From MSP to MSSP: Have you got what it takes?
Managed security services are much hyped as an opportunity for MSPs to scale up their business and increase profit margins. The potential rewards are tantalising. But unfortunately, you can’t just flick a switch and morph into a managed security service provider (MSSP) overnight.
Even if you already include a level of security within your managed services offering, becoming a ‘real deal’ MSSP requires a significant investment; an investment that not every MSP is able or willing to make – at least not at this stage.
Eric Rockwell, an MSP veteran who grew an innovative MSP business through to MSSP, has spoken about this journey and the lessons he learned along the way. His insight and comments are invaluable for MSPs embarking on the same path.
While Eric believes that offering managed security services is the big opportunity for MSPs today, he qualifies this by advising them to ‘be very, very careful’ if thinking about making this transition. The risk is you might bite off more than you can chew.
If you are thinking seriously about becoming an MSSP, start by asking yourself the following three questions about your current MSP business. The answers could help you to decide if you are ready to make that move or not.
- Are you struggling to deliver current managed services efficiently and profitably?
You need high levels of process maturity to deliver security services: sound processes and established, documented procedures. Less mature MSPs can often struggle to deliver existing managed services profitably. If they take on managed security services too, this could bleed away margin rather than adding to it.
If you have ambitions to become an MSSP, you should have reached a certain level of operational maturity – ideally OML 4 and above, as defined by Service Leadership’s proprietary Operational Maturity Level© (OML©) model, where MSPs at OML 1 typically display low or negative financial performance and inconsistent service quality, while those at OML 5 enjoy superior financial performance and the ability to deliver the highest value and quality services.
Other observations also suggest that the more mature the MSP, the greater the likelihood of their leveraging IT more effectively, delivering services more consistently, more profitably and from a more stable business base. Their processes are standardised and well-documented. They are able to deliver services more proactively. Their business has clearly defined roles. They can hire the most qualified and experienced engineers so have access to a pool of expert resources. They are more likely to operate 24/7 – an absolute prerequisite for managed security services.
- Do you fully understand what you will be held accountable for?
If done properly, the potential margins on managed security services are enormous. But don’t ignore that caveat: if done properly.
MSPs may be tempted to take on the role of MSSP because their customers are asking them to, without fully appreciating beforehand just what they will be held accountable for, both in terms of legal liability and customer expectations.
Managed security services should not be entered into lightly. The stakes are much higher as an MSSP than as an MSP – after all, your customers are entrusting their business reputations to you.
The 2112 Group’s Larry Walsh expressed this beautifully in a blog on the topic:
“Security isn’t a product you just sell. If you misconfigure a server, a customer may temporarily lose access to files. If you misconfigure or poorly deploy a router, you may have unstable connectivity. If you don’t do security right, you could lose everything.”
Even if you emerge with your reputation unscathed, in the event of a major security incident, you will have had to throw all your resources into the mix to resolve the situation – and this will obviously detract from service levels experienced in the rest of your managed services business.
- Is your own security house in order?
It goes without saying that you have to practice what you preach: walk the walk, not just talk the talk.
You need to demonstrate that your own house is in order security-wise before you have that first conversation with customers or prospects. Everything you are advising them to do – you should already be doing yourself. If you are not, how can you ask others to trust you with their security needs?
The start of Eric’s own MSP to MSSP journey involved writing a security policy and using it within his own MSP business and learning about security tools available along the way, before approaching any customers to discuss their security requirements.
He suggests the following steps should be covered:
- Determining security stance
- Assigning security roles
- Writing/approving the security policy
- Determining the tools required
- Determining the processes needed
- Planning for the implementation of these
Having your own house in order is particularly important if you are operating in the US healthcare or life-sciences vertical. Here, your managed services business will already be subject to regulatory requirements, particularly around data protection. Take on managed security in this sector and you will be scrutinised by auditors looking for proof of compliance with industry standards such as NIST, ISO and SANS.
MSP to MSSP – will the decision be out of your hands?
My intention in writing this blog is not to deny the huge potential opportunity presented by managed security services. I am with Eric in believing that the future of managed services is inextricably linked to that of managed security and that MSPs who are strong in cybersecurity will have a huge advantage over MSPs who “don’t do security beyond anti-virus and firewalls”.
In any event, the decision may ultimately be out of your hands. Such is the importance of security in every business today that industry commentators are already pointing to the blurring of the distinction between MSP and MSSP. At some point in the future, you may very well have to ‘do’ security just to survive.
If I have made you pause before making the leap to MSSP; made you assess your current capabilities and evaluate what needs to be done before you rush off in search of the holy grail of managed security services – then this blog has achieved its purpose.