosec.jpg

Ingalls Infosec’s Jason Ingalls

“Being an MSSP allows your service business to focus on delivering cybersecurity risk management rather than IT support services,” he said. “If you’ve identified this as your desired niche, then it’s where you should be.”

Dozens of industry speakers will “take the stage” at Channel Partners Virtual. Our online trade show is Sept. 8-10. Don’t miss out on this one-of-a-kind event. Register now!

Plus, said Duchnowski, structuring as an MSSP brings financial, competitive and self-preservation advantages.

“Overall in the MSP market, revenue is increasing but profit margins are declining,” Duchnowski explained. “Security services can provide MSPs a way to deliver high-value, higher-margin services that are not as impacted by commoditization the way traditional MSP services are. From a differentiation standpoint, I recently saw a few statistics that seemed to make becoming an MSSP almost a no-brainer. There are more than 40,000 MSPs in North America. Roughly 17% of those firms are considered MSSPs, and almost three-fourths of MSPs that introduced security services saw revenue increases for those services within a year. Finally, [I say] self-preservation because MSPs are increasingly being targeted by cyberattacks. By developing competencies in security, an MSP can help prevent catastrophic incidents from impacting both their business and their clients.’”

Ingalls agreed that MSPs should assess the MSSP opportunity because hackers are growing so bold. MSPs, he said, “no longer are able to keep up with threat actors in the SMB space. Outsourcing or focusing solely on cybersecurity is the most cost-effective risk management strategy for this particular risk.”

All that said, making the move from MSP to an MSSP is no easy, or cheap, task. Indeed, even though Ingalls promotes acting as an MSSP, he knows …

… the drawbacks.

“Prepare to spend millions a year in order to break even,” he said. “This anecdote is from personal experience, having done it myself.”

What You Need to Run a SOC

To be sure, a number of investments factor into the MSSP model. Above all, an MSSP must set up a security operations center. A SOC requires not just physical security but a complete suite of the latest antivirus, antimalware, anti-everything technology. That’s expensive and complicated. As Gartner points out in its January 2020 report, “Tips for Selecting the Right Tools for Your Security Operations Center,” the list is extensive:

“To achieve a modern SOC … a set of technologies is needed that should cover:

  • Broad-based visibility and threat detection capabilities (e.g., a security information and event management tool)

  • Endpoints (e.g., endpoint detection and response)

  • Networks (e.g., network-based intrusion detection, network traffic analysis, full packet capture)

  • Management and operations (e.g., a SIEM tool, incident/case management solution or security orchestration, automation and response)

Any technologies on top of this set should be aimed at enhancing the coverage of the SOC, such as deception technologies, cloud access security broker tools, [operational technology] security technologies, etc.,” analysts write.

That’s not all, though. A newly minted MSSP will need to hire, and train, skilled cybersecurity staff. Those salaries tend to run higher than those of other employees. Roll in the extra overhead and benefits, and it could take a while to reap return on investment. Finally, an MSSP will need to carry special insurance to cover the extra liability assumed by monitoring customers’ cybersecurity.

None of that is intended to deter MSPs, just to set expectations. Again, MSSPs stand to rake in millions of dollars, particularly as COVID-19 rages on with no end in sight.

“A relative of mine works as a health care consultant,” Duchnowski said. “To comply with HIPAA regulations, when working from home, their work devices and materials were kept behind a keycode locked door to a room that only they could enter. These types of controls simply cannot scale for the relatively quick switch that the average worker had to make from working in an office to working remotely. Because of this, there are tremendous cybersecurity risks that need to be addressed now and for the foreseeable future.”

The Other Side: Stick to Operating as an MSP

Still, chances are high that Barlow and Makaye will cite costs and liability as key reasons not to embrace the MSSP model. For some MSPs, aligning with a cybersecurity vendor that already has infrastructure and resources in place will do the trick. It’s simpler than building a new company from the ground up, Makaye said. Makaye operates as an MSSP, so he knows the ins and outs.

“I would like MSPs to come out of the debate educated about what it would really takes to build an MSSP practice,” he told Channel Futures. “Cybersecurity is more than security tools and services. Cybersecurity is a lot more than technical security controls. To truly drive cybersecurity outcomes, we go beyond IT into implementing policies, providing cybersecurity leadership and governance, ensuring the cybersecurity program complies with the ever-evolving regulatory requirements, legal aspects of cybersecurity, etc.”

