May 6, 2021

Last Updated on January 4, 2024

Managed Service Provider (MSP) business models have evolved from onsite, break-fix services to your-IT-department-as-a-service. Many MSPs now fulfill CIO/CTO type roles for their SMB clients, as well as covering all tactical IT positions—including security.

So are MSPs and Managed Security Service Providers (MSSPs) effectively synonymous? How do MSPs and MSSPs differ? How do they overlap? And how do they partner to meet customers’ security needs?

To discuss the full scope of security angles and implications for MSPs, a recent episode of The Virtual CISO Podcast featured Charles Weaver, cofounder of MSPAlliance. As always, hosting the show was Pivot Point Security CISO and Managing Partner, John Verry.

“If we look at this idea of the MSSP (and/or MSP, especially if they’re blended), being responsible for setting the security direction, executing the security direction, and validating that the security direction has been executed—that feels a little ‘fox in the henhouse;’ a little bit dangerous,” John observes. “Do you see that as a concern? How do MSPs walk that line? What would be your suggestions to both the MSP and/or the [clients] that are engaging in this space?”

“I feel the MSSP has a better business model argument to say to the MSP, ‘You need us,’” asserts Charles. “And here’s why—and now this is making a couple of assumptions.”

Charles continues: “You remember the old master MSP business model in the early 2000s where you had, chiefly at the behest of the RMM software vendors who are wanting these master MSPs to kind of offload their onboarding of new resellers. And they really were largely just outsourcing a NOC and a help desk to new fledgling MSPs. That kind of flashed out. It doesn’t happen that much anymore.

“Now MSSPs are saying, ‘We can provide a security operation center.’ And I’m not talking just about a help desk. I’m talking they can actually do log analysis. They can take all the stuff that you would think of as a SIEM. So SIEM-as-a-service, where they’re really doing threat intelligence, they’re doing some really detailed stuff behind the scenes that no reasonable, average-sized MSP would have the capabilities to do.

“I mean, it’s really next-gen type of stuff. And I don’t think any MSP could reasonably invest and create that in time to come to market. I think they have to partner. And I think that’s going to be something in the 10 years coming up that will be really exciting to watch. Because the stuff that I’m seeing is pretty revolutionary and it’s very needed in the market,” Charles shares.

“I’ve run SOCs [Security Operations Centers], and we’ve written SOC software and been very involved in incident response,” John replies. “One of the biggest challenges that we’ve always had is that there’s often a separation between the IT operations and the security operations. We’d be sitting there saying, ‘Hey, we have this alert that looks really serious, but you [the client] need to actually have somebody who’s got admin credentials log into this box and do X.’”

“So there’s always been this hesitancy to have the outsourced entity have that level of privilege,” adds John. “In a perfect world, in terms of purely incident response stuff, the MSSP being your MSP would kind of close that loop. Are you seeing MSSPs that are doing the MSP component as well? Where you’re basically outsourcing both your IT ops and security ops to a single vendor?”

“I can’t say because I’d be violating an embargo, but there’s going to be some big acquisition news coming up in our sector over the next couple of weeks with a software company,” Charles reports. “But I think you are seeing a consolidation at a certain level of these companies… There’s a massive gravitational force that’s pulling all technology related to managed services, including security, towards those types of companies. Should we think of that as something that’s going to continue? Absolutely.”

“Are we seeing the MSSPs do what you suggest and kind of consolidating both the security and the general IT?” Charles qualifies. “There are a number of legacy MSPs that have developed security practices that are fairly robust and that do both security and IT. And then there are some that are saying, ‘I’m just going to stick to my wheelhouse and my focus. And I need security, but I’m going to partner that out.’ So I think you see both.”

But Charles has also observed a deeper issue that impacts SMBs’ security coverage.

“The issue I think is security controls have not filtered down to the end user yet… even though they’ve outsourced to an MSP,” notes Charles. “I think in their minds, they’re saying, ‘If I’ve outsourced, then this is taken care of. I don’t have any more risk.’ And that’s an understanding gap we have to cross.”

If you’re involved in outsourcing IT or security, don’t miss the first-hand insight in this podcast episode with MSPAlliance cofounder Charles Weaver.

To hear this episode all the way through, click here. If you don’t use Apple Podcasts, you can find all our InfoSec podcasts here.
