MSP vs MSSP: Build it or Buy it?

Is being an MSP enough?  Should you build your cybersecurity up to MSSP industry standards, or partner with an existing MSSP?

By: Michael Contento, F12 Managing Partner, M&A Strategist

I’ll be the first to admit that in the tech world, we love our acronyms. As soon as a new one starts circulating, we jump all over it. VAR, MSP, SOC, ERP, MDR—you get the idea. So now that “MSSP” (managed security service provider) is taking centre stage, a lot of MSPs (managed service providers) are adding that extra “s” into their designation without necessarily earning it.

By now, you may be asking—what’s the difference between an MSP and an MSSP? F12 CTO Calvin Engen puts it succinctly: “an MSP works with and manages a company’s IT infrastructure; when it’s not working, you call them, and they fix it. An MSSP leans heavily on the ‘security’ part of their name: they are all about the protection of your data.”

Calling yourself an MSSP does not mean simply reselling security SaaS—but rather taking a foundational and strategic approach to cybersecurity, bringing organizations to where they need to be in today’s world of constant cyber threats. An MSSP is your direct cybersecurity team.

 

MSP vs MSSP: What’s in a name, anyway?

Maybe you’re wondering why this single-letter distinction matters. The answer is that cybersecurity is not something you should ever take lightly. In 2021, a whopping 85% of Canadian businesses were victims of a cyberattack. So it takes a whole lot more than adding a firewall to your service offering to be able to call yourself a managed security service provider. “Does it make you a subject matter expert simply because you’ve bought a product and now resell it?” prompts Engen. “Are you an expert simply because you’ve added CrowdStrike to your offering? No.” So what does an MSSP have that an MSP doesn’t?

 

Features of an MSSP

Advanced protection offerings: We’re way past the days of purchasing anti-virus software and calling it a day. A true MSSP needs proactive security solutions and early detection systems like MDR and other threat-hunting tools.

An internal team: An MSSP must have the in-house expertise to directly run their SOC (security operations centre) and SIEM (security information and event management). On-staff security experts are vital because they don’t just install the software; they go into a company’s system and run hacker-level attack methods to identify weaknesses and provide actionable recommendations. “If you outsource that,” says Engen, “then you’re probably not a security specialist.”

Certification and standardization: Anyone can claim to offer airtight cybersecurity services—but shouldn’t there be a way to prove you actually can? There is: By routinely running mock-attacks, training employees, and staying on top of every new security product, a real MSSP can provide proof of certification in cybersecurity like CISSP, SOC 2 Type 2, and CyberSecure Canada to demonstrate to clients that you’ve been rigorously tested and passed with flying colours.

 

To build your MSP business into an MSSP—or not to build?

As an MSP owner/CEO, once you’ve identified what the real differences are between an MSP and an MSSP, you are faced with the question of: do I build myself into an MSSP, or do I join an existing one so we can become collectively extraordinary? To answer that, you need to look at a range of factors:

Succession: Are you ready to reinvest in your business? Does it make sense to begin the long and arduous process of becoming a certified MSSP amid economic uncertainty?

Risk: Becoming an MSSP changes your risk profile; the stakes become much higher. An MSP is responsible for day-to-day operations and break-fix problems; an MSSP is on the hook for serious, potentially devastating ransomware attacks. Are you willing to risk the consequences of a security issue gone wrong?

Finances: It costs money to begin the journey to becoming an MSSP; investing in specialized talent, industry-approved software, and the necessary training and certification all require upfront and ongoing capital. This undertaking typically takes 3-5 years and, at a minimum, $500,000+ dollars.

 

You could beat ’em, but why not join ’em?

Our pioneering CTO puts it best: “Cybersecurity is never a one-and-done deal.” The landscape is constantly shifting and evolving; there are always new threats on the horizon, which means the technology to combat the attacks is always changing to meet the challenge. “The only way for a company to avoid being victimized,” Engen sums up, “is through 24/7, hands-on, highly-skilled protection”—and that costs time, money, and effort to be able to offer.

Take this real-life example: a 56-year-old MSP owner is starting to think about his succession plan. At a time when he should be preparing his business to carry on after he’s retired, instead, he’s faced with the mounting pressure of offering a complete cybersecurity package in addition to the respected IT infrastructure platform he’s built over the years. He considers the financial investment and sweat equity required to turn his thriving MSP into an MSSP, and it means pushing back his retirement by several years, as well as risking lowering the value of his business when it comes time to sell or be bought out. So, he turns to an established MSSP like F12 and negotiates an acquisition deal. Now, his loyal clients have the security services their businesses need to keep up with the global market—and he is free to pursue his succession plan without any added pressure.

Are you an MSP considering chasing after that elusive “s” designation? Contact me to better understand what the process of becoming an MSSP includes, as well as learn more about joining the F12 umbrella of IT service providers—and all the MSSP benefits that come with it.