Datto Exec on What ‘Managed Security’ Actually Entails
If there’s one thing IT experts agree on, it’s that there’s big money to be made in security over the next few years as the world learns to deal with the risks associated with constant connectivity. Within the channel, that means there’s a lot of talk among traditional managed service providers (MSPs) evolving into managed security service providers (MSSPs) to take advantage of this top-of-mind opportunity.
It’s green fields, especially among SMBs, which are just now beginning to invest in robust cybersecurity solutions. These business owners and managers are coming to realize the devastation a breach can cause. Enterprises usually have resources to deal with malicious attacks after the fact, but if an SMB gets hit, it could very well mean the end of their business.

Henry Washburn
In addition, global regulations such as the EU’s General Data Protection Regulation (GDPR) or the Health Insurance Portability and Accountability Act (HIPAA) in the U.S. require many businesses to comply with strict cybersecurity rules. While some SMBs might think their businesses aren’t impacted by such regulations, managed service providers know that it’s to their customers’ benefit to ensure the highest level of compliance possible.
“I’ve read the whole, wonderful page turner that GDPR is,” says Henry Washburn, senior competitive intelligence manager at data-protection provider Datto.
Washburn says it’s important for MSSPs to keep governance in a managed-service mindset because none of us really understand the full impact these regulations will have yet.
“You don’t even know how evolved GDPR will be because it isn’t out in the world yet. It hasn’t been litigated by any means … an MSSP shouldn’t be blindsided by that.”
The risks associated with the Internet of Things (IoT) and trends such as bring-your-own-device (BYOD) policies present additional opportunities for MSSPs to provide value to customers. Business owners and managers can’t keep an eye out for every single endpoint and what’s outside of the protected bubble of a network defense, so they’re turning to partners to fill that need. That opens a door for traditional MSPs looking to transition to managed security, says Washburn.
“In the short term, straight MSPs already do some level of management and monitoring. That means they’re managing the desktops and servers and other endpoints. Let’s take it on the opposite side. Does that RMM software know when there’s something left unmanaged? If there is, how new is that on the network? Is it a potential threat?”
This type of security evaluation is something MSPs can dive into and show the value their expertise can provide without having to invest a ton of resources into technical training or additional certifications. Washburn says pointing out existing holes in customers’ security is low-hanging fruit for managed service providers. MSPs should already be doing quarterly business reviews to demonstrate their value and identify areas where they can beef up their service offerings, but as the security opportunity grows, partners can expand into a whole security service, complete with firewalls, threat detection and response, backup and disaster recovery (BDR) and security awareness training.
While the definition of managed-security service provider is still vague enough to be claimed by any partner that provides a firewall and access control, there are a few things that in Washburn’s opinion really differentiate MSSPs from their traditional managed-service provider brethren: education, hardware and software protection, and some sort of restoration procedure in case of a breach.
“I think [that definition is] a moving target,” says Washburn. “There’s no hard and fast, XYZ answer. It took a number of years before just ‘managed service provider’ was a well known term.”
Like cloud and AI, then, managed security is a term we can expect to see liberally used in the IT world. In the end, the definition doesn’t matter as much as the results do.