With cybersecurity services in strong demand because of rampant ransomware, software supply chain and critical infrastructure attacks, many managed service providers (MSPs) have moved into the managed security service provider (MSSP) space. And many more are considering it.
While security can be a lucrative market, it also isn’t for everyone. Here are five reasons why an MSP might NOT want to transition into the MSSP sector.
The Cybersecurity Skills Shortage
If you already have skilled security analysts and personnel, great. But many MSPs don’t possess them. Getting them is expensive. Many command six-figure salaries. And depending on the service, the MSP might need several of them to cover all shifts and all areas of expertise. A 24-7 security service is a lot to take on.
“Organizations that do not plan to hire skilled resources to support their added security services should stay away from the MSSP market,” cautions Alexandre Blanc, Strategic and Security Advisor at VARS. “The knowledge baseline required to provide quality MSSP services is evolving way faster than IT knowledge.”
IT and Security Must be Kept Separate
Some MSPs believe that all they need to do is add a couple of staff that are responsible for planned security services to existing resources. But this misses the point that security needs to remain separate from IT in order to monitor existing processes.
“When switching to security, you can no longer handle operations, as the focus is totally different,” said Blanc.
A good analogy is a live event. Those providing the lighting and sound have plenty to do during the event. There will inevitably be problems to troubleshoot, issues with wiring, component failures, and more. Imagine if that unit also had to deal with the security of the speakers and celebrities as well as the general physical security of the building at the same time. The focus and emphasis of these teams is quite different, and the processes and actions don’t mix well. It is the same with IT and security.
Besides, the constant alerts alone – multiplied across all of your customers – precludes a security team from doing anything else. They need to be ready to respond at the first sign of genuine trouble.
Financial Investment Can be High
In addition to personnel, security services require a good support presence and plenty of hardware, software, and security tools. Further, existing staff need to be regularly trained to upgrade their knowledge and keep them apprised of the latest developments and threats. It is quite common for a company to start delivering what appeared to be a relatively simple security offering only to find they need more personnel, more tools, more bandwidth, and more compute resources to deliver with high quality and at scale.
“Oftentimes, the resources, headcount and financing required to make the pivot are underestimated and this can be a serious barrier to entry,” said Scott Barlow, Vice President of Global MSP and Cloud Alliances at Sophos, a security vendor with roots that date to the 1980s.
“MSPs should ensure they do ample research in order to make the decision whether or not they should pivot to become a full MSSP,” Barlow added. “Aggregating disparate technologies and alerts into a centralized data lake and providing 24-7 active threat hunting also requires security experts with hands on keyboards.”
Aversion to Risk
When services are being delivered, there is always risk. But many MSPs have managed to contain it. They are comfortable with their own responsibilities and their own risk perimeter. They know exactly what they are responsible for and what their clients must deal with. Customers get pretty unhappy with downtime; now try to imagine them in the midst of a business-threatening ransomware attack.
Security changes the risk profile completely. Some MSSPs take much of the responsibility for detecting threats, preventing those threats from causing significant damage, and mitigating the impact of a ransomware or malware incursion. Others manage to find a middle ground where they share the load with their customers. Cloud vendors are a good example – yes, they are responsible for the data once it arrives on their platform. But it is up to the customer to ensure that there is no malware in the data they send and that they transfer it in a way that avoids the possibility of a breach.
The bottom line is that there is no easy or comfortable way to take on security services and avoid some of the risk. Therefore, any MSP that is relatively risk averse has no business monkeying with new security services. Yes, they can partner with other MSSPs to make life easier. But risk remains.
“MSPs should consider the risks of taking full responsibility for a client’s security posture, as this could leave them open to a lawsuit in the event of a breach and damages,” said Chris Crellin, Senior Director, Product Management at Barracuda.
MSPs and VARs New to Services
Relatively new MSPs or those VARs just beginning the transition into a more services-oriented business model should definitely not jump into security before they have learned the ropes.
“A reseller, for example, entering the MSP market should stay well away from security services, as they have not yet mastered how to operationalize and build profitability around services,” said Lamon Gorman, Director, Service Provider Channel, Trend Micro.
Still Interested in Becoming an MSSP?
If, after reading all this, you’re still interested in becoming an MSSP, incident response is probably the best place for an MSP to start, as you’ll be one of the first places clients look to for help after a cyber attack.
Here are other resources to help you on your journey: