There have been growing opinions and perspectives lately around an interesting topic: the role of the Managed Security Provider (MSP) in security and whether or not MSPs should evolve into Managed Security Service Providers (MSSPs). There are many layers to this topic and just as many pros and cons to consider.
While there are some MSPs that have successfully made the leap to MSSP, they are few and far between. The ones that have successfully transitioned knew their customers, identified their needs, hired the right technical staff to support the business, picked best of breed technology, and are focused on continuously evolving their business practice.
Becoming a MSSP is a significant shift from where the MSP stands today. Not only are you now responsible for knowing security and compliance laws, the MSP goes from managing the daily tasks of the customer’s infrastructure to adding on the intricate tasks of pen testing, reviewing and/or writing policies and procedures, security assessments, creating strategic plans, and more—all while staying independent. Spinning up the managed security business isn’t quick or easy. With lack of quality cybersecurity talent in the market, the MSP either needs to spend significant resources to train up their current staff and reallocate them or pay above market prices to attract talent. Then you have to wrap that into a sound strategy and approach to the market you currently serve. Depending on the target customer market, it can be difficult for the MSP to invest in all these areas and get the ROI as an MSSP.
Many MSPs are doing some work around security today—firewalls, antivirus, anti-malware, RMM, patching, remediation, etc.—but it’s a big leap to provide the full breadth of cybersecurity services that modern businesses require. You need the right resources in order to develop policies and procedures, conduct security events like social engineering, manage phishing campaigns, conduct penetration tests and vulnerability assessments, perform security assessments, tackle incident response, and help evaluate security technologies needed for the environment independently. Plus, you want an independent perspective to keep the IT organization or MSP in line with the security needs of the company. This can be compromised if you have the fox always watching the inside of the hen house.
It can also be a challenge for MSPs to both manage the day-to-day customer needs and assess what security technologies are the best for the client—especially when you are only a reseller for a limited amount of technology suppliers. These constraints can limit the scope of what you can provide to your customer.
I am not saying that there can’t be some convergence of solutions—but thinking that there is one solution or one vendor that fits all is short sighted. There is a rising need for multiple vendors or partners to work together to effectively support the goals of your end customer and to protect their most valuable asset: data.
For MSPs looking to transition to MSSPs, consider these key questions before making the leap:
- How do you maintain objectivity and independence?
- Are you ready to invest in the appropriate staff?
- Can you educate yourself enough to fully address key compliance issues and frameworks?
- Are you prepared to add the responsibility of addressing the secure footprint of an organization and managing ongoing needs within security?
- Do you want to manage a SIEM or SOC with 24/7 operation?
I believe that the best approach is to find a good security partner to work with and act as your overlay. This will show your clients that you can’t be everything to them, but you can bring in the best-of-breed solutions to address their needs. Do this and you will have customers for life.
Here at IGI, we have a growing channel that understands the value of bringing in a partner who has experience in developing cybersecurity software and delivering key consultative cybersecurity services. Not only are we working with customers in partnership with the MSP and/or the internal IT team, we also bring work back to the MSP in the form of remediation, new security solutions sales, and other infrastructure upgrades that helps them grow. Our guidance and approach assist both the MSP and end customer to achieve their short- and long-term goals.
MSPs are now investing in and evolving their security know-how to establish a baseline before we come onto the scene. That ceiling continues to rise for the MSP, so there isn’t a shortage of work to be done. But, when it comes to advanced security solutions, they should consider whether or not it’s worth the investment to provide and maintain that service themselves.
IGI is thrilled to work with MSPs as a security partner to bring the best security solutions forward, creating a win-win-win scenario for the MSP, MSSP, and most importantly the customer.