High-growth security space calls to some MSPs

Date: 2020-11-25

This is part 2 of a 2-parter based on material from a recent presentation by SolarWinds Vice President of Security Tim Brown.



With cybersecurity having become such a pressing concern, you may be wondering if hanging out an “MSSP” shingle could be a profitable move for your business.



The managed security service space, after all, continues to enjoy explosive growth as organizations of every kind look to both MSPs and MSSPs to help navigate increasingly complex networking and security landscapes. Mordor Intelligence, a market research firm, projects that the global managed security market will grow more than 15% each year over a six-year span, from almost $28 billion in 2019 to nearly $64 billion by 2025.



While there’s some overlap between managed service providers and MSSPs, the differences are pointed. An MSP focuses on managing clients’ IT infrastructures, ensuring the availability of IT systems, and addressing performance and usability issues. MSP services typically include remote monitoring and management (RMM), backup and storage as part of a coherent business continuity and disaster recovery (BCDR) strategy, and technical support.



Managed security service providers specialize in securing those IT infrastructures. Charged with protecting end users from data loss and compromise, insider attacks, malware, phishing, and a host of other cyberthreats, MSSPs provide very specific cybersecurity services, including security information and event management (SIEM), unified threat management (UTM), and 24/7 network monitoring and reporting, generally through a security operations center (SOC).



Ultimately, MSPs looking to add that extra “s” to their monikers have three options: They can buy, build, or form a partnership.



Buying into security. If you don’t want to spend the time building a security-centric practice, but you’ve got the financial wherewithal to fold another company into your own, you might want to consider acquiring a seasoned MSSP. This is a viable option for successful MSPs that are on the larger side, or for those backed by investors willing to make a big-ticket purchase.



Building your own security operation. The most time- and resource-intensive option, this isn’t a decision “to take lightly,” said Tim Brown, vice president of security at SolarWinds. “There are lots of hidden costs.” First, there’s the acquisition of the requisite skill sets – data loss prevention, firewalls, incident response, intrusion management systems, penetration testing, threat management, vulnerability scanning, etc. MSPs can train existing staff, recruit security experts, or do some combination of the two.

“A security analyst generally lasts about two years in a job until they move on to another, so you have to keep an inflow of new people getting into that role,” said Brown. “Otherwise, we could see a fantastic MSP turn into a failed MSSP.”



Aspiring MSSPs also have to build their operational capacity and product toolset. Full-fledged security service providers offer 24/7 monitoring via a SOC, which uses a lot of resources and involves significant cost. As for products, finding high-caliber vendors shouldn’t be too problematic. Brown said MSPs should look for companies that offer securely built products with mature processes; continuous improvement in the security of products, processes, and infrastructure; dedicated security ops, DevOps, engineering, and support; a standard incident response process; defined processes for the development, support, and maintenance of products; and external pen testing on a regular basis.



Looking for an ally. What to do if you’re not ready to lay out the cash for an MSSP or build your own security operation? Brown suggests forming an alliance. “There are lots of MSSPs that will want to partner with you, and a good partnership could present a great offering to your clients,” he said. By combining your own skills as an MSP and the specialized know-how of an MSSP, your end users will get an end-to-end IT experience that’s optimized, efficient, and secure.



Brown said MSPs with an eye on security specialization needn’t rush headlong into a decision. They can ride the MSP-MSSP fence for a bit and think things through. Or they can set themselves apart by becoming hybrids. “Start small. Hire a few people and start on the consulting side,” Brown suggested. “Do all the things you do today as an MSP, but with a security tilt.”



Competent service providers that want to inject some security services into their business models can be quite successful, Brown said. “The classic MSSPs have one mission – to keep the bad guys out – but that’s not enough. You have to let the good guys be good by giving them access when they need it and taking away access when they don’t,” he said. “A really good MSP can actually do both.”