Should You Transition Your MSP To An MSSP? Here’s What You Need To Know Before Making The Decision

The explosive, global demand by businesses of all sizes for a focused set of managed services that can identify, investigate, and respond to security threats presents a huge opportunity for forward-thinking MSPs. Here, we look at the differences between a traditional MSP and a managed security service provider (MSSP), the advantages of becoming an MSSP, and how to start the transition.

Managed Security Service Provider (MSSP) vs. Managed Service Provider (MSP)

The managed security services market has grown to include a wide range of security and risk management services but is still often misunderstood by buyers and vendors alike.

To clear up any confusion, let’s start with the basic definitions. An MSP provides a technology stack and manages a customer’s IT and infrastructure issues while providing a remote help desk for IT support. Some MSPs, of course, offer cybersecurity and compliance offerings but are not considered an MSSP because they lack a security operations center, among other offerings.  

An MSSP is essentially an MSP, except an MSSP also specializes in security for its customers in addition to the standard managed IT services, like endpoint management and help desk support. The term is fairly new, and the majority of MSPs have not yet developed the security solutions they need to address this growing market.

Gartner defines MSSPs as:

  • The delivery of security operation capabilities via shared services from remote security operations centers (SOCs), not through on-site personnel or remote services delivered on a one-to-one basis to a single customer
  • The remote 24/7 monitoring of security events and security-related data sources
  • The administration and management of IT security technologies

Show Me The Money: Why Would An MSP Transition To An MSSP?

It’s clear the demand is there for more aggressive security services. Businesses have always been under attack, but the COVID-19 pandemic has unleashed a new wave of cybercrime, with hackers routinely developing malware variants and exploiting software vulnerabilities, intensifying the need for a strong security posture.

Datto’s Global State of the Channel Ransomware Report 2020 showed that ransomware is a huge cause for concern for any type of organization, particularly SMBs, finding that:

  • 89% of MSPs state that ransomware is the most common threat to SMBs.
  • 64% reported attacks against clients in the first half of 2019, representing an 8% increase year over year.

And recently, Kaseya’s Fred Voccola revealed during the company’s annual user conference that research showed that nearly 76% of SMBs will experience business disruption as a result of a security event in the next three years.

There is a golden opportunity for MSPs who take the plunge to become an MSSP. In fact, only 5% of MSSPs versus 87% of MSPs have lost business because their security offering was lacking something a customer needed, according to a TechValidate survey done by GreatAmerica. This large gap shows you clearly where the green field exists.

Transitioning your MSP to an MSSP can not only help with customer retention, but it also creates long-lasting MRR and can help you bounce forward and scale your business into 2021 by delivering higher margin services that are not as impacted by commoditization. It is easier to differentiate your traditional MSP by providing security services and branding as an MSSP. Lastly, it’s a great idea to invest in cybersecurity products and competencies in order to protect yourself — and your clients — from hackers and other malicious actors.

But hold on: It’s not as simple as changing your marketing language. It takes time and money.

How To Transition From An MSP To An MSSP

You may already be an MSSP and just not know it. Are you already offering MSSP-like services, and do you have a SOC offering? If so, congratulations! You have the easiest path forward. Focus on rebranding and expanding your products and resources to deliver a full suite of MSSP services to an even larger group of clients.

If you aren’t already in this category, you can build an MSSP from your MSP by hiring the right people, like security analysts and cybersecurity consultants, and investing in integrated, top-of-the-line technologies. To be considered an MSSP, you will need to set up (or outsource) high-availability SOCs to provide round-the-clock security for your clients’ IT devices, systems, and infrastructure.

A SOC is a combination of people, processes, and technologies that handle the task of protecting clients’ networks, data centers, servers, databases, applications, websites, endpoints, and other technologies.

Other tools and resources you’ll need include the following:

  • Security information and event management (SIEM) tool
  • Intrusion detection and prevention systems
  • Threat remediation processes

Other business-related factors to consider include:

  • How strong is your current business? If you are struggling to deliver your basic managed services, now is probably not the time to expand. Go back to the basics of what you do best.  
  • Are your processes and documentation up to par? MSSPs need to have rock solid processes, so get those in line before you expand.

Security Operations Centers Explained

If the price tag of setting up your own SOC is a deterrent, as it very well may be when you factor in the on-prem costs of staffing it 24/7, dozens of vendors have introduced cloud-based SOCaaS (security operations center as a service) for MSPs. According to MarketsandMarkets, the SOCaaS market is projected to grow from $471 million in 2020 to $1.7 billion by 2025, at a compound annual growth rate of 28.6% during the forecast period (2020–2025).

This is a huge opportunity for many smaller MSPs to position themselves as MSSPs and scale their cybersecurity business. Even larger MSPs prefer to outsource their SOC operations given the complexity and cost of operating their own.

When evaluating SOCaaS vendors, first consider if there are any integrations with your existing tool set — then, of course, consider pricing and reputation. Additional topics to ask about include:

  1. Staffing: Ask to see staff bios. Look for security veterans who have experience with major cyberattacks. People matter as much as, if not more than, the technology.
  2. Location: Are offices spread out to follow the sun, or does the vendor focus on a certain geographic region? If you do business mainly in the U.S., it doesn’t make sense to hire a firm out of Central Europe. As you grow, can they grow with you?
  3. Tech Stack: Ask about their tech stack and how it was developed. Find out how many legacy SIEMs and service desk systems are supported. Do you need specific hardware, or is the service delivered?
  4. White Labeling: Does the vendor have a reseller or direct sales model? What marketing services do they provide to help you?
  5. Compliance: Some vendors provide audits as part of the package, some charge extra, and still others will refer you to a third party. Find out which model the SOCaaS provides (brownie points if the compliance audits are integrated with other tools you already use).

Another way to grow your MSP is to partner with an established managed SOC platform. As with any business relationship, take care in vetting the solution to make sure it can integrate with your offerings and fit in your environment.

Go Forth And Prosper

For MSPs who meet the above criteria and are ready to take on building or white labeling a SOC, there isn’t a better time to take on the mantle of an MSSP. The tools, processes, and demand are here to stay.

Becoming an MSSP, however, is not without added risk, nor is it for the faint of heart. As an MSSP, you are responsible for meeting any legal obligations, along with your clients’ expectations. In addition, you must be willing to invest in acquiring the right tools and people and in standardizing your operations and procedures. If done right, however, the ROI can be huge.