What’s the difference between MSP and MSSP?

By: Geoffrey Willison

It seems like every day we see the term MSSP, which stands for managed security services provider, arise more frequently. This is generally due to the rise in IT services providers beginning to dabble in cybersecurity. However, what exactly does this term entail, and how does it differ from the traditional MSP?

Whether you’re looking to learn more about incorporating security services into your offering, or fully make the transition to MSSP, this post will be your guide to the various roles, responsibilities, and functions of a managed security services provider.


The MSP’s role

I think it’s safe to say that we all understand the role of an MSP today. As an MSP, you’re selling IT services to your clients in a fixed-fee model that is priced per device, per user, or some sort of combination. Additionally, these services are typically dominated by tools such as remote monitoring and management (RMM) and ticketing systems that drive business, monitor your clients’ systems, and keep clients happy.

When we get into providing security services, however, the focus then shifts to providing more consulting services. Instead of simply executing a firmware update or patching a server, MSSPs are also looking at the data and making decisions around policy, procedure and evaluating risks to their clients’ environments.

An MSSP is focused on providing a security solution based on what is happening in these environments and how data flows in and out of the client’s network. This information is then turned into actionable intelligence that the MSSP or a third party can use for remediation. The key piece here is the ability to provide the insight needed to proactively make changes to policies and procedures in order to prevent security incidents that might result in breach, data loss, or any other incident that could negatively impact a business.

Core components of an MSSP

Now you might be asking yourself, “do I want to be an MSP who offers some security services, or do I want to make the shift to become a true MSSP?” Well, let’s focus on the latter and discuss what it takes to become an MSSP by highlighting three of the major components.

1. Implementing security internally and externally

The most important element of an MSSP is to practice what you preach. As an MSP, we’ve all provided services to our clients that we don’t necessarily use internally, but this is not really an issue. A quick example of this could be patching and updating your OS or third-party applications. It’s something you do for your clients from a centralized interface, but you may not always do the same for your own staff.

Unfortunately, this kind of practice will not bode well in the world of the MSSP. In this world, it’s becoming extremely difficult to show how you handle governance, risk, and compliance within your own organization, and it’s nearly impossible to provide evidence to support it. Therefore, you need to ensure you are implementing security both internally and externally as an MSSP. If you’re not, how will clients and prospects be able to trust you?

2. Going beyond the bare minimum

As you begin to transition to MSSP, you need to ensure you’re providing security services that go beyond simple protection, such as firewalls or antivirus. This means that your security solution needs to be more robust and comprehensive, but how can you achieve that?

First, you have your foundational security layer, which includes elements like antivirus updates, OS patching, backups, and the like. Next comes the more wholesome layer, which gets into managing Bring Your Own Device (BYOD), asset control, unified threat management (UTM), remediation, as well as computer system hardening. This is where things get more complex because there is less automation involved. These types of security services will require people to act and make decisions, meaning there needs to be a certain level of expertise at hand. Finally, there comes a more advanced layer that covers items such as security information and event management (SIEM), or governance and compliance. Typically, more mature MSSPs will fall under this security level as it requires deeply trained employees and resources, depending on what area or vertical they are focusing on.

3. Fully utilizing resources

The final component of an MSSP is how they define themselves and communicate the value of their security services to clients and prospects. Essentially, what makes them different? For MSPs, this is typically based on factors like price or the number of features that are rolled up into their offering. Then, we start seeing terms such as “vCIO” or “trusted advisor” added as a differentiator for these businesses.

While this is no less important for MSSPs, the one key difference is in how they utilize their resources. Cybersecurity today is not only about the power of technology, but mainly the power of the people behind it. As we begin to see more MSSPs emerge, the focus will shift to how effectively these businesses can use their resources—including their own staff or partnerships. Perhaps we will see a rise in the importance of a Security Operations Center (SOC) and the role it could play in an MSSP’s success. Essentially, the major differentiator for MSSPs is how they utilize their resources to provide clients with the information, analysis, and risk assessment needed to make educated decisions around risk tolerance and how to bolster IT security company-wide.