Is Transitioning from an MSP to MSSP Worth the Risk?

With the rise in lawsuits due to mega breaches, it seems riskier than ever to get into the MSSP line of work. So why—and how--are MSPs making the shift?

5 Min Read

Many IT support companies, looking to make the transition from managed services provider (MSP) to managed security services provider (MSSP) pose the same question: Is it worth the risk? It’s a great question that anyone considering this transition should be asking themselves. The short answer: It is not worth the risk! This is often our response once we’ve peeled back the onion with our MSP client and asked a few more probing questions about what type of risk they’re talking about.

After digging in, we’ve learned that most MSPs know that the cybersecurity market is super-hot. There is a massive shortage of qualified cyber professionals in this country and abroad, and this creates a ripe opportunity for MSSPs to fill the void: providing these services to customers in critical need. Since cyber crime is only increasing, with fines growing for companies that aren’t protecting themselves prudently, most companies are in dire need. Many realize it. Sadly, the majority don’t have a clue about how exposed they are. So, yes, we all know the market is hot. If you play your cards right, a value-added reseller (VAR) or MSP can make an effective transition with minimal operational risk.

However, this isn’t the type of risk most companies are talking about when we dig further to understand the question, “Is it worth the risk to become an MSSP?” The question most are asking is: “Isn’t taking on the management of an organization’s security risky because you are exposing yourself to liability if the end user organization [your customer] is breached?”

With the rise in lawsuits due to mega breaches, where even investors sue because of the negligence of the organization to secure its infrastructure, it seems even riskier to get into this line of work. So why are companies making the shift? The reason is, they are setting things up properly, so they don’t have the liability if their customer is breached.

Don’t Be the Fool

It is not worth the risk, as an MSSP, to take on the liability if your customer is breached. As good as your company may be at providing excellent IT security, all it takes is one smart bad guy to break in.

Most highly skilled penetration testers (“white hat hackers”) can break into virtually any organization. The idea is for them to find the chinks in the armor so they can be fixed before the bad guys discover the chinks. However, it’s a never-ending process, because the customer’s environment is constantly in a state of flux: new employees added, employees terminated, new software added and deleted, new hardware added and removed, new updates to hardware and software continually being implemented, new increasingly sophisticated email phishing attacks … and the list goes on. All of these provide a moving target where a bad guy hacker can find the chinks in the armor. They are there. It is just a matter of time and persistence.

Therefore, you can be a very capable MSSP offering your service, but if you are taking on the liability if there is ever a breach, you are cooking your own goose. The bottom line is, most MSSPs do not take on this liability. We know–we work with hundreds of them. Their contracts clearly stipulate they are not liable for any breaches, loss of intellectual property, ransomware demands, etc. This liability falls on the customer. It is their business, they are responsible, and most MSSPs are not about to take on that liability themselves.

How, then, does an end-user customer protect themselves? If they know they don’t have the expertise in-house, and they hire a solid MSSP to secure their company, but the MSSP doesn’t take on the liability if there is a breach, what can be done?

Not All Insurance is Created Equal

Everyone knows that in the auto industry there are great auto insurance companies that really support you after an accident, and then there are the shady ones that reveal their loopholes by not having to pay after you file your claim. It’s no different with cyber insurance. Get a company with a good reputation and make sure you read or (if you are an MSSP) your customer reads the fine print.

If you’re an MSP, and you’re looking to make the transition to MSSP, it can be highly profitable and provide you with deep relationships and stickiness into your customer base. Just make sure your contracts protect you from liability and stress to your customers the importance of getting enough cyber insurance to cover a significant breach.

Reducing Operational Risk

Transforming any business carries inherent risk. Tech Data is in the business of helping our partners be successful; we have a number of programs that help make the transition from MSP to MSSP smoother and less risky, and help the business scale efficiently and rapidly when the big opportunities strike.

Tech Data is one of the largest global value-added distributors (VADs) for IT security products and services. We support over 8,000 security partners, many of which have made, or are in the process of making, the transition to becoming an MSSP. Our unique experience and perspective will help you secure your business transformation from an MSP or VAR to an MSSP. Learn more about our security solutions at

Prior to working for Tech Data as a cybersecurity consultant, Jade Witte spent more than 20 years in the IT industry in various sales, sales management and executive roles. Most of his career has been working for national VARs, as well as global service providers focused on providing solutions for midsize to Fortune 500 customers in IT security, networking, data storage, unified communications and cloud computing.  Jade founded a successful software development company that was one of the early pioneers of SaaS, working in conjunction with the U.S. Department of Labor. Jade is very concerned about the rapid growth and impact of cyber crime globally and passionate about the need for effective cyber security in businesses today. Jade has an MBA from the University of Southern California and currently resides in Phoenix, Ariz.

This guest blog is part of a Channel Futures sponsorship.

Read more about:

Free Newsletters for the Channel
Register for Your Free Newsletter Now

You May Also Like