By Edward Tuorinsky, Managing Principal and Founder, DTS
Outsourcing can help your company grow, handling specialized tasks, often for less than the cost of a single annual salary. IT and cybersecurity are two areas where niche knowledge is essential, so it’s no surprise that 81% of companies use third-party vendors to handle part or all of their cybersecurity needs. As technical needs have evolved, two distinctly different kinds of providers are called on: manager service providers (MSP) and managed security service providers (MSSP).
The difference between an MSP and an MSSP is the scope of their offerings. Understanding your service provider’s area of expertise, the scope of services they provide for you, and the delivery model is critically important. Not knowing can lead to assumptions about data storage, application costs, and information security. But with knowledge comes power; executives need a better understanding of MSP vs. MSSP to fully utilize the services they are paying for and make educated decisions about their security posture.
The Difference Between MSP and MSSP
IT operations and infrastructure management are only two of the many services that can be outsourced to a managed service provider (MSP). Ongoing and routine maintenance and active administration on-premises, in a hosted data center, or in a third-party data center may be provided for application, network, infrastructure, and security.
MSSPs are companies that offer nothing but cybersecurity services. From scanning for vulnerabilities and detecting threats to managing virtual private networks, they handle and monitor it all. MSSPs provide around-the-clock protection and are often based in a SOC.
Knowing their difference leads many companies to determine that they need both types of service―to cover IT operations and handle cybersecurity. And this is where things get muddy.
In an effort to keep customers satisfied, many MSPs have begun offering security add-ons. They might offer security patch updates, multi-factor authentication, or other subscription services without having the expertise, certifications, or comprehensive approach needed or cybersecurity, leaving people, data, and transactions at risk.
Similarly, you might hire a general contractor to put an addition on your building. They sub out the work and make sure that everything comes together and works as it should. That doesn’t mean that you turn to a general contractor to handle the ongoing security of your building. For that, you may want someone with more specialization.
The Services You Need
The easiest way to decide if your business needs an MSP or MSSP, or if it would benefit from both, is to consider your existing capabilities.
Choose an MSP if:
- You have no in-house IT capabilities/talent
- You require assistance with computer, network, and server setup as well as equipment acquisition.
- You’re looking for someone to “fix” issues on demand
Choose an MSSP if:
- Your IT staff is not certified in cybersecurity
- Your company needs to robustly protect data or networks
- A cybersecurity framework, such as NIST 800-171 or ISO 27001, must be adopted.
Choose both if:
- Internally, you don’t have much of an IT department.
- You need your IT staff free to handle core responsibilities
- You need remediation or holistic cybersecurity
Many companies don’t have to choose between managed service providers and managed security service providers since they use both to receive the specialized technological solutions and services they require with the least amount of hassle.
Types of MSP Contracts:
Too Small for an MSSP
Small businesses often believe they are too small to be at risk of a cyber-attack, and they are reluctant to hire an MSSP or budget for any cybersecurity. The truth, as we have seen, is that SMBs are a prime target for ransomware. They have what hackers want: intellectual property, customer data, and access to other company partners or suppliers.
To right-size cybersecurity services and spend, shop multiple MSSPs, looking for those that offer tailored services instead of packages or service levels. Reputable MSSPs will start any consultation by assessing your risk and current posture before prescribing services.
Anticipating the Future
In modern times, few companies need IT support but not cybersecurity. Even non-technical and cash-based businesses require security controls and procedures to protect employees, customers, and supply chains.
When it comes to cybersecurity, the US government is paving the way for widespread adoption of standards. The National Institute of Standards and Technology (NIST) provides cybersecurity frameworks, including NIST 800-171, which is being used by the DoD for its Cybersecurity Maturity Model Certification (CMMC) program. NIST standards can be used by any organization, and many in the industry predict that these frameworks and related security standards will spread to the private sector as companies find themselves within the national supply chain.
All of this is to highlight the need for advanced planning when it comes to cybersecurity services. Meeting standards or implementing controls can take months. Those businesses that require certifications should have an MSSP to help them lay out plans to address the most serious risks immediately, work towards other milestones and budget accordingly, and implement a culture of security with employees as a front-line defense.
MSP and MSSP providers can play a critical role in your company, helping support operations, budgets, strategy, and priorities for years of growth or change. Independently assessing your company’s current and future needs; identifying the niche expertise and services your company receives from third parties; and assessing satisfaction with current services is a good place to start.
Edward Tuorinsky has more than two decades of experience in management consulting and information technology services, and he is the founder and managing principal of DTS, a government and commercial consulting organization.
Featured image provided by Christina; Unsplash; Thanks!