As COVID-19 has opened the door for perpetrators to leverage the fears of people to serve their malicious ambitions, the rising security demands of organizations has driven many MSPs (Managed Service Providers) to seriously consider becoming MSSPs (Managed Security Service Providers). In addition, with profit margins declining from commoditized offerings, the need to provide higher-margin and value services is also a deciding factor in transitioning from MSP to MSSP.

According to ‘IDC’s Service Provider Pulse: 2Q20’, 16% of a service providers’ total revenue came from managed services, and from that, managed security services accounted for the highest percentage of revenue at 10%. With managed networks, app optimization and performance management growing year over year, it’s becoming more transparent for MSPs that developing broader areas such as security can aid their customers with their business.

But how do MSPs go about this? And is it beneficial for MSPs to become the next MSSP? To a large extent it depends on what end goal you have in mind and how much you are willing to invest. Prior to moving to a full MSSP model, there are several things to consider as transforming from MSP to MSSP is not as straightforward as adding an extra letter.

Is it time for MSPs to add security services to their portfolio?

MSPs face the same challenges as any other business when it comes to security: complex solutions to manage, a shortage of talent, and increasingly sophisticated attacks. But the risk of not addressing security is considerably higher for MSPs, because the future of their business depends on it.

Everything an MSSP does is focused on a ‘security first’ approach and they often focus on integrations between their security offerings to help automate their processes, while an MSP typically focuses on commoditized services such as managing email security, firewalls and intrusion prevention systems, rather than on security needs such as a MSSP. MSSPs must also consider liability issues as regulatory and compliance requirements have to be adhered to, including data sovereignty, privacy and sensitive data protection.

What investments are needed?

Cost of technology
When deciding on the technology you want to offer, upfront investment for the necessary appliances, software licenses, as well as providing unlimited cloud-based DDoS protection for large attacks need to be taken into account.

Cost of maintenance
Maintenance agreements for appliances should also be factored into the overall costs.

Cost of operations
There is a growing requirement for 24x7x365 response and support when it comes to security, therefore an MSSP must set up an Security Operations Centre (SOC) that can provide 24x7x365 capabilities. Apart from providing specialist support for both internal and external customers, an SOC should also be equipped with a complete set of technologies that cover:

● Comprehensive suite of mitigation tools to handle DDoS attacks
● Broad-based visibility and threat detection capabilities (e.g. a portal complete with visibility and analytics capabilities, allowing customers to view service status, DDoS attack information and more)
● Networks (e.g. network-based intrusion detection, network traffic flow analysis)
● Management and Operations (e.g. a SIEM tool, incident response management solutions)
● Endpoints (e.g. endpoint detection and response)

Cost of Go-to-Market
MSPs will also have to consider building their own pool of talent. Apart from hiring skilled cybersecurity staff, whose salaries will be higher than those of other employees, the team will also require complete productization and go-to-market support, including sales enablement training, to help them sell, manage and support their products and services.

Consider partnering with existing MSSPs