From MSP to MSSP: a natural evolution or a bridge too far?


While you are undoubtedly motivated to include more security services in your offering, like many MSPs, you may be finding it challenging to add that extra ‘S’.   

One thing is certain. Security is a topic you can’t ignore. It is the hot issue for MSPs and their customers thanks to:

  • Unprecedented threat levels and media coverage thereof
  • Increased regulatory requirements in certain geographical or vertical markets (HIPAA and GDPR spring to mind)
  • Scarcity/high cost of resources with security certifications, making ‘in-house’ an expensive option for SMBs

With security high on your customers’ agenda, this is a significant opportunity for you to:

  • Add value and differentiate your services from other MSPs.
  • Command higher margins and increase recurring revenues.
  • Strengthen your role as a trusted adviser: moving towards being an MSSP involves getting to know the customer’s business in much greater depth.
  • Extend a familiar model from an already trusted provider: your customers are already experiencing the benefits of partnering for other IT services so taking a similar approach to security should be seen as a logical extension.

 
The opportunity is real

According to a 2017 SolarWinds MSP survey, some 80 per cent of respondents were planning to change the way they managed security in the following twelve months, of whom 49 per cent were planning to outsource their security for the first time. This represents an enormous opportunity for MSPs with the right credentials.

The security services opportunity is very real. What is less clear, however, is just how you transform your business and services model to deliver on the security promise.

MSP to MSSP: a natural evolution?

As an MSP, you have a head-start. You have an existing NOC infrastructure. You may be one of the three in five MSPs who already incorporate security services in their offering in some form[1] (typically patch management, anti-virus/anti-malware services, email/web security and disaster recovery). You should also be accustomed to following security best practices in managing your own and your customers’ systems.

Indeed, security is such an integral part of the IT landscape that many commentators believe that in a few years the distinction between MSP and MSSP will no longer exist.

Until then though, having that extra ‘S’ could make all the difference: some 70 per cent of respondents to the SolarWinds MSP survey said they would ‘look more favourably’ on a service provider that described their business as MSSP.

Of course, you can’t just proclaim yourself an MSSP; you need to earn that extra ‘S’.

To be a fully-fledged MSSP according to Gartner’s 2017 Magic Quadrant for MSSPs, you need to offer the following capabilities:

  1. Monitored or managed firewalls and multifunction firewalls, or unified threat management (UTM) technology
  2. Monitored or managed intrusion detection and intrusion prevention systems (IDPSs)
  3. Managed or monitored security gateways for web and email traffic
  4. Monitoring and/or management of advanced threat defence technologies, or the provision of those capabilities ‘as-a-service’
  5. Security analysis and reporting of events collected from IT infrastructure logs
  6. Reporting associated with monitored/managed devices and incident response
  7. Managed vulnerability scanning of networks, servers, databases or applications
  8. Monitoring or management of customer-deployed security information and event management (SIEM) technologies
  9. Distributed denial of service (DDoS) mitigation via a remotely managed service

 
A further useful summary of what you need to do to transition to MSSP is provided by SolarWinds MSP’s ‘12 core requirements of achieving MSSP status’, which combines the scope of services required with the ability to deliver them effectively.

The 12 Core Requirements of Achieving MSSP Status

Four Categories of Security Services

  • Infrastructure: Endpoint security, NOC/SOC services, network firewalls, threat intelligence, perimeter-level security
  • Data Security: Antimalware, BC/DR, digital forensics, application whitelisting and data loss prevention email security
  • Risk and Vulnerability Management: Vulnerability scanning and patching, penetration testing, security policy reviews, intrusion detection
  • Identity and Access Management: User access and management rights, data governance services, authentication, and authorization

Three Pillars of Security Service Delivery

  • Knowledge: Strong, broad expertise across all technical and consulting teams
  • Organizational Ability: Robust internal processes and service delivery management
  • Technology, Tools, and Resource: Comprehensive technical infrastructure and experienced teams

Moving forward

While you may know what is involved in the transition, you may not be sure how to achieve it.

Start by being clear as to where you are now – where you currently sit on the MSP to MSSP continuum. Then, decide just how deep into security you want to go, given the huge level of investment required for some areas.

Adopting a multi-layered approach to network security can help you move forward. Layers should include:

  • Web protection
  • Patch management
  • Email security and archiving
  • Vulnerability assessment and analytics
  • Antivirus software
  • Data encryption
  • Firewalls
  • Digital certificates
  • Anti-spam and spam filters
  • Privacy controls

Leveraging the security features offered by your current RMM provider, along with any additional tools you may want to add to your armoury, can help you to expand the number of layers you offer.

MSP to MSSP: a bridge too far?

The transition to MSSP also requires a fundamental shift in focus: a move from purely executing security procedures to taking on more of a consultative role with your customers: understanding their business in greater depth, evaluating risks and making recommendations around policy and procedures, managing data protection and overseeing regulatory compliance where appropriate.

If you ultimately want to offer all the advanced capabilities expected of a true MSSP (such as intrusion detection and response, preventative security such as security information and event management (SIEM), governance and compliance), it will take time and a not inconsiderable amount of cash to do this in-house.

And quite frankly, most MSPs would not want to build this kind of infrastructure themselves.

Partnering is an effective way of delivering specialist security services. For example, you may opt to partner with a business continuity specialist to give you access to the latest technology and expertise you need to bring an out-of-the-box solution to your customers quickly and profitably.

Now is the time

As we noted earlier, 80 per cent of respondents to the SolarWinds MSP survey were planning to change the way they managed security in the ensuing twelve months. Those decisions are being made now! Some 49 per cent of these are planning to outsource their security for the first time.

Many others will look to their MSPs to provide specialist advice.

So, even if your ambition is not to achieve full MSSP status, you can still get a foot in the security door. Make your customers aware of the changing threats and the potential risks they face. Get to know their security landscape and point out any mistakes being made.  Begin the education process.

This dialogue could open up a valuable new area of service opportunity for your MSP business.

Look out for my next blog that considers what you should be doing to make sure your clients have that first security conversation with you – not your competitor.

Contact us if you would like to find out how partnering with Inbay for NOC and Service Desk can help your MSP business.

 
 
[1] Source: CompTIA: Trends in IT Security, March 2015