MSPs pondering the potential change to MSSPs also will want to be aware that most customers will make incorrect assumptions. That makes for another set of challenges.

“Most SMBs do not understand what we do,” Makaye said. “They assume MSPs or their IT guy already do what we do.”

He further noted that MSPs on their own can make cybersecurity mistakes, which leaves …

… clients more vulnerable. It’s better, he contends, to partner with an MSSP. And with COVID-19 making cybersecurity matters worse, MSPs should act sooner rather than later.

“The pandemic has definitely solidified my opinion and confirmed that I made the right decision to start an MSSP,” Makaye said. “We have onboarded many new clients who got breached because MSPs migrated to a remote setup without any cybersecurity considerations.”

Second, he said, “with the significant increase of cyberactivity and sophistication, due to the COVID-19 pandemic, MSPs do not have the expertise nor the mindset to fight the cybercriminal of today.”

Unfortunately, a lot of MSPs prove that within their own firms, Makaye said. Too many “can barely implement cybersecurity programs” to protect their own assets, he said.

“It is disingenuous to sell a service you can’t implement within your own organization.”

Other Challenges to Consider If You’re Thinking of Making the Move from MSP

But just as importantly, an inherent conflict of interest arises when an MSP administers cybersecurity to the same client, Makaye said.

Makaye-George_Makaye-InfoSec.jpg

Makaye InfoSec’s George Makaye

“It’s similar to a bookkeeper auditing their own work,” he said. “If a client has a breach caused by the MSP’s IT person making a system vulnerable – for example, not configuring the firewall properly – it’s very likely that they won’t self-report themselves. The client loses. The client wins when MSP and MSSP are provided by separate firms. This model provides built-in checks and balances between the MSP and MSSP that benefit the client.”

That’s because the MSSP enforces the cybersecurity policies and keeps the MSP accountable, Makaye said.

“If the security policy says that critical security patches must be performed within 24 hours of being released, the MSSP ensures this is being done by the MSP,” he noted.

MSPs also need to understand that being an MSSP requires a different skill set.

“MSPs bring divided focus to their security efforts,” said Makaye. “The nature of MSP service is very reactive and customer IT needs come first; cybersecurity needs always get pushed to be background.

It takes very different mindsets to be an IT person vs cybersecurity,” he added. “An IT person is rewarded for responding to IT support issues as fast as possible and being as helpful as possible, while a cybersecurity person is rewarded for keeping things locked down and less vulnerable. It’s very hard for an MSP to balance these two conflicting approaches.”

For his part, Barlow stated at 2019’s Channel Partners event in Washington, D.C., that MSPs can position themselves as MSSPs by offering outsourced security monitoring and management.

“I just don’t think it’s worth the MSP looking to transition into MSSP,” Barlow said a year ago. “Same thing with the data center market. How many MSPs launched their own data center 10 years ago? Where are they now?”

Get Ready for a Lot to Think About

LaPeters-Mike_Malwarebytes-2019.jpg

Malwarebytes’ Mike LaPeters

Regardless of which way an MSP chooses to go, “Debate 2020: To MSSP or Not to MSSP?” will give attendees substantial food for thought — and that’s LaPeters’ intent.

“With the combination of a global pandemic and the rapid evolution of the threat landscape, this topic is more important than it’s ever been because customers are struggling to secure their infrastructure,” LaPeters said. “Relying on service providers is one of the most efficient ways to solve this, and understanding the value of an MSP or an MSSP is critical when making this decision to outsource.”

Join the session on Tuesday, Sept. 8, at 12:10 p.m. Eastern/9:10 a.m. Pacific.

Read more about:

MSPs

About the Author

Kelly Teal

Contributing Editor, Channel Futures

Kelly Teal has more than 20 years’ experience as a journalist, editor and analyst, with longtime expertise in the indirect channel. She worked on the Channel Partners magazine staff for 11 years. Kelly now is principal of Kreativ Energy LLC.

Free Newsletters for the Channel
Register for Your Free Newsletter Now

You May Also Like