We know that for today’s IT professionals, you have to be adaptable and responsive to the rapid changes in the industry. Otherwise, you could find that your more nimble peers get ahead of you and win the best clients. So now might be the time to move from the MSP model to becoming an MSSP.
Many tech business owners are still making the transition from break/fix to managed service provider (MSP). But the more forward-looking are moving past that. They’re now in the MSSP (managed security service provider) space. And they know that the easiest way to do it well is with an expert partner.
Adding the extra ‘S’ allows MSPs to stay competitive in today’s landscape but before upgrading your service offerings and transitioning from an MSP to an MSSP, you’ll need to build a skilled team, acquire the right cybersecurity partner and invest in a cybersecurity and multi-tenant automation solutions that will help you increase efficiency.
What is the Difference Between an MSP and an MSSP?
A standard MSP will offer helpdesk support, monitoring, patching and other updates. Their services ensure efficient IT systems and smooth day-to-day business operations, and manage the overall infrastructure for their clients’ systems. They will use a NOC (network operations centre) and provide tech support, often remotely.
An MSSP has a clear focus on security, and will tend to have a SOC (security operations centre) as part of their provision. This will actively monitor and deal with cybersecurity threats. Depending on the client requirements, this may be delivered 24/7.
MSSP services can be more expensive, so there is also the option to offer a collaboration with another MSP to give them additional, white-label support. This is often a good way for them to have out-of-hours monitoring.
Of course, for the end user, both the MSP and the MSSP are third-party outsourcing partners, so you must be confident in explaining the benefits of becoming an MSSP to your current customers.
So, you might talk about your security awareness training offer, your pen testing solution or how you keep them compliant. It may be that you need to help clients see that they are at risk of a cybersecurity attack, even if they don’t think they are.
Tech and Upskilling Requirements for MSSPs
Depending on the size of your current team and the solutions your MSP provides, you might need to think about upskilling. Or you may even be in a position to recruit talent with specific knowledge of cybersecurity.
It’s best to sit down and look objectively at what you have now, before you make any major changes to your services. What are the cost implications for upskilling and recruiting? Do you need to invest in new software or other solutions? What about any compliance requirements for your business?
For instance, you might need to invest in a SIEM (security information and event management) tool. This will give real-time security alerts of both hardware and applications and analyse the risks. A SIEM can manage zero day threats, complex cybersecurity breaches, threat intelligence and behavioural analytics.
Consider Outsourcing and Processes
We’ve mentioned 24/7 monitoring – will you outsource this? Perhaps to someone with global offices so your clients can be reassured that there’s a real person proactively keeping an eye on their systems.
Plus, you might need to invest in analytics and reporting tools, so you can keep your clients informed and demonstrate that you’re looking for patterns and changes in their networks.
If you operate in a number of verticals, there may be specific requirements there. We’ve already considered governmental and military contracts, but anything involving healthcare or sensitive information needs to be approached thoughtfully.
And once you’re clear on this, make sure you update all of your business processes. Then, fully brief your employees and make sure they’re on board and have had any questions answered.
Once you’ve done that, speak to your clients. Give them plenty of notice. And if they’re not keen on working with you as an MSSP, signpost them to a trusted MSP and send them off with no hard feelings. This is key for your reputation, future recommendations and the possibility of them coming back.
Key Frameworks to Know for MSSPs
Where your MSSP and your clients are based, as well as the industries you support, will have an impact on the frameworks you need to be aware of.
For instance, if you’re a USA-based MSSP, or you support clients in the States, you need to understand NIST. The National Institute of Standards and Technology has outlined a cybersecurity framework to help organisations ‘to better understand and improve their management of cybersecurity risk.’
They outline five core functions to make this management more structured; these are identify, protect, detect, respond and recover. NIST offers support and guidance to companies of all sizes.
Also for the US, you may be required to provide services for sensitive industries that must operate within a defined compliance framework such as HIPAA (Health Insurance Portability and Accountability Act) or SOX (Sarbanes-Oxley Act) for example. Make sure you identify relevant frameworks for your target customer.
In the UK, the National Cyber Security Centre (NCSC) recommends Cyber Essentials accreditation, at two different levels. First, the self-assessment allows companies to evaluate their own information security policies and processes.
Secondly, there is a ‘Plus’ option, with the system independently tested and verified by a third party affiliated to NCSC. Depending on the sectors you support, there might be a legal requirement for Plus accreditation.
Also bear in mind that a smaller company that’s part of a supply chain has a responsibility to all the other businesses within that chain, as well as the end client. This is vital for government or military contracts.
There are also a range of international ISO standards that might be relevant to your customers. For example, ISO 27001 is designed to improve information security management systems.
Potential Challenges for Microsoft Users
If your MSSP clients use Microsoft Office products, it’s important to be aware of the unique problems they might face. Because the Microsoft shared responsibility model states that customers are responsible for their own data in the case of MS Cloud services like 365 and the fact that Microsoft doesn’t accept liability for any data loss, the responsibility falls to the customer or their trusted IT partner.
So you need to consider what measures you’ll put in place for security, monitoring, BDR (backup and data recovery)..etc, and have a proactive approach to cybersecurity threats.
Email, phishing and ransomware attacks are ever-evolving and becoming harder to spot. If you or your clients aren’t prepared for that, it’s only a matter of time before something goes wrong.
Furthermore, Microsoft SLAs don’t offer coverage for zero-day attacks or viruses / malware that are not “Detectable by popular Antivirus software”, and as cybersecurity experts at Hornetsecurity warn, modern cybercriminals now operate in large organisations and look to use zero-days at every opportunity.
Another consideration in Microsoft environments is the fact that permissions sprawl is a very real thing. The most vulnerable part of any business is the people, and the more staff who have Microsoft admin permissions (or at least “elevated” permissions), the greater the risk of human error is.
So look at what you can do to limit this by better data management, greater security systems and optimising operational processes and costs. If you’re making the transition to MSSP now, research potential partners who can support you with this.
Hornetsecurity Solutions for MSSPs
To help make that research a little easier, check out the offer from Hornetsecurity!
They’ve specifically developed their comprehensive 365 Total Protection offering which offers an all-in-one solution for M365 security, including email security, backup, compliance, and security awareness training. This unified suite simplifies security management, reduces risk and safeguards your clients’ data and communications, ensuring business continuity.
And it’s designed to integrate seamlessly with M365 to provide much-needed layers of additional security and data protection and offers value to both IT administrators and end users.
Alongside that, Hornetsecurity’s 365 Multi-Tenant Manager ensures settings consistency throughout your customer base. This is an important feature for MSSP users looking for a streamlined approach to managing Microsoft 365.
Plus, a central console makes management easy and convenient, giving the perfect blend of data privacy and ease of use. Via the control centre, IT employees can switch directly from email to backup management and more. So this option makes monitoring, controlling, and optimising filters and configurations much easier. An absolute MUST for MSSPs.
What do you think? Can you see the benefits of moving away from the MSP model and finding new opportunities as an MSSP?
You Might Also be Interested in
Richard Tubb is one of the best-known experts within the global IT Managed Service Provider (MSP) community. He launched and sold his own MSP business before creating a leading MSP media and consultancy practice. Richard helps IT business owner’s take back control by freeing up their time and building a business that can run without them. He’s the author of the book “The IT Business Owner’s Survival Guide” and writer of the award-winning blog www.tubblog.co.uk
All PostsYou might like:
Comments