MSP vs. MSSP: What’s the Difference?

It's been a long, strange trip for managed security services. When I stumbled into the market around 2008, most MSPs were just getting started with RMM (remote monitoring and management) services for PCs and servers.

Around the same time, big antivirus companies stumbled into -- and out of -- the market a few times. By 2012 or so, the market matured. MSPs had multiple endpoint security solutions from which to choose. Life was good. Or so it seemed.

Somewhere along the line, hackers moved the security cheese. Malware attacks extended from endpoints to networks and cloud services. Ransomware rose. Traditional managed services -- PC and server monitoring -- got commoditized.

MSPs Extend to MSSPs

Amid all those changes, the next major MSP opportunity emerged. Once again, it was security. But not your basic AV services. Throughout 2016 and early 2017, I suspect thousands of MSPs embarked on a mad dash to figure out their next-generation security services.

Lyf Widenberg
Lyf Wildenberg

In some cases, MSPs will fold those security services directly into their mainstream offerings. But in other cases, MSPs will launch dedicated MSSP practices, security operations centers (SOCs) and more. Among the companies to watch: Mytech Partners, an IT service provider in Minneapolis that has been building out MSSP capabilities over the past year.

MyTech President Lyf Wildenberg shared some of the early plans with me during HTG's IT Channel Summit in September 2016. By the time MSSP Alert launches in mid-2017, I suspect I'll have more updates from Wildenberg to share.

MSSPs: Specialized MSPs, Telcos, ISVs, CSPs & More

Scott Barlow, global VP of MSP and cloud alliances, Sophos

In the meantime, back to the core question: What's the difference between an MSP and an MSSP? The definitions will spark plenty of debate but...

  • An MSP offers a range of services -- typically managing on-premises and cloud services for customers. Somewhere within that service catalog, the MSP typically offers some security services -- perhaps endpoint, network and/or cloud security.
  • An MSSP focuses on one thing -- security -- and avoids the general purpose IT distractions. They go all in on security. In the MSP's case, it may involve building out a far more comprehensive security practice. It may involve building out a dedicated security practice or spinning off a business.
  • But the MSSP discussion isn't limited to the MSP journey. ISVs, CSPs and telcos also fit the MSSP definition in some cases. As Sophos VP Scott Barlow told me during CompTIA Annual Member Meeting (AMM) in March 2017, Sophos itself can be considered an MSSP -- offering end-to-end security solutions to VARs, MSPs and other types of partners.

Perhaps the MSSP definition is in the eye of the beholder. But I think we can all agree: MSSPs are passionate about safeguarding customer assets, no matter where those assets reside.

PS: Stay tuned. We'll be profiling MSSPs in the days and weeks ahead.

Joe Panettieri

Joe Panettieri is co-founder & editorial director of MSSP Alert and ChannelE2E, the two leading news & analysis sites for managed service providers in the cybersecurity market.