Security's new deal: The MSSPs are here


 In the complex security world, the MSSP model sells itself. But some will fail.

Managed services are wellsuited for many parts of IT. But security looks like a particularly good fit.

Roughly speaking, managed services is a type of outsourcing that can cover business-critical areas, such as networking or data management, and aspires to be integrated with its customer’s environment. In return, the service provider gets a steady income and long-term customer. It’s a pretty effective way to manage complicated IT requirements on more predictable budgets, not to mention cheaper when economies of scale are available.

The complex and demanding nature of cybersecurity is something companies would dearly like to make someone else’s problem. Security purchases also taste less bitter with predictable operational costs and economies of scale. Hence the managed security service provider (MSSP) was born and is becoming a major presence in the technology world.


MSSPs are here

As with the threats they fight, MSSPs seem to be multiplying. Certainly, there are many MSSPs today, ranging from global players to specialised mid-sized providers. Likewise, numerous managed service providers are expanding their operations to include security services, often in collaboration with a security vendor or MSSP partner. Security vendors, meanwhile, are racing to MSSP status in a repeat of how business app vendors started adopting the cloud a few years ago.

Part of this growth is due to established security providers expanding into MSSP status; the model is a convenient way to address many current security problems in an increasingly convoluted landscape.

“I was a speaker a few years back in the UK at a conference with local MSPs and most of them added security to their services because of GDPR,” says Shaun Davis, chief security officer for Netsurit. 

SHAUN DAVIS , Netsurit SHAUN DAVIS , Netsurit
“Compliance and risk are normally what drive the demand for security services and these demands are increasing. All over the world, we see more and more regulations around data security. Cybercrime is at an all-time high and not a day goes by where we don't hear of a major breach.”

MSSPs are also popular for their serviceled approach, which translates to more predictable and selective costs. This is attractive to small and medium enterprises that cannot afford to build their own defences. Smaller organisations are also not spared from the jurisdiction of several technology regulations, so they must have security.

“We are witnessing demand, and from a fairly broad customer base,” says BUI’s technology officer, Willem Malan. “Digital transformation is a major driver, as customers look for cost-effective ways to secure networks, servers, endpoints, databases, applications, and user access in diverse business environments. We have also seen more demand from SMMEs, across industries, and especially in recent months as organisations continue to adapt to the changing world of business and remote productivity during the pandemic.”

Convenient choice

Consequently, there is a rush of MSSPs establishing themselves, offering what looks like a convenient choice for customers. It’s tempting to say that, in the complex security world, the MSSP model sells itself. Yet this is also where some will fail.

The MSSP model looks attractive because of benefits such as scale, but its success depends on how well it integrates with a customer’s business. An MSSP’s reliability hinges significantly on how effectively it communicates with and involves the customer.

“Running an MSSP service from a technical perspective is relatively easy,” says Anna Collard, KnowBe4’s SVP content strategy and evangelist for Africa. “The major challenges are in how to communicate the value to the customer’s business.


Security needs the business to be involved. The purpose of security is to allow the business to continue without disruption. This is something MSSPs sometimes forget, especially when they focus too much on the technical side of cybersecurity.”

The integrated approach is not novel.

Early MSSPs took care of specific (i.e. crucial and sensitive) customer requirements while internal IT teams did the rest. But vastly more complicated technology estates, resulting from what Malan calls hyperconnectivity, have tipped the scales towards broader services adoption. Regardless of whether someone is new or an incumbent, this hands-on quality is a critical distinction.

“The customers always carry the final responsibility for their organisation’s security,” says Collard. “It can never fully be transferred to an MSSP. And for the security services to be effective, an MSSP needs to closely work with its customers. No customer is the same, so security practices need to be fine-tuned to the specific needs of an organisation. “

A fast-moving market

If a company is ready to offer security services and roll with demanding clients, the MSSP model looks like a great deal. But let’s pause for a moment and consider the industry itself. Cybersecurity is notoriously complicated, fast-paced, and competitive. The MSSP model is only a smoother representation of that, but belies several complexities of its own.

Ironically, not all customers understand the hands-on approach explained above, says Paul Grapendaal, Nclose’s head of managed services.

“One of the bigger challenges for MSSP players is to convince clients that a mutually beneficial partnership can yield better results than the purely SLA-driven model. Having essential conversations about what is working, what is not working, where the challenges are and how these are actively being addressed is vital for a successful partnership. Not all clients are comfortable with this level of openness and trust.”

It’s also prudent to remember that MSSPs are relatively new in a sector fighting an arms race. No MSSP approach is cast in stone. The need to innovate, evolve and improve is constant. Threat detection and response (TDR), which uses techniques such as AI to spot and stop attacks, is one example of this innovation. It even inspires an MSSP subset: MDR, or managed detection and response.

“The market’s increased focus on managed detection and response is indicative of the need to turn the tide towards early detection, while advancements in SIEM (security information and event management) and SOAR (security orchestration, automation and response) technologies continue to provide new avenues for MSSPs to diversify their service models,” says Malan.


An MSSP is a fast-moving business. This innovation demand can strain the services business model underneath.

“Staying competitive while providing optimal security to customers can be tricky,” says Collard. “Analysing security threats can wreak havoc on an MSSP’s profits, as you can seldom guarantee the time investment it takes to do incident response and forensics.”

Then there is the friction of quantity versus quality. Services-at-scale prefers the former, but security customers look at the latter. Determining value or return on investment is tricky. The MSSP model may be a simpler form of cybersecurity services, but that doesn’t make it simple.

Nonetheless, MSSPs are well-suited to the technology market’s direction. For that reason, says Davis, it’s here to stay.

“I think it’s the only way going forward. All the traditional security vendors are now trying to add managed services to their catalogue, for very much the same reason managed services companies are adding security. Clients no longer want to deal with multiple companies and, when there is a problem, have to sit with finger pointing, lack of accountability and slow resolution times. I remember one client telling me he wants ‘one neck to strangle if something goes wrong’, and that actually makes sense. As a customer, the biggest reason you want to outsource is to shift accountability and responsibility. Don’t get me wrong – the customer is not passing the buck, but purely getting the right people to deliver on a specialised service.”