Should You Move From MSP to MSSP? The Answer Isn’t Clear-Cut

The question of whether to transform a managed services practice into one with cybersecurity expertise does not feature a clear-cut answer. Each model – MSP and managed security service provider – holds its own unique advantages, both for enterprises and the channel partner itself. Yet as COVID-19 has opened the door for hackers to exploit peoples’ fears, organizations’ soaring security demands may compel many an MSP to think about turning into an MSSP.

Spending more money to expand a business model poses a risk during a pandemic, but the shift also can pay dividends. Making the move from MSP to MSSP calls for considerable analysis and exploration. Channel Partners Virtual will offer that guidance via the upcoming panel, “Debate 2020: To MSSP or Not to MSSP?”.

The session should prove lively, with two panelists falling in the “Yes” camp and two others saying “No.” Two of the participants are no strangers to the conversation. Mike LaPeters and Scott Barlow both took part in a similar session last year for Channel Partners Evolution.

This time, LaPeters, vice president of worldwide MSP and channel operations at Malwarebytes, will serve as the moderator. Barlow, vice president of global MSP at Sophos, will remain on the “anti-MSSP” side. Jason Duchnowski, product manager at Otava, and Jason Ingalls, CEO of Ingalls Information Security, will speak in favor of becoming an MSSP. And George Makaye, CEO and founder of Makaye Infosec, will team with Barlow.

For LaPeters, the most important aspect of his role will be helping attendees “explore both sides of this evolution,” he told Channel Futures. Not every MSP will want or need to morph into MSSP territory. At the same time, many MSPs should at least evaluate the pros and cons of offering cybersecurity internally.

Going MSSP Is Worth It, But ‘Prepare to Spend Millions a Year’

For Ingalls, the choice is obvious.

Ingalls Infosec’s Jason Ingalls

“Being an MSSP allows your service business to focus on delivering cybersecurity risk management rather than IT support services,” he said. “If you’ve identified this as your desired niche, then it’s where you should be.”

Plus, said Duchnowski, structuring as an MSSP brings financial, competitive and self-preservation advantages.

“Overall in the MSP market, revenue is increasing but profit margins are declining,” Duchnowski explained. “Security services can provide MSPs a way to deliver high-value, higher-margin services that are not as impacted by commoditization the way traditional MSP services are. From a differentiation standpoint, I recently saw a few statistics that seemed to make becoming an MSSP almost a no-brainer. There are more than 40,000 MSPs in North America. Roughly 17% of those firms are considered MSSPs, and almost three-fourths of MSPs that introduced security services saw revenue increases for those services within a year. Finally, [I say] self-preservation because MSPs are increasingly being targeted by cyberattacks. By developing competencies in security, an MSP can help prevent catastrophic incidents from impacting both their business and their clients.’”

Ingalls agreed that MSPs should assess the MSSP opportunity because hackers are growing so bold. MSPs, he said, “no longer are able to keep up with threat actors in the SMB space. Outsourcing or focusing solely on cybersecurity is the most cost-effective risk management strategy for this particular risk.”

All that said, making the move from MSP to an MSSP is no easy, or cheap, task. Indeed, even though Ingalls promotes acting as an MSSP, he knows …