How to build an MSSP inside your MSP

By: Frank DePrisco

Do you feel like you’re missing an opportunity in not being able to capitalize on the demand for cybersecurity? Expanding your offerings to include MSSP security services is a great way to scale your business, help more clients and bring in more revenue.

While MSPs focus on providing a broad range of IT services, MSSPs have a security focus. Cybersecurity may be a small part of what MSPs do, but for MSSPs, it’s all they do.

Any MSPs looking to serve a client’s potential cybersecurity needs must have an MSSP component to their team. Your current services may touch on cybersecurity, and align with industry best practices, but you won’t be able to provide clients the in-depth cybersecurity services they need without an MSSP division.

What is an MSSP and why is it important?

The acronym MSSP stands for managed security service provider. These IT professionals operate much like MSPs, but MSSPs only deal with security. Threat detection, incident response, and cyber threat resolution are all services MSSPs provide.

Organizations worldwide are scaling their digital presence and use of network services. The more time we spend in the digital realm, leveraging concepts like cloud technology and the Internet of Things, the more pressing our need for cybersecurity becomes. It’s becoming increasingly difficult for companies to meet this demand internally as the global cybersecurity gap becomes more apparent.

Without the ability to build out their teams to accommodate these needs, corporate executives and IT managers are looking for an alternative solution. MSSP security teams and other managed service providers are becoming more viable options by the day. In fact, many MSPs should take stock of their current structure to see if they can accommodate this growing need for MSSP services. 

MSSPs vs. MSPs

Looking at MSPs vs. MSSPs, many areas overlap. MSPs do often cover some cybersecurity services, but not to the level an MSSP would. 

MSPs are typically aware of cybersecurity best practices and work to provide their services within that framework. MSSPs handle security on a more granular level and provide in-depth services like threat detection and response. As a result, you won’t get the same level of protection from an MSP as you would from an MSSP.

Building out your own MSSP

Constructing a separate MSSP arm within your own internal team can be challenging and labor-intensive. You’ll need to decide if the “juice” is worth the squeeze of building an entire MSSP, meaning you’ll have to take time to strategize and assess whether there is a need for the full build-out of an internal team. Ultimately, if you decide building an internal team is the right decision, here are some things you’ll want to consider.

Integrating your MSSP into your operations

Most MSP operations offer a basic level of cybersecurity protection. While it can be effective, this layer of protection is mostly a byproduct of operating their other services within the framework of cybersecurity best practices.

The level of protection MSPs traditionally offer is far from that of an MSSP. To provide MSSP-level security, MSPs will need to integrate more complex cybersecurity workflows into their operations. This means acquiring the tools, skills, and sometimes talent necessary to build intricate cybersecurity workflows.

Additionally, cybersecurity threats don’t appear in an orderly fashion or on a standard 9-to-5 schedule. As such, in-depth cybersecurity protocols and procedures will need to fit into the framework of other services. Internal technology, workflow, and your workforce must all come together to keep things running seamlessly as you bring your MSSP online.

A chart comparing the different options for obtaining MSSP services as an MSP

Essential MSSP staff

Staffing your SOC will be a massive part of getting your MSSP to a point where it’s operational. Here are the key roles you’ll need to fill:

  • Security Analysts. Analysts report to the CISO (chief information security officer). They’re responsible for identifying threats and taking action to protect your client’s system. Security analysts are typically considered the “first line of defense” and work to catch threats early.
  • Security Engineers. Engineers can specialize in either hardware or software. They are responsible for updating and maintaining whichever tools fall under their purview and providing important documentation other team members might need, like digital security protocols.
  • SOC manager. The SOC manager is responsible for the orchestration of the entire team. They oversee analysts, engineers, and directors to ensure they all work in seamless harmony. SOC managers also hire and train staff and influence overall cybersecurity strategy. 
  • Chief information security officer (CISO). This C-level team member is responsible for establishing and updating cybersecurity strategies. A big part of their job is keeping the CEO informed of cybersecurity policies, procedures, and performance. Ultimately, they will report their findings to the CEO and other management stakeholders.
  • Director of incident response (IR). Director of IR positions are usually found in larger MSSP organizations. They’re responsible for managing incident response as a threat occurs and communicating with the larger team to prevent a data breach from growing.

To learn more about the most effective way to gauge talent during the interview process, check out our blog on the top 10 cybersecurity interview questions. 

