One of the most debated topics in the IT services world is whether Managed Service Providers (MSPs) and Managed Security Service Providers (MSSPs) can coexist successfully under the same roof. It’s a hot discussion in the industry, and during one of our 2024 Sales And Marketing Boot Camp mastermind sessions, the panel explored this question in depth. Let’s dive into the insights shared by the experts to understand whether combining these two models is a viable and profitable strategy.
Subscribe to the TMT YouTube channel here
Defining MSPs Versus MSSPs: The Basics
The primary distinction between MSPs and MSSPs lies in the services offered. MSPs traditionally focus on providing IT support and management, such as Office 365 services, managed patching and help desk support. MSSPs, on the other hand, operate as security boutiques, focusing on areas like firewall management, vulnerability assessments, SOC services and compliance with complex frameworks such as FedRAMP and StateRAMP.
One key point raised was that in today’s landscape, the lines between MSPs and MSSPs have blurred, especially in the SMB market. Security is no longer just an “add-on” for MSPs. It’s essential to have a robust cybersecurity stack integrated into your offerings, including solutions like endpoint detection and response (EDR), managed detection and response (MDR) and vulnerability management.
The Argument Against Mixing MSP And MSSP Models
Paul Cissel, a well-known industry voice, argues that you cannot successfully run both an MSP and MSSP under the same organization. According to him, these models require entirely different “service factories,” from staffing to revenue structures. Trying to operate both within a single framework risks inefficiencies and potential failure. He estimates only a 30% chance of succeeding when combining MSP and MSSP models.
Success Stories: How Some Have Managed Both
Not everyone agrees with Cissel’s perspective. Several panelists shared their experiences proving that MSPs and MSSPs can thrive together—if managed correctly. Here are some key strategies they highlighted:
- Separate Revenue Streams: Many successful MSP/MSSP hybrids treat IT services and cybersecurity as distinct revenue streams. By doing so, they maintain clarity in their operations while ensuring both sides of the business complement each other.
- Staffing And Expertise: Cybersecurity requires a different skill set than traditional IT services. A security engineer is not the same as an IT engineer. Investing in the right personnel—such as hiring fractional Virtual Chief Security Officers (vCSOs)—is critical to bridging the gap.
- Start With Reselling: For smaller MSPs looking to add a cybersecurity stack, starting with reselling tools from established security vendors can be a stepping stone. This approach allows you to dip your toes into the MSSP world while building expertise over time.
- Cross-Selling Opportunities: A well-integrated MSSP practice can actually reduce the workload of the MSP side by minimizing client issues. Fewer cybersecurity incidents mean fewer emergencies for engineers, which can ultimately improve efficiency across the board.
When To Make The Leap
For smaller MSPs with annual revenues under $1 million, jumping into the MSSP space might not make sense. Instead, the panel recommended focusing on growing the MSP business first and considering partnerships with established MSSPs. However, once an MSP reaches the $1.5 to $2 million range, adding cybersecurity services as a separate revenue stream becomes more viable and can lead to accelerated growth.
One panelist shared how they grew their business from $2.3 million as a traditional MSP to over $4 million by integrating a cybersecurity practice. They emphasized the importance of having a clear model, finding the right clients to start with and building the necessary expertise step by step.
The Importance Of Market Size And Partnerships
For smaller MSPs, it’s critical to recognize that competing directly in the MSSP space may not be realistic. Instead, partnerships can provide the expertise and coverage needed to meet client demands. Reselling tools or co-managing cybersecurity services with an MSSP partner can be effective strategies for breaking into this space without overextending resources.
Final Thoughts: Can You Mix And Succeed?
The debate on whether MSPs and MSSPs can coexist successfully boils down to strategy, scale and execution. While it’s true that managing both models under one organization presents challenges, it’s not impossible. By treating them as distinct entities, hiring the right talent and leveraging partnerships, MSPs can transition into offering MSSP services effectively.