What gives an MSP the right to add the extra "s"?

Kris Blackmon, Head of Channel Communities

August 24, 2018

I’ve spent the better part of 2018 asking a question that everyone has a different answer for: What qualifies a partner as an MSSP?

No one can agree on what gives an MSP the right to “add the s” and bill themselves as a managed security service provider (MSSP). Throughout this year, I’ve had cybersecurity professionals tell me it’s providing an end-to-end, detection-to-response solution, managing their own security operations center (SOC) or conducting security awareness training. Then there are the traditionalists telling me that any MSP that offers a managed firewall or managed antivirus is technically an MSSP, and I should stop asking a question that doesn’t need a strict answer.

But here in the Channel Futures newsroom, we tend to think words are important. In an age when “facts” are malleable and labels are erroneously applied on a consistent basis, it’s important to arrive at common definitions for our industry, and “MSSP” is a high-profile one. In the last few years, the total addressable market for managed-security services has grown by leaps and bounds. By 2022, it will be more than a $40 billion market, and when you’re talking about that much cash, there’s an understandable desire for a hard and fast answer to that pressing question: When has an MSP earned that extra “s”?

To arrive at our definition, we first dove deep into the data we collected in this year’s MSP 501 ranking list and survey to try to figure out which benchmarks absolutely must be met in order to qualify as an MSSP. It wasn’t easy, and there was more than one tense conversation as we all pushed for our own formula. Over the course of the year, we’ve sought the input of analysts, vendors, distributors and MSPs, all of which we took into account to inform our decision process.

First and foremost, we all agreed that a candidate for the MSSP designation had to have more than 35 percent of its revenue generated through managed services. While there are resale and consulting components of an MSSP model, by and large a managed security provider has to wheel and deal in ongoing services, since cyberdefense isn’t a one-hit wonder solution.

We were also quick to agree that applicants needed to work with at least three security vendors. No one vendor can do the trick. You’ve got your backup and disaster-recovery guys, your endpoint response and detection providers, threat-landscape intelligence gurus, and a ton of other solution-specific service providers that, when integrated into one MSSP solution offering, create a robust cyberdefense.

Of course, an MSP that didn’t see security as its biggest growth area probably shouldn’t be billing itself as an expert provider of managed security services. We went back and forth about which base-level focuses must be incorporated into a managed services growth strategy. At the end of the day, we reached a consensus that at a bare minimum, MSSPs should be investing in growing their endpoint-security and network-security practices, the bones of any security offering.

That brought us to products and services, and here’s where the discussion really ramped up. Everyone had an opinion, and they didn’t all match up. After a good amount of debate, we decided the following product and service offerings must be present in an MSSP’s practice:


  • Endpoint security

  • Identity and access management

  • Network security

  • Enhanced network monitoring

Managed Services

  • Managed security

  • Patch management

  • Managed anti-spam

  • Mobile device management

  • Network Operations Center (NOC) Services

  • Help desk

  • Remote monitoring

Once we landed on the criteria, we crunched the numbers. Considering how many MSPs claim to have a robust managed-security practice, we were slightly surprised that only 58 of our 501 met all of our benchmarks to qualify as an MSSP. Then again, considering the level of expertise required to qualify as a true managed security service provider, it might not be so surprising after all. The cybersecurity job market essentially has a 0 percent unemployment rate, and snagging the necessary skill set to support an MSSP practice requires a good deal of resources that many MSPs don’t have to invest.

We recognize that many out there will disagree with our criteria, and we invite you to give your feedback in the comments below or email us at [email protected]. The channel community can’t arrive at an industry-accepted definition without some discussion and debate, and we’re sure that our criteria will change and evolve along with the security market over time. But today, I’m happy to extend a very warm and special congratulations to our 2018 MSP 501 MSSPs. I hope to see you all at Channel Partners Evolution in Philadelphia in October, where we’ll be recognizing our 501 winners at a special gala.

You can find the 58 that made our list here.

About the Author(s)

Kris Blackmon

Head of Channel Communities, Zift Solutions

Kris Blackmon is head of channel communities at Zift Solutions. She previously worked as chief channel officer at JS Group, and as senior content director at Informa Tech and project director of the MSP 501er Community. Blackmon is chair of CompTIA's Channel Development Advisory Council and operates KB Consulting. You may follow her on LinkedIn and @zift on X.
