MSP vs. MSSP: Blending Both for Best-in-Class Risk Management

Managed service providers and managed security service providers are frequently confused.
A managed service provider (MSP) is not the same as a managed security services provider (MSSP). While the MSP may effectively function as an MSSP for a small and midsize business (SMB), they do so by bundling specific/narrow MSSP services into their general/broad outsourced IT offerings through MSSP channel programs.
This MSP reselling arrangement is the most cost-effective and efficient way of getting best-in-class risk management and security services (MSSP) from one provider. The same company also monitors, manages, supports, and secures all of your infrastructure and users.
When your MSP manages all of the moving parts through a single pane of glass, they gain visibility into every variable (and hiccup) that affects your quality of service. If something goes wrong, they own it and quickly effect a resolve.
On the other hand, the pure MSSP plays frequently featured in Gartner Group rankings are typically well-known technology brands (AT&T, IBM, Verizon) who sell directly to larger enterprises with in-house IT personnel.
The following three sections are quick summaries inspired by Nick McCourt, a
vCISO/Cyber Security Engineer/CISSP at Integris IT. Nick is quoted amply because his down-to-earth examples and commentary are easily digestible by non-technical types.

#1 – The MSP World

Pardon my time-saving oversimplification in advance. There are two kinds of MSPs: old school and new school.
The former is more reactive and break-fix in nature. They more than likely support clients who still have a significant number of on-premise servers and non-standard technology.
This setup requires a great deal of manual intervention and firefighting.
The latter is more proactive and strategic in its approach. Most of their client assets are in secure clouds with standards-based architecture that aligns with an established risk management framework like NIST.
This setup is more resilient, self-healing, automated, and less prone to hard fails that require an engineer to be in your IT closet in the middle of the night.
As I mentioned in a previous blog, Comparing MSP Services, forward-thinking MSPs are consistently weaving cybersecurity into every client conversation.
Each of the following products, services, topics, and initiatives are part of an ongoing dialogue:

• Microsoft 365 Business Premium
• Security Information Event Management (SIEM)
• Internal Vulnerability Scanning
• Managed Firewalls
• Content Filtering
• Anti-Virus, SPAM, and Malware Protection & Removal
• Regulation & Compliance
• NIST CSF, ISO 27001, ISO 27002, SOC2, HIPAA, and GDPR
• Backup & Disaster Recovery
• Microsoft Azure AD
• Duo Security
• Two-Factor Authentication (2FA)
• Single-Sign-On (SSO)
• Password Management
• Cybersecurity Awareness Training
• Acceptable Use Policies
• Network diagrams and IT roadmaps
• Projects to upgrade hardware, software, applications
• Penetration testing and GAP assessments

Does your MSP follow a framework? If so, there’s a good chance you’re currently taking advantage of several bundled MSSP services.
Learn More: NIST Framework Part One, NIST Framework Part Two, NIST Framework Part Three, NIST Framework Part Four, NIST Framework Part Five, The Best of Both Worlds, NIST & M365, Are You Getting Genuine Managed IT Services?

#2 – The MSSP World

One glance at the following MSSP websites will make one conclusion abundantly clear: security solutions are highly specialized software and consulting packages compared to standard MSP infrastructure fare, diminutively nicknamed “plumbing.”

• Alert Logic Managed Detection and Response
• Arctic Wolf Security Operations
• AT&T Managed Security Services
• Herjavec Group Managed Security Services
• IBM Managed Security Services
• Raytheon Managed Security Services
• Secureworks Managed Security
• Trustwave Managed Security Services
• Verizon Managed Security Services
• Wipro Cybersecurity

These companies sell Penetration Testing, GAP Assessments, Managed Detection and Response (MDR), Internal Vulnerability Scanning (IVS), SIEM, and more, directly to larger SMBs (200+ employees) and enterprises (1,000+ employees).
While the MSSPs mentioned above have offerings that integrate with and complement most standard MSP offerings, they don’t include:

