MSP vs MSSP: Assembling Your IT & Security Team

Many small businesses decide that they aren't ready to full-time IT professionals, but still realize that they need professional help to manage their IT and IT Security needs.  One click deeper into that research small businesses often end up asking themselves what the difference is between MSP vs MSSP.  If you are in that very spot, you've come to the right place -- in this post we'll discuss the difference between those two types of service providers.

When Small Businesses Shop for MSPs

There are over 6,000 MSPs (Managed Service Providers) in the U.S. -- they are sometimes known as Managed IT providers.  Some industry analysts also refer to these types of providers as IT-as-a-Service providers, although that term has some formality that feels more appropriate for a research report than daily use.

Whatever you call them, the often-heard story around companies that engage MSPs is as follows.  An entrepreneur building a new company starts off purchasing and configuring their own laptop and other technology resources.  Over time, they expand their team with a handful of early employees that have the patience and willpower to manage through configuring their own workstations themselves.  But eventually, the company expands to a point where an experienced hire joins the company and says "managing our own IT is a distraction" -- and urges the founder/owner/CEO to seek out a Managed Service Provider to take over that responsibility.

We're not saying that the above is always the way that Managed Service Providers enter the picture, but it is a storyline we've heard so frequently that it is worth telling here... as an illustration of the completely natural evolution of how companies evolve their IT practices.

What comes next?  Some of the tasks that small businesses are most eager to offload to their newly-onboarded MSP are (often) as follows:

• Provisioning of new laptops/workstations
• Provisioning of new-hire accounts for widespread dependencies (e.g. O365 or G Suite accounts)
• Configuration/installation/maintenance of printers
• Installation/configuration of network infrastructure such as the contents of the "telecom closet"
• Installation of "agents" on each workstation, to monitor workstation health and assist with troubleshooting
• Installation/configuration of phone systems

We're not saying that MSP services "stop" there -- and in fact, for MSPs that do stop there, they are probably at risk of being displaced by more comprehensive providers.  However, the above examples are very typical of what a small business might have at the top of their wish list when they engage an MSP.

Let's move on to how this storyline differs from the story that we hear (time and time again) about how businesses end up in pursuit of professional IT Security help -- and thus sometimes end up learning more about MSP vs MSSP differences than they ever wanted to know.

When Small Businesses Shop for MSSPs

As a company specializing in small business cybersecurity it pains us to say this, but it's important context.  Very few small business operators wake up one morning and just spontaneously say "today's the day I'm going to get my IT security under control" -- it happens, but it's rare.

More frequently, a small business operator experiences one of the following:

1. A cyber attack occurs on their company, leading to a heightened awareness (and usually a high degree of pain), and a strong desire to improve security going forward.
2. A regulatory obligation arises (see also our articles about HIPAA, FedRAMP, FTC Safeguards Rule)
3. A customer requires them to demonstrate stronger security practices (see our articles on Enterprise Security Questionnaires)
4. A voluntary compliance standard arises in their industry, and becomes the norm (see also our articles on SOC 2)
5. An insurer issuing a cybersecurity insurance policy (a "cyber policy") requires the company to improve their security practices

These are some of the top reasons why a company suddenly searches for (and learns a ton about) the difference between MSP vs MSSP, in their quest to augment their current MSP provider with one or more additional providers that are more specialized in security.  Unfortunately, hiring an MSSP (Managed Security Service Provider) is typically the wrong path to solving the security and compliance challenges that led to the search.

When MSP vs MSSP is the Wrong Question to Ask

The list in the prior section of motivations that often drive small businesses to learn about the MSP vs MSSP distinction, and often cause them to seek out an MSSP, needs more discussion.

The lineage of the MSSP industry comes roots that are deeply related to the way we previously worked, prior to COVID-19.  It was a world where "everyone" went into the office and connected to elaborate highly-tuned corporate network infrastructure.  Remember?  And, a security-related configuration mistake in that network infrastructure could suddenly let an outsider (we're being kind: what we mean is a cyber attacker) gain access to dozens, hundreds, or thousands of corporate-managed workstations, servers, and devices.

Then COVID-19 happened.  Most companies sent their teams home.  A whole new class of emerging security issues suddenly came to the forefront, leaping ahead of corporate network infrastructure as the #1 security topic amongst small business IT teams.  Some of those issues that hopped to the forefront, were:

• Shadow IT: when throngs of office workers "went home" many employees forgot all about any IT approval processes associated with bringing in technology they needed for their job.  From webapps unknown to the company, to computer accessors, to home wi-fi systems, employees did what they felt they needed to.  Everyone scrambled to find a way to make their home workspace functional from a technology perspective, with IT approval being an afterthought, if even that.
• Phishing: an upheaval of existing communications norms in companies meant that phishing attackers were able to send emails to employees, asking them to take privileged actions that would not normally be requested via email... but since all of the norms in the company's communications suddenly changed, it didn't feel so strange to see the CEO send an email asking for ACH information to be changed in an internal system (and example of a common phishing fraud).
• BYOD:  not all companies were equipped to instantaneously issue every single employee a laptop for home use, and because of that, BYOD (bring your own device) became instantly acceptable in many companies.  The new security exposure on this one, was massive.  Suddenly computers that employees just happened to have on-hand at home (if they were fortunate) ended up being used for a mix of personal activities, work activities, and activities by other members of the household (for example, a child doing e-learning... and potentially installing chrome extensions and downloaded apps of their choice).

These are just a representative set of examples of the top issues that quickly came up when teams went remote.  And, unfortunately, for those asking whether these problems are better addressed by an MSP vs MSSP... that's entirely the wrong question.  The experience built up by the supermajority of MSSPs is incredibly useful for the types of nuanced corporate network security configuration that we discussed earlier, but not particularly helpful for some of the new-age distributed team security concerns that rapidly came to the forefront over the past year.

That's where Havoc Shield steps in. Whether you are struggling in the aftermath of a cyberattack, sorting out regulatory or compliance needs, navigating an enterprise security questionnaire, or trying to make it over a hurdle set by a cybersecurity insurer, we're here to help.  And our help is all designed around the new context of small business: one where many companies have distributed team members, who may very well be handling sensitive information from the comfort of their couch.  The security concerns around that type of work context are manageable, but you need the right provider to do so.