CYBERSECURITY
The Great Debate: MSP vs. MSSP
As more MSPs dive into the deep end of cybersecurity, should they officially cross the lane to MSSP? And can you even swim in both lanes successfully? Our experts weigh in.
BY COLLEEN FRYE
What’s The Difference Between A Managed Service Provider (MSP) And A Managed Security Service Provider (MSSP)?
About 20% of EBITDA margin — according to Rob Stephenson, CEO of Thrive, a global MSP/MSSP with headquarters in Boston, who noted this during a panel discussion moderated by MSP Success and TMT CEO Robin Robins at TMT’s annual IT Sales and Marketing Boot Camp in April.
Lucrative margins aside, are there other differences in the service model? Can a business be both an MSP and an MSSP? And more importantly, should they?
The Lines Have Blurred
MSPs and MSSPs used to have clear “swim lanes,” but MSPs are being asked to do more and more with cybersecurity for customers.
“It really doesn’t really matter too much what’s in the client contract. If you’re selling them cybersecurity, they’re expecting you to deliver what they need, and if you do anything less, you’re really not meeting their expectations,” says Neal Juern, CEO of San Antonio, Texas-based 7tech, which provides both MSP and MSSP services.
The line of demarcation used to be that MSSPs offered a 24/7 security operations center (SOC) and a security information and event management (SIEM) solution for real-time monitoring and alerting of suspicious activity and did not venture into the MSP-type duties of network management and help desk.
Panelist Jay Smith, founder of Security7 Networks and now VP of sales with Integris, a national MSSP/MSP, said the definition is what you decide it to be. “We [Security7] identified mostly as a security boutique and an MSSP. So we didn’t do Office 365, we didn’t do managed patch management, any of those traditional types of MSP things. We really focused on firewall management, SASE, CISSP services, and the like.”
“If you kind of peel the onion back enough, I think in the MSSP space, there is an expectation of a minimum table stakes of very deep, specialized, security-centric certification and experience and processes that may have nothing to do with keeping the blinky lights blinking,” says Lawrence Cruciana, CEO of Corporate Information Technologies, based in Charlotte, North Carolina. “On the MSP side, MSPs have robust processes and procedures and systems for end-user support for keeping the business technology operational, and [they] may not have that deep security experience and all of the runbooks they need that are security-centric.”
While Cruciana does offer a SOC and employs a security analyst, he only monitors for the tools in his own stack, so he deliberately does not call his business an MSSP.
Going Up Market And Scaling
Jeff Farr, managing partner and CEO of Sera Brynn, characterized his Chesapeake, Virginia-based company during the TMT panel as an MSSP with some MSP services. “I don’t believe [that] in the SMB market, where most of us play, that there really is a difference anymore,” he said. But when he targets larger companies, it’s “very much a security play” that includes
MSPSUCCESS.COM