• Strategic Account Management & vCIO
• 24/7/365 Coverage & Support
• Mobile Device Management/BYOD
• Backup and Disaster Recovery/Business Continuity
• Cloud Monitoring, Management & Support
• Server Monitoring, Management & Support
• Workstation Monitoring, Management & Support
• User Help Desk
• Network Monitoring, Management & Support (Switches, Firewalls, Wireless Access Points & UPS)
• IT Process Automation (Systematic Patch, Software & Security Updates)
• Vendor Technical Assistance (Microsoft Azure, Microsoft 365, Google Apps, Telecom, Internet, VoIP, & Document Solution Providers)
• Equipment Procurement & Technology Life-Cycle Management

In the next section, we’ll tie everything together with real-world guidelines to help you maximize the complementary nature of both services and minimize potential conflicts.

#3 – Notable and Quotable Risk Management Insights from Nick McCourt

vCIOs like Nick provide strategic consulting services to their SMB clients. This requires a combination of business, consulting, technical and communication skills.
Nick and his peers need all four to explain how various MSSP offerings work within an MSP service offering. Nick is equally comfortable with diverse audiences: CFOs, CIOs, Software Developers, Network Engineers, Operations Executives, HR, Office Managers, and more.

Nick’s Insights

IT services and security solutions are mutually inclusive and should be designed and implemented according to your organization’s preferred risk and compliance management framework.
Risk Management is not a project. It’s a continuous program that requires generalists and specialists to understand an organization’s exposure and move leadership in the right direction. Any practical risk management program has five steps:

• Identify the risk
• Analyze the risk
• Prioritize the risk
• Treat the risk
• Monitor the risk

The risk management piece is the trickiest part of the puzzle. Figure this out, and everything else falls into place.
MSPs with a high level of operating maturity can help create this foundational sheet of music. MSPs with lower levels of operating maturity usually cannot. This circumstance creates three problems:

• They will have a hard time selecting the right security tools to assimilate into your IT environment
• They will struggle to support the applications on your behalf
• They will not be able to make a compelling business case for you to spend the extra money

MSSPs have a vested interest in working with MSPs who understand their services and lower their support overhead as a result.
MSPs are generalists and translators for many different industries, which makes them a powerful ally when managing risk for an organization.
Managing risk much more than a Penetration Test. A Penetration Test only provides a single snapshot for one moment in time. Nothing stays the same. IT environments are a moving picture.
The act of assessing and managing risk for an organization requires cooperation from multiple departments and includes:

• Policies
• Procedures
• Plans
• Rosters
• Technology
• Security

You can always purchase MSP and MSSP services separately, but tensions may arise between vendors who don’t have 100% visibility into the nuances of each other’s offerings.
For instance, an MSSP may identify a gap the MSP already mentioned to the client six months earlier but couldn’t get them to approve the remediation project. Understandably, the client forgets this detail and gets upset at the MSP for being negligent.
MSPs often require organizations to have specific security services BEFORE they agree to monitor, manage, support, and secure all of their IT systems and users. This arrangement lowers the risk for both the client and the MSP.
When an MSP makes security recommendations, they’re not only trying to protect you and your clients, but they’re also attempting to protect themselves and all of their clients.
An attack on the reputation of one organization can lead to damage for all. And the reputations of the various MSSPs the MSPs recommend and support.
This detail makes MSPs valuable risk management assessors and demonstrates that they don’t just “fix computers.” Their services may be stereotyped as “plumbing,” but everyone knows plumbers do a lot more than fix toilets. They have expertise with faucets, sewer lines, water heaters, sump pumps, piping, and more.
In many cases, the MSP recommends MSSP tools they employ in their corporate environment, so they have real-world experience dealing with all the bits, bytes, speeds, feeds, and 3 AM alerts. It’s personal.

What’s Next?

Is your MSP providing the risk management expertise you require?
Are you clear on the business rationale for all of the extra security tools they recommend?
Do you have documentation that everyone on your IT Steering Committee can understand?
Are you currently using an MSP and an MSSP, and suspect you may be overpaying for duplicate services? We welcome a conversation to help you better understand all of these details.