The Great Debate: MSP vs. MSSP

What’s the difference between a managed service provider (MSP) and a managed security service provider (MSSP)?

About 20% of EBITDA margin-according to Rob Stephenson, CEO of Thrive, a global MSP/MSSP with headquarters in Boston, who noted this during a panel discussion at a TMT event earlier in the year, moderated by MSP Success and TMT CEO Robin Robins.

Rob Stephenson

Lucrative margins aside, are there other differences in the service model? Can a business be both an MSP and an MSSP? And more importantly, should they? It’s the great debate, MSP vs. MSSP.

The Lines Have Blurred

MSPs and MSSPs used to have clear “swim lanes,” but MSPs are being asked to do more and more with cybersecurity for customers.

“It really doesn’t really matter too much what’s in the client contract. If you’re selling them cybersecurity, they’re expecting you to deliver what they need, and if you do anything less, you’re really not meeting their expectations,” says Neal Juern, CEO of San Antonio, Texas-based 7tech, which provides both MSP and MSSP services.

The line of demarcation used to be that MSSPs offered a 24/7 security operations center (SOC) and a security information and event management (SIEM) solution for real-time monitoring and alerting of suspicious activity and did not venture into the MSP-type duties of network management and help desk.

Neal Juern

Panelist Jay Smith, founder of Security7 Networks and now VP of sales with Integris, a national MSSP/MSP, said the definition is what you decide it to be. “We [Security7] identified mostly as a security boutique and an MSSP. So we didn’t do Office 365, we didn’t do managed patch management, any of those traditional types of MSP things. We really focused on firewall management, SASE, CISSP services, and the like.”

“If you kind of peel the onion back enough, I think in the MSSP space, there is an expectation of a minimum table stakes of very deep, specialized, security-centric certification and experience and processes that may have nothing to do with keeping the blinky lights blinking,” says Lawrence Cruciana, CEO of Corporate Information Technologies, based in Charlotte, North Carolina. “On the MSP side, MSPs have robust processes and procedures and systems for end-user support for keeping the business technology operational, and [they] may not have that deep security experience and all of the runbooks they need that are security-centric.”

While Cruciana does offer a SOC and employs a security analyst, he only monitors for the tools in his own stack, so he deliberately does not call his business an MSSP.

Going Up Market And Scaling

Jeff Farr, managing partner and CEO of Sera Brynn, characterized his Chesapeake, Virginia-based company during the TMT panel as an MSSP with some MSP services. “I don’t believe [that] in the SMB market, where most of us play, that there really is a difference anymore,” he said. But when he targets larger companies, it’s “very much a security play” that includes penetration testing, digital forensics, and expert testimony in court. Plus, he said, “when you start getting into some of the really complex compliance frameworks like FedRAMP, those are things that MSPs are just not going to play in very often.”

Jeff Farr

Juern built out the MSSP side of his business to target midmarket customers that have some IT staff but not necessarily cybersecurity expertise or a CISO. He does not supply those customers with any MSP services such as help desk or hardware, making those engagements more lucrative.

Indeed, the labor-to-revenue ratio for supporting MSSP customers is much lower (8%-10%) versus help desk (30%-35%), noted Stephenson. “So from an employee head count in a challenging labor market, it’s a lot easier to grow your business and your revenue through security,” he said.

A Split Personality?

Can a business successfully mix the MSP and MSSP models? Most say, “Yes, but . . .” They need to be treated as two different revenue streams or “service factories,” as industry expert Paul Cissel characterizes them. Farr believes that because you’re typically targeting larger companies or different verticals than your MSP customers, you can do both.

“We have an SDR [sales development rep] dedicated to MSP and we have an SDR dedicated to MSSP,” says Juern, “and we have a list cleaner that feeds both of those. What’s neat is our MSP clients need the MSSP services anyway, so it just kind of feeds in that direction a lot of times.”

Farr adds that you can’t be an IT service business today without offering some cybersecurity services, whether you partner with an MSSP or have your own SOC. “If your clients are absorbing and taking your cybersecurity subscription services, and they have your SOC and they have a business analyst and they have either a vCSO or someone helping them run a program, they don’t have as many problems,” says Farr. “They don’t have disasters. You don’t have 10 of your best engineers working all weekend to restore their environment. So it takes the load off your MSP practice. It makes them safer, and it also provides a lot of holistic cross-sell within the account.”

Pay To Play

An MSP that builds out an MSSP offering has to be prepared for the time and money it will require, however. Juern expects to hit breakeven this year or next, after a two-year-plus ramp up that included the following:

  • Acquiring more office space to house hardware and security staff and keeping access restricted from the MSP side of the house as part of their security protocols
  • New servers and storage to run the SIEM
  • Training and certifications for staff who wanted to upskill and transition to security along with salary increases
  • New hires with cybersecurity skills
  • Third-party consultants
  • CMMC and SOC 2 certification

With this investment made, “there’s really not anything that a company needs that we can’t provide,” Juern says, other than a security audit. And while he says the MSSP sales cycle is longer, they’ve already signed three clients representing about $12,000 MRR with “a lot more in the pipeline.”

Swim In Both Lanes

Given today’s cyber threat landscape, the security revenue stream shows no signs of slowing down. If you’re an MSP looking to become an MSSP, there are challenges and investments to consider, but the payoff may be worth swimming in both lanes. 

Share:

Author:

Colleen Frye

Colleen Frye is executive editor of MSP Success. A veteran of the B2B publishing industry, she has been covering the channel for the last 17 years.

RELATED ARTICLES

Get The #1 Media Source For MSPs!
Thousands Of MSPs Trust
MSP Success Magazine
For The Best Industry News, Trends And Business Growth Strategies. Subscribe now!
 

Upcoming Events

Stay Up To Date

Thousands Of MSPs Trust
MSP Success Magazine
For The Best Industry News, Trends and Business Growth Strategies

Never Miss An Update