Pictured above, left to right: Moderator Kris Blackmon of Channel Futures leads the MSSP discussion with Malwarebytes’ Mike LaPeters, Sophos’s Scott Barlow and Flashpoint’s Ayesha Prakash.

CHANNEL PARTNERS EVOLUTION — Should managed service providers (MSPs) strive to become managed security services providers (MSSPs)?

Absolutely not, according to Scott Barlow, VP of the global MSP distribution at Sophos. MSPs can provide the same services as MSSPs by providing and outsourcing security monitoring and management, said Barlow, responding to the question by Channel Futures senior editor Kris Blackmon during a panel discussion at this week’s Channel Partners Evolution conference in Washington, D.C.

The two other panelists in the session didn’t share Barlow’s view. Mike LaPeters vice president of worldwide MSP and channel operations at Malwarebytes and Flashpoint’s head of worldwide channels and partnerships Ayesha Prakash argued that there’s money to be made by MSPs who become MSSPs.

Barlow contended that rather than investing to become an MSSP, MSPs should ensure all the services they offer are secure and offer a full breadth of necessary detection and protection capabilities. “I just don’t think it’s worth the MSP looking to transition into MSSP,” Barlow said. “Same thing with the data center market. How many MSPs launched their own data center 10 years ago? Where they now?”

The investment in becoming an MSSP, which includes integrating different products and building and operating a security operations center is not warranted, Barlow added. “The RMMs, PSAs and security vendors are all doing that [integration] for you,” he said. “You can outsource a SOC and pay $3-$4 per user per month.”

Nevertheless, becoming an MSSP can be lucrative, Malwarebytes’ LaPeters responded. “While I hear what you’re saying, I do think that if you’re willing to make those investments, there’s so much money to be made as an MSSP,” LaPeters said. “I think that you can really crush it in that space right now because there are so few of them. And if you do it right, you may have a gold mine.”

LaPeters, who joined Malwarebytes in July, referenced a recent survey by his former company AT&T Cybersecurity, which indicated that there are approximately 7,000 MSSPs globally, a relatively small figure considering there are “hundreds of thousands” of providers that characterize themselves as MSPs.

“I will tell you, MSSP is a hot market,” Flashpoint’s Prakash added. “The as-a-service model in the security world is where everything is shifting and it’s going to continue to shift to it. That’s a big push MSPs should look at. It doesn’t have to be next year — it can be five years from now — but think about it, as there is a lot of money there.”

Still, Barlow maintained that MSPs should focus on shoring their security practices, expertise and certifications, a point LaPeters and Prakash didn’t dispute. “There’s a huge disparity between the definition of an MSP and an MSSP and CSP,” Barlow said. “But really, at the end of the day, we want to just make sure that partners are successful in….

….selling the products and services and making sure they go through the certifications and training.”

LaPeters lamented that there are too many partners that don’t want to go through each vendor’s training and certification programs, which reflects poorly on the service provider industry. A recent example is an MSP who was reportedly breached, believed to be the source in ransomware attacks affecting municipalities in Texas.

“I know a few of the partners that were engaged in that whole thing and they are not looking good right now,” LaPeters said. “And it has a lot to do with their investment that they chose not to make.”