As your MSP practice matures, you will tackle everything from hiring to firing, marketing, vendor relations, and growing your offerings. And while every MSP realizes that security is their oxygen and without it, they die, at some point, they will have to make the call as to whether to go all-in on security or to outsource that expertise.
That “build or buy” choice happens across many lines of business, but no such decision carries more weight. How many of us have considered making the leap from a security generalist to a specialist; and how many should?
First, what is an MSP?
There is no right answer here, but in the context of this discussion, we can agree that MSPs offer a broad range of services from help desk to virtual CIO services and more. But usually, as an MSP, your job is to find a way to “get to yes” by solving existing challenges and preventing new problems.
MSPs also generally interface directly with their customer base, rarely working for other MSPs. And MSPs must be generalists, supporting hardware, virtualization, applications, peripherals, hosting, and more. Even if they specialize in a single vertical, they must be broadly knowledgeable.
Next, what is an MSSP?
MSSPs tend not to work directly with end-users and often serve other MSPs. They are, of course, heavily focused on security and compliance and rarely offer help desk or other MSP services. Managed Security Service Providers also tend to deal with larger firms. Many also provide SOC (security operations center) services as well. And unlike MSPs, many MSSPs have to say no more often than yes. It may sound pretty good to a lot of us that toil in the MSP trenches; no more password resets, adds, moves, and changes or explaining how to “right-click.” But not every MSP wants to be an MSSP.
Related reading: Cybersecurity tips for MSPs
Should you become an MSSP?
There are two primary questions to ponder here. First is whether you are reasonably confident that you can succeed in going after that niche, and the second is whether you can deliver on your commitment. You to address the first question by analyzing your market and existing competition, though MSSPs and SOCs are surely not geographically limited.
The question of whether you are or can become qualified to be a Managed Security Service Provider is the bigger one. Becoming an MSSP requires a significant investment in expertise, staffing, training, and tools. And if you offer SOC services, you will also need a 24x7 operations center, some very serious talent, a commitment to ongoing education, and more. Building a SOC is an all-in commitment with no half-measures.
Why remain an MSP?
Beyond the challenges discussed above, there are other compelling reasons to continue your practice as an MSP. Going vertical has been touted as a direct route to profitability for as long as I have been in IT (over 30 years). But such focus can also lead to risk. The only Managed Service Providers I know of that failed in 2020 were those that had specialized in food, hospitality, and travel.
Speaking of risk, the stakes for Managed Security Service Providers are also higher. For the most part, when a Managed Service Provider makes a mistake, the cost is reasonably well contained, at least with proper contracts in place. MSSPs, by their nature, deal with larger issues, larger clients, and larger risks. I am not claiming that MSPs are not exposed to risk, just less of it. Operating costs for MSSPs are higher too, for insurance, salaries, training, and more.
Maybe just partner?
For most of us that enjoy the variety of client types and sizes, services, and tasks that being an MSP brings, partnering with an MSSP (and SOC) makes more sense. But for those of us with the business acumen, the technical nous, and the drive it takes to specialize and execute at a very high level, becoming a Managed Security Service Provider can be an alluring proposition. Be sure to perform a clear-headed analysis of your market and yourself before you dive in. Familiarize yourself with the challenges that will confront you (from expertise and staffing to higher risks and costs) if you decide to go “all in” and become the MSSP of your dreams.