MSPs vs. MSSPs: What are the Differences, and Which One is Right For YOUR Business
By Jeremy Louise | August 23rd, 2019
While TSI has been working with local area businesses, with all of their technology support needs, for nearly three decades, I’ve always seen my primary job as an educator first and foremost. I don’t just want to help you get the most out of your technology – I want to help you understand why that technology is so important to begin with.
I was reminded of this again just the other day, when a client of mine called me to discuss something he’d been reading a lot about.
“Jeremy, I know cybersecurity is important,” he said to me. “So what exactly is this MSSP thing I’ve been reading so much about? Do I need one of those? What does an MSSP do for me that you don’t already do as an MSP? I thought you handled cybersecurity, too – is that not the case?”
In an industry filled with far too many acronyms, all of these are perfectly reasonable questions. Thankfully, they also have fairly straightforward answers, provided that you keep a few key things in mind.
The Importance of an MSSP: Breaking Things Down
Generally speaking, the major reason why a managed security services provider is so important has to do with the increasingly volatile cybersecurity landscape that we’re now forced to contend with. Not only are we now dealing with far more security issues than ever before, but the scope of even a modest incident is also growing at an alarming rate. According to one recent study, the average cost of a single data breach has now reached approximately $3.86 million – up an incredible 6.4% from just one year prior. If you limit that number to only the United States, the cost rises to a dramatic $7.91 million.
Because of all this, the stakes are incredibly high and the ramifications from even a single incident can be catastrophic- to put it mildly. When you consider all that, it’s no wonder that roughly 60% of all small businesses close their doors within just six months of a cyber-attack.
An MSSP, by design, is supposed to greatly mitigate a lot of the risk to that end. An MSSP operates by way of their clients’ vendor requests and regulatory driven requirements, meaning that not only will this type of organization take steps to safeguard your data, but it will also do so in a way that adequately addresses all of your compliance requirements moving forward. It doesn’t matter whether you’re dealing with DFARS, HIPAA, ISO27001, PCI or something else entirely – an MSSP is designed to keep you and your people safe in a way that maintains your compliance posture and keeps you moving forward- no matter what.
What are the Differences Between an MSP and an MSSP?
At this point, it should be clear that the number one difference between an MSSP and an MSP (managed services provider) can be summed up in a single word: expertise.
None of that is to say that an MSSP is somehow better or potentially less capable than an MSP. Far from it. They both have important roles to play within your organization – it’s just that those roles are different when you consider the very precise target that each type of organization is trying to hit.
An MSSP has a dedicated internal staff that is focused on nothing more than improving your security posture and/or addressing your regulatory compliance requirements. Every decision they make, every piece of software they implement and every recommendation they provide is focused on those two goals in particular. Similarly to an MSP, they’re also proactive and don’t just want to help you remain secure and compliant today, they want to make sure that you’re protected against the ever-evolving threat landscape tomorrow, a year from now and beyond.
An MSP, on the other hand, is focused on a slightly different objective. Typically, these organizations are dedicated more towards ensuring network performance, providing system health monitoring, infrastructure management, and strategic consulting. Their aim to bring about the strategic alignment between your business objectives and the technological solutions they depend on. In other words, an MSP wants to determine both A) where your business is, B) where it wants to be, and C) how you’re going to get there, so that it can use technology to connect those dots in the most effective- and cost effective- way possible.
However, although an MSP usually specializes in things like IT support, systems design and consulting, they often extend into the realm of cyber security, but in terms of expertise, an MSP is focused on “everything” whereas the MSSP is focused singularly on “security and compliance” – hence the name.
In a lot of ways, the differences between an MSP and an MSSP are a lot like the differences between a CIO and a CISO – two positions that also have an important (yet different) role to play in many mid-sized and large companies.
Usually, the CIO (chief information officer) has more of an information system and digital management focus. This is the person tasked with supporting the company in question with a wide array of technology solutions as well as the ones leading the charge to replace legacy solutions and outdated processes with more modernized alternatives.
The CISO, on the other hand, is all about information security. Their job is to mitigate IT security risk throughout ALL aspects of the data lifecycle, meaning that they need to know A) where crucial data is located, B) what the business’ risk tolerance is, and C) what they need to do to protect that data WHILE ALSO supporting a company’s daily and longer term support needs and objectives. In a typical environment, the CISO is accountable for the business’ security and compliance postures, and typically report to the CIO. One role has a security and compliance stance, while the other is very data-oriented and is all about that long-term technology vision. That said, this does not mean that they are mutually exclusive roles with no expertise overlap. It takes both of these important people to help a business put its best foot forward from an IT perspective, remaining as forward-thinking AND as protected as possible.
When Do You Need an MSSP?
One of the major and more prevalent reasons why a business would need to enlist the services of an MSSP oftentimes has to do with vendor-driven security verification requests to ensure their data is safely managed within your environment.
Technology is evolving all the time, and the threat landscape evolving even quicker alongside it. Compliance requirements like DFARS are in a constant state of flux and keeping up with all the mandatory changes can quickly become a full-time job. Enlisting the help of an MSSP can be a great way to relieve some of that pressure- and costs- so that you can both take care of what you need to AND focus the majority of your attention on your business, where it belongs.
The Path to Protection Begins Here
Again – absolutely none of this is to say that you have to choose between an MSP or an MSSP, but rather to encourage you to ask your MSP about their full capabilities to address your growing security and/or compliance requirements. As is true with so much of your technology strategy, this is a decision that must be dictated by your larger goals as a business and we sometimes see that the ROI to adhere to these requirements doesn’t justify the expense.
But for those organizations that DO need to take a more proactive approach to data security, and who are constantly dealing with a series of increasingly important compliance requests, an MSSP can absolutely help usher in the holistic, organic approach to security-related issues that SMBs need to put their best foot forward at all times.
It's Your Move!
If you're interested in taking a more forward-thinking, specific approach to cybersecurity, I encourage you to give either myself or one of my colleagues at TSI a call. Not only will it give us a chance to help make sure we're a good fit for one another, but it will also help us figure out how to mount the personal cybersecurity defense you need to make sure that data breaches and other digital disasters are NOT something you need to worry about any longer.