Can MSPs deliver effective cybersecurity?

Charles Ho

In the past, Managed Service Providers (MSPs) and Managed Security Service Providers (MSSPs) performed very different roles. MSPs were responsible for an organization’s IT infrastructure (storage, desktop management, backups, network, etc.), and MSSPs focused on protecting the organization against cyber threats.

However, as cybersecurity becomes an increasing concern for companies, the lines between MSPs and MSSPs have begun to blur. In addition to managing companies’ IT infrastructure, MSPs have begun pivoting to becoming MSSPs as well.

However, the services that an MSP turned MSSP offers may not actually meet an organization’s security needs. Often, these services fall short of what organizations need and don’t actually provide proper cyber resilience and protection. As a result, companies are left vulnerable to attack and lack the visibility and insight required to make informed business decisions regarding their cybersecurity.

MSPs may promise MSSP-level protection, but it’s unlikely that most can deliver what organizations truly need to become cyber resilient.

How MSPs have traditionally served organizations

Partnering with an MSP enables an organization to outsource responsibility for managing its IT infrastructure. An MSP can provide various services, including:

  • Setting up new endpoints
  • Deploying software/apps across the enterprise
  • Managing software and hardware vendors
  • Implementing infrastructure such as storage, servers, etc.

An MSP can provide numerous benefits compared to managing IT infrastructure in-house. For example, MSPs can take advantage of economies of scale to acquire required software and attract and retain vital IT expertise at a lower cost to the organization. They’re also great at providing services for repeatable tasks at a lower cost.

This has allowed MSPs to offer some cybersecurity tasks such as firewall management and security tool deployment at a much more attractive price point. These types of tasks have become commoditized and there are significant cost savings for businesses. Who wants to pay a senior security consultant $500/hr to deploy an EDR or add a new user to the VPN?

While all of these can potentially be assets for an organization’s security strategy, they aren’t the most effective areas where organizations should be focusing limited security resources.

MSPs are limited compared to true MSSPs

The cyber threat landscape has evolved rapidly in recent years. As cybercrime has become professionalized and attacks are increasingly automated, any organization can be the victim of a sophisticated cyberattack.

To protect themselves against the cyber threats they face, even the smallest companies need a mature cybersecurity program that protects them against the same attacks that Fortune 500 companies face. Anything less is just ineffective – hence the growing number of successful ransomware campaigns and other cyberattacks targeting small and mid-sized businesses.

An effective MSSP has the comprehensive services, deep expertise and technology required to protect an organization against the cyber threats that it will likely face. An MSP with a few bolted-on security-focused capabilities will not make the cut. It’s not enough to offer security tools; an MSP also needs to have the knowledge and experience to use these tools effectively and adapt quickly to new threats and changes.

Security experience and expertise are essential to enable cyber resilience. Some of the common ways in which MSPs fall short include the following.

Creating a Cyber Operations and Tech Stack

An MSSP has deep experience in developing an operations and tech stack for cyber resiliency. An MSP may be an expert in solutions for IT management but lack the same knowledge on the security side. This results in a significant limitation when it comes to the security technology an organization needs.

There are many different cybersecurity solutions out there, and all of them claim to be vital to protecting an organization against cyber threats. However, most don’t live up to their claims, and identifying the combination of tools an organization actually needs can be complex.

Organizations need tools that provide:

  • The right type of coverage to detect potential threats.
  • The right tools to respond to an incident or compromise and flush out an attacker.

Choosing the wrong technology or tech combination can also be cumbersome to an organization, failing to provide adequate cyber resilience and likely raising the cost of the deployment unnecessarily.

Providing a Full Suite of SOC Services

A security operations center (SOC) is responsible for protecting the organization against cyber threats. This involves a range of duties and services, including everything from taking proactive and preventative measures to remediating a successful attack.

MSPs may add some security services but lack the full capabilities of a mature SOC. As a result, they leave their customers with a false sense of security and may leave them vulnerable to an attack. A full-service SOC should include:

24/7 Monitoring and Support

Cyberattacks can occur at any time, not just during business hours. Since the cost and impact of an attack to an organization depends on how quickly the threat is remediated, an MSSP should be ready to identify, investigate, and respond to an attack at any time.

To do this effectively, 24/7 monitoring by a SOC with a trained incident response team on-hand is required. An MSP attempting to expand its offerings by including security services likely lacks the specialized expertise needed to staff a round-the-clock SOC and an incident response team.

Performing Threat Detection and Response

Cybercrime has proven to be very profitable, as the success and high monetary demands of ransomware attacks have demonstrated. As a result, many professional cybercrime groups have emerged to try and capitalize on the opportunity.

As cyber threat actors hone their tools and skills, their attacks become more advanced, sophisticated, and harder to spot. Detecting and responding to these attacks requires deep security knowledge and expertise, which lies outside of an MSP’s core strengths.

Most companies are looking for security that is “good enough”; however, the sophistication of the cyber threat landscape actually makes this a very high bar. Would you trust your family doctor to perform a cardiac bypass surgery? Sure, he knows medicine and charges significantly less, but does he have the expertise and access to the same skills and tools as a surgeon who’s performed it hundreds of times?

How to validate whether the MSP is up to snuff

Comparing MSPs can be difficult, especially when they offer different sets of services. When evaluating an MSP turned MSSP, try asking the following:

  • Do they provide a stack of technology beyond the endpoint? An MSSP is only as good as the tech it has deployed across the environment. If an attack occurs that isn’t picked up by the endpoint, what happens?
  • Do they provide different service levels based on your budget? Cyber defenses either protect an organization against attack or they don’t. What your business needs is a cyber resilient outcome – if it costs less but doesn’t do that, what’s the point?
  • Can they help you get cyber insurance approvals more easily and at a discount? The rise in cyberattacks has resulted in cybersecurity insurers scrutinizing potential customers when it comes to an organization’s security posture. If an MSP can do what they claim to protect the organization, it should be easier to get cyber insurance with better premiums.

You need an effective cybersecurity partner – a true modern MSSP

Having the right tools is essential for an effective security team, but it’s not enough. A good SOC and a good security provider also need deep experience in using these tools and developing and operating an effective security program.

This is what differentiates a true modern MSSP from an MSP with tacked-on security services. An MSP’s expertise is best for dealing with performance issues and outages, not human-driven attacks. An MSSP’s expertise is vital for:

  • Protecting against new and evolving threats.
  • Designing and implementing scalable and effective security infrastructure.
  • Helping build a strong cybersecurity culture within an organization.

This provides organizations with comprehensive cybersecurity that results in a more cyber resilient posture that has the ability to scale with a company. MSPs traditionally lack the background and expertise needed to achieve these goals. For their cybersecurity needs, companies are better off with an MSSP.

Choosing the right cybersecurity provider can be difficult. To learn more about what to look for and how to get the security that your organization needs without breaking the bank, reach out to SolCyber.
