The Difference Between an MSP and an MSSP: The Extra “S” Really Does Make a Difference!

Posted in: Resources » Services

Now that Turkey Day is done and we are waiting for a COVID-free Santa to visit our homes (because surviving quarantine should put us all on Santa’s Nice List), it’s time to answer a common question I receive this time of year. As people prepare their 2021 budgets and evaluate their annual contracts, I frequently get asked about the difference between an MSP (Managed Service Provider) and an MSSP (Managed Security Service Provider).

For anyone who has been in technology services for more than five minutes, you will realize that there are many reused acronyms. To make sure we are on the same sheet of paper, here are some common synonym-acronyms (SA – see what I did there?) to these terms:

MSP – Managed Services ProviderMSSP – Managed Security Services Provider
IT Managed Service Provider
IT Support Provider
Managed IT Provider
Managed Network Services (MNS)
IT Service Provider
IT Solution Provider
Office technology provider
Managed Security Services Provider
Managed Security Service
Managed Cyber Security Services Provider

Technology really does have its own language.

Common Questions People Have About MSP Versus MSSP

Is there really a difference?

Yes. An MSP is focused on network management and making sure the IT environment is operational and meeting its functionality and availability targets. An MSSP is focused on securing and monitoring that environment from threats that not only endanger system availability, but also protect those systems from data breaches that can impact the confidentiality and integrity of data (such as ransomware).

Is it a good idea to have my MSP do both network and cyber security management?

Anyone providing routine network management in the same environment are frequently “too close” to see the cyber security risks that are sometimes right before their eyes. Even for cyber security professionals it can be overwhelming, as the cyber risk landscape changes daily (sometimes by the minute), but people with a cyber specialty have the knowledge, tools, and resources to identify trends and manage risks to the environment.

Example: Think of your MSP and MSSP as two doctors and you have a heart condition (because a data breach can kill the heart of an organization in minutes). An MSP is going to be like your general practitioner. They are the ones you go to because they know a little bit about everything. They can prescribe treatments for common maladies and conditions. However, if they identify that you have a heart condition, they’re going to refer you to a cardiologist, who has the specialty knowledge and skills to understand and treat you using the latest information, techniques and tools.

Just like doctors aren’t a monolith of knowledge, neither are IT practitioners. You need the right skills for the job.

My MSP says that they do cyber security as well. Why should I even consider an MSSP?

In our experience, there’s a “conflict of interest” that can arise when MSPs also handle cyber security. For instance, many of the vulnerabilities we uncover stem from IT MSP personnel executing unsafe security practices. While you’d hope your IT MSP would own up to these issues, it’s not always the case, which can lead to some dire outcomes. An MSSP independent of the MSP doesn’t have that conflict and is a good checks and balances to have in place – their only imperative is to keep your systems and networks safe.

What is the big deal? What can happen to me?

We have seen a significant increase in the number of MSPs that are untrained and ill-equipped in cyber security selling customers cyber security services along with their regular network management services. We frequently get called in after a data breach or ransomware outbreak. After we get the environment restored and start our investigation, we find that many of these IT MSPs did not have the proper cyber security management practices in place, or they used outdated tools already exploited by hackers. We also regularly find that MSPs use subpar tools for things like antivirus because it keeps their margins high. That antivirus software you pay $5.00 per month (or more) may cost the MSP as little as $0.89. More sophisticated tools are going to cost more because they are far more effective.

The best scenario, of course, is to have your IT MSP and MSSP work together. We partner with IT MSPs all the time and we complement each other like peas and carrots, peanut butter and jelly, milk and Ovaltine…er…you get the picture. They focus on what they are really good at – network management – and we focus on what we are really good at – cyber security.

Until next time…

Stay agile. Stay safe. Stay sane.

The Disaster Lady (Karen)