You may have heard that many managed service providers (MSPs) are making the transition to becoming MSSPs – Managed Security Service Providers. Is it as easy as adding an extra S to your business cards, or do you need a whole new range of certifications, knowledge and experience to become a successful MSSP?
This article will look at the differences between traditional MSPs and MSSPs, the trend to add security to the MSP toolbelt, and how you can present yourself if you’re ready to make security your differentiator.
What’s the Difference Between an MSP and an MSSP?
While an MSP focuses on making sure all of your endpoints, assets and data are available at all times for your employees and customers to utilize, an MSSP takes a more defensive approach, making sure that no one outside of those categories can access your network.
Primarily focused on IT security, an MSSP doesn’t necessarily look at the administrative side of a customer’s business; for example, they might not concern themselves with PSA or helpdesk software to support customer service needs. A traditional MSP is engaged with performance issues, cost reduction, efficiency and broad business processes.
Targeting security needs with more granular attention, an MSSP might offer threat detection, endpoint protection and response, identity and access management, authorization tools, and help customers to align their business strategy and processes with compliance frameworks.
Why the Need for MSSPs?
Most MSPs do offer some level of security, whether that’s backup options in case a customer’s business is hit by an outage or ransomware, or antivirus that scans for malware and protects the network from phishing scams. You would also expect them to have best-practice security tools in place to protect customer information, such as enforcing MFA on all devices. However, an MSSP will offer a much tighter level of security, as this is the focus of their offering. Because of the growing sophistication and number of cyber-attacks, an MSSP might offer:
- A deeper range of cybersecurity tools, such as firewalls, cloud firewalls, email security, access control, and more.
- Security expertise in-house, or a security center of excellence, so they can analyze for security threats ahead of time and create a targeted roadmap to shore up customer defenses.
- 24/7 monitoring and guidance to protect systems, employees, data, and ‘crown jewel’ applications.
- Regular penetration testing, security awareness testing, or blue and red teaming processes to ‘drill’ customer staff and systems in case of threat.
- Robust incident response plans, with a playbook for different cyber events and stakeholders who are ready for action in case of an event.
In contrast, an MSP without the added focus on security would probably operate more in the realm of IT network management, ensuring a customer system is in good health operationally, focusing on keeping your business running smoothly and machines at peak performance in terms of CPU, memory or compute power. They might provide advice on processes and systems such as whether a customer moves to the cloud or updates hardware or software.
They should be offering a robust patch management strategy for updates and be able to remotely access customer endpoints to make changes and updates. If a problem occurs in terms of availability and reliability, they will troubleshoot any problems and performance issues.
In some cases, MSPs will be able to utilize Professional Service Automation to streamline customer and staff communication and take their service to the next level. This can include automating tickets and scheduling, contract management, technical support, device management and more.
What if I Want to Add Security to My Managed Service Offering?
It’s not surprising that many MSPs are looking to add security expertise to their MSP offering, as hackers are increasingly looking to reach customer data through the service providers who serve them. The U.S. Secret Service even announced a rise in MSP-based cyber attacks such as ransomware, point-of-sale attacks and Business Email Compromise or other phishing scams.
As customers gain more awareness of these threats, they are looking for service providers with a deep knowledge of the security landscape, and the tools and know-how to keep themselves safe as well as protect their own customer network.
It’s no surprise then that the global MSSP market is projected to be worth $46.4 billion by 2025, growing at around 8% each year. If you’re looking to move from being an MSP to an MSSP – here are a few ideas:
Upskill: Look to take security courses and certifications to ensure that you have the hands-on skills necessary to protect your clients on a deeper level. The SANS Institute, for example, offers a security skills roadmap that starts from core techniques of preventing, defending and maintaining in both security essentials and understanding hacker techniques.
By the end of the learning path, they offer advanced management of technical security certifications. These kinds of certifications prove to your customer and the market that you have a level of knowledge and awareness.
Strategically Hire: If you want to get there faster, consider onboarding new staff who are proficient in security awareness and technical skills. You could even split your business into two sections, with technicians that offer a more bespoke, white-glove security service for those customers with complex security needs or who need more confidence.
Stay Aware: Cybersecurity is a fast-changing industry, and new attack vectors and challenges arise all the time. Make sure that you’re continually learning, reading, and practicing security best practices under your own roof so that you can keep pace with the latest threats. Remember, when your clients see that your systems and processes are secure, they are much more likely to trust you with their own!
Want to learn more about MSP security best-practices? Check out our recent MSP Minds Webinar from 4 rockstar cybersecurity experts, A Cybersecurity Deep-dive for You and Your MSP Customers.