Essential MSSP tools

There are 5 primary tools you’ll want to focus on when building your own MSSP:

  • A security information and event management (SIEM) tool. A SIEM tool helps to synthesize all of your cyber threat data and reporting in one place. Think of it as a one-stop shop for monitoring and managing security incidents. Proper use of a SIEM tool can result in a large bank of data your team can use to spot security trends, gain powerful insights, and launch actionable remediation steps for your team.
  • Threat intelligence (TI). Threat intelligence feeds will work in conjunction with your SIEM tool. These feeds will leverage cutting-edge algorithms, AI, and systems to analyze threats in real time against a database of existing malicious code. Security analysts can also leverage TI to identify cyber threats that are seemingly unrelated before they become significant breaches. 
  • Customer service tools. There are two tools to focus on here: a ticketing system and a customer portal for ticket submission. Organizing tickets allows security analysts to categorize and address cybersecurity issues quickly. Teams can also use tickets to easily communicate and track how much time is invested in each cybersecurity incident. 
  • AI or security automation tools. Automation is critical in order to scale MSSP services for a large number of clients. Thousands of incoming threats are launched every day. There is no chance of keeping up with that manually. Without automating data aggregation, case management, and reporting, your analysts could begin to experience burnout. Automation will also help you to alleviate human error. Implementing managed detection and response tools is invaluable in this regard.
  • Heuristics and advanced analysis. These tools work to improve your SIEM and TI feeds. By leveraging heuristics and advanced analysis, MSSP techs can get ahead of advanced cyber threats like polymorphic malware and detect most threats as early as day zero. You’ll also be able to identify emerging behavior patterns and use those to trigger future security alerts.

Merging or acquiring an MSSP

Some MSPs may already offer a portion of the cybersecurity an MSSP would offer. If that’s the case, they may be able to reposition themselves by offering a few more services to build out their cybersecurity offerings. The process may be slightly more challenging for other MSP teams starting from scratch.

MSP professionals starting their cybersecurity offerings from ground zero may want to consider a merger with an existing MSSP company or purchase one outright. Building out your own MSSP services internally may be enticing, but it can be time-consuming and involve mastering various cybersecurity skills and disciplines.

The technicians who provide MSSP services usually bring a wealth of experience to the table. If your internal team members don’t have enough experience with the necessary cybersecurity practices and tools, it may be challenging to provide MSSP security on your own. Furthermore, proper MSSP configuration requires a security operations center (SOC) that stays online 24/7. 

In addition to the technical knowledge and SOC requirements, there is also a library of tools MSPs need to be familiar with if they’re going to support MSSP cybersecurity. You’ll also need to devote time and energy to outlining frameworks for your MSSP workflow, as well as the appropriate policies and protocols. Clients requesting cybersecurity services may also have their own industry-related compliance requirements you’ll need to be aware of.

Acquiring an existing MSSP business

As you can see, creating and operating your own internal MSSP operation can be an uphill battle if you’re not prepared for it. Acquiring an existing operation may be more feasible if you’re looking to expand your MSP business to include MSSP services.

The challenge with acquiring an MSSP business is the price tag. You’ll want to search out and purchase an MSSP entity that can match the operational maturity of your MSP services. An operation in that condition could come with a hefty price tag. Consequently, acquiring an existing MSSP company may be a move reserved for larger MSP businesses with investment capital or a deep financial “war chest.”

Merging with an MSSP

Merging with an MSSP security team establishes a strong connection between your two entities and enables you to offer MSSP-related services. However, one aspect of a merger you should be aware of is that it’s somewhat formal.

When you merge with another company, no matter the industry, your operations become formally entangled with the operations and management of the other party. Think of the merger as a marriage. It’s crucial that you “date” the other party for a while before merging. You need to ensure that they fit your company’s core values, culture, and service offerings before you agree to join forces. 

If done correctly, a merger can offer all the benefits of MSSP services without much downside. You’ll instantly gain access to an operationally mature security operations center and be able to expand your service offerings. 

Since a merger with an MSSP happens on a much shorter timeline than building your own team, it enables MSPs to quickly adapt to the growing global IT skills gap. The need for cybersecurity services continues to grow, and an effective merger can allow you and your team to fill that gap for your clients. 

If you’re curious how to find the ideal merger/acquisition match as an MSP, check out our webinar on the subject, Mergers and Acquisitions: A Matchmaking Process for MSPs.

Partnering with an MSSP

While building an MSSP or merging formally are some of the most common options, they aren’t the only ones. Partnering with an MSSP operation is a much more informal setup than a merger. This may be the best play for MSP outfits looking to add MSSP security services quickly.

Choosing an MSSP team as your business partner is essentially the same as a third-party vendor agreement. MSP companies can take advantage of all the skills and services an MSSP can provide while not compromising or changing their internal structure. 

If a potential MSSP partner requires you to change your internal structure or download additional software tools, this should be a red flag. Partnering is typically the most accessible mode of collaboration with an MSSP and shouldn’t require much of a lift from your internal team. 

Working with an MSSP in a partnership framework should be simple and flexible. As an MSP, you’ll be able to access all the skills, technical expertise, and tools necessary to grow your cybersecurity offering. You’ll also be able to scale as you see fit through the different packages and pricing most MSSP partners provide.

Naturally, ConnectWise is always here to help. Contact us anytime or visit our cybersecurity center to see the tools necessary to protect your clients in the modern-day digital landscape. We can guide you toward the proper setup for you and your clients and show you how our innovative cybersecurity tools can help you grow your MSSP offering.