Is Transitioning from an MSP to MSSP Worth the Risk?
Many IT support companies looking to make the transition from managed services provider (MSP) to managed security services provider (MSSP) pose the same question: Is it worth the risk? It’s a great question that anyone considering this transition should be asking themselves. The short answer: It is not worth the risk! This is often our response once we’ve peeled back the onion with our MSP client and asked a few more probing questions about what type of risk they’re talking about.
After digging in, we’ve learned that most MSPs know that the cybersecurity market is super-hot. There is a massive shortage of qualified cyber professionals in this country and abroad, and this creates a ripe opportunity for MSSPs to fill the void: providing these services to customers in critical need. Since cyber crime is only increasing, with fines growing for companies that aren’t protecting themselves prudently, most companies are in dire need. Many realize it. Sadly, the majority don’t have a clue about how exposed they are. So, yes, we all know the market is hot. If you play your cards right, a value-added reseller (VAR) or MSP can make an effective transition with minimal operational risk.
However, this isn’t the type of risk most companies are talking about when we dig further to understand the question, “Is it worth the risk to become an MSSP?” The question most are asking is: “Isn’t taking on the management of an organization’s security risky because you are exposing yourself to liability if the end user organization [your customer] is breached?”
With the rise in lawsuits due to mega breaches, where even investors sue over an organization’s negligence in securing its infrastructure, it seems even riskier to get into this line of work. So why are companies making the shift? The reason is that they are setting things up properly, so they don’t carry the liability if their customer is breached.
Don’t Be the Fool
It is not worth the risk, as an MSSP, to take on the liability if your customer is breached. As good as your company may be at providing excellent IT security, all it takes is one smart bad guy to break in.
Most highly skilled penetration testers (“white hat hackers”) can break into virtually any organization. The idea is for them to find the chinks in the armor so they can be fixed before the bad guys discover the chinks. However, it’s a never-ending process, because the customer’s environment is constantly in a state of flux: new employees added, employees terminated, new software added and deleted, new hardware added and removed, new updates to hardware and software continually being implemented, new increasingly sophisticated email phishing attacks … and the list goes on. All of these provide a moving target where a bad guy hacker can find the chinks in the armor. They are there. It is just a matter of time and persistence.
Therefore, you can be a very capable MSSP offering your service, but if you are taking on the liability if there is ever a breach, you are cooking your own goose. The bottom line is, most MSSPs do not take on this liability. We know; we work with hundreds of them. Their contracts clearly stipulate that they are not liable for any breaches, loss of intellectual property, ransomware demands, etc. This liability falls on the customer. It is their business, they are responsible, and most MSSPs are not about to take on that liability themselves.