Should MSPs Become MSSPs? Security Channel Chiefs Debate Question at CPE
Pictured above, left to right: Moderator Kris Blackmon of Channel Futures leads the MSSP discussion with Malwarebytes’ Mike LaPeters, Sophos’s Scott Barlow and Flashpoint’s Ayesha Prakash.
CHANNEL PARTNERS EVOLUTION — Should managed service providers (MSPs) strive to become managed security services providers (MSSPs)?
Absolutely not, according to Scott Barlow, VP of the global MSP distribution at Sophos. MSPs can provide the same services as MSSPs by providing and outsourcing security monitoring and management, said Barlow, responding to the question by Channel Futures senior editor Kris Blackmon during a panel discussion at this week’s Channel Partners Evolution conference in Washington, D.C.
The two other panelists in the session didn’t share Barlow’s view. Mike LaPeters, vice president of worldwide MSP and channel operations at Malwarebytes, and Ayesha Prakash, Flashpoint’s head of worldwide channels and partnerships, argued that there’s money to be made by MSPs who become MSSPs.
Barlow contended that rather than investing to become an MSSP, MSPs should ensure all the services they offer are secure and offer a full breadth of necessary detection and protection capabilities. “I just don’t think it’s worth the MSP looking to transition into MSSP,” Barlow said. “Same thing with the data center market. How many MSPs launched their own data center 10 years ago? Where are they now?”
The investment in becoming an MSSP, which includes integrating different products and building and operating a security operations center, is not warranted, Barlow added. “The RMMs, PSAs and security vendors are all doing that [integration] for you,” he said. “You can outsource a SOC and pay $3-$4 per user per month.”
Nevertheless, becoming an MSSP can be lucrative, Malwarebytes’ LaPeters responded. “While I hear what you’re saying, I do think that if you’re willing to make those investments, there’s so much money to be made as an MSSP,” LaPeters said. “I think that you can really crush it in that space right now because there are so few of them. And if you do it right, you may have a gold mine.”
LaPeters, who joined Malwarebytes in July, referenced a recent survey by his former company AT&T Cybersecurity, which indicated that there are approximately 7,000 MSSPs globally, a relatively small figure considering there are “hundreds of thousands” of providers that characterize themselves as MSPs.
“I will tell you, MSSP is a hot market,” Flashpoint’s Prakash added. “The as-a-service model in the security world is where everything is shifting and it’s going to continue to shift to it. That’s a big push MSPs should look at. It doesn’t have to be next year — it can be five years from now — but think about it, as there is a lot of money there.”
Still, Barlow maintained that MSPs should focus on shoring up their security practices, expertise and certifications, a point LaPeters and Prakash didn’t dispute. “There’s a huge disparity between the definition of an MSP and an MSSP and CSP,” Barlow said. “But really, at the end of the day, we want to just make sure that partners are successful in….