The Managed Security Service Partner (MSSP) 2.0

In 2011, Reg Harnish, now CEO of OrbitalFire Cybersecurity, was an MSP. The economy was exploding and every business needed technology. The model back in those days was break/fix. And while business was good, the break/fix approach was challenging because IT providers only made money when their customers had problems. Eventually MSPs migrated to managed services and today are facing an even bigger shift—to cybersecurity.

Harnish told a ChannelCon 2024 audience that while cybersecurity offers endless opportunities for MSPs, it also introduces a whole host of new headaches, in a session called Surviving Extinction: The Future of Cybersecurity for MSPs. He says the headaches don’t stem from the technology, but rather the business model, and makes the case for the managed security service partner (MSSP) 2.0.

The State of Today’s MSP

Getting break/fix providers to transition to managed services was very difficult back in the day because they had to rethink everything they did from selling, packaging services, pricing their services and looking at their balance sheet very differently. Harnish says we’re now at the next chasm with cybersecurity.

“We’re seeing a similar struggle with MSPs as the industry evolves and expects more of them,” Harnish said. “Everything is evolving and we don’t have a great solution.”

He says today’s MSPs are facing these top challenges:

• Competition: There’s a low barrier to entry. Anyone who knows a little bit can stand up their own MSP. You’re competing with everyone on your block.
• Revenue and profitability: Managing your finances is a huge challenge for MSPs and making money in IT is difficult. Everything is more complex because the world has changed.
• Acquiring and retaining customers: Finding a way to deliver on the unique value you provide and then keeping those customers by establishing trust is getting harder to do.

Harnish says that more than half of the MSPs in the United States operate at the survival line. “They’re living paycheck to paycheck, fighting problems at all times and just barely breaking even. There’s no time for strategy, taking care of people and going above and beyond for customers,” he said.

In addition, there are challenges around accountability. “Where does yours start and end?” Harnish asked. “This is an important conversation about cybersecurity because sometimes you’re the root cause and sometimes you’re not. But your customers don’t care.”

If cybersecurity is not your business, Harnish proposes a different model.

A Different Model: The MSSP 2.0

A different model exists. This business model challenges the idea that the MSPs need to own the invoice and everything the customer sees has to go through you. “If you own all the expenses, you own all the liability,” Harnish said.

You need a partner.

“It’s a very simple model,” Harnish said. “It’s outsourcing everything that’s not your core competency. You’re not taking on things where you don’t have expertise.”

Working with a managed security services partner (MSSP) 2.0 looks like:

• Duties are segregated: The idea of auditing or testing your own work doesn’t work anywhere else, and that’s changing.
• Generalists are replaced by specialists: How many things can you be an expert in? Your customers are starting to ask for specialists in cybersecurity.
• Customers experience better outcomes: Happy customers stay, they have no reason to leave and customer retention improves.

Now, MSPs get to:

• Eliminate cybersecurity expenses: You still can offer cybersecurity technology, but you get to focus on what you do best.
• Develop your expertise: When you focus on what you do best, you can elevate your unique value and differentiate from your competition.
• Reduce the tools in your stack: What can you get rid of and how can you consolidate?
• Eliminate cyber-related liability: The MSSP 2.0 doesn’t immediately involve your MSP if there’s an incident, because it may not be your fault or have anything to do with your technology.

Survive or Thrive

Just like 20 years ago, smart MSPs are going to make the leap to a new way of thinking about cybersecurity. No more paying vendor license fees, trying  to hire and retain cybersecurity talent, managing customer expectations, no more lawsuits and insurance cancellations. Harnish believes it’s time to switch things up.

“Better outcomes for your customers means profitability and longer relationships,” he said. “Do you do your own payroll, mow the lawn or clean the bathrooms at your office? You recommend outsourcing to your customers—but are you taking your own advice?

If your MSP is just surviving and you don’t have the time to focus on your core competencies, it could be time to address the mammoth in the room.

“The Wooly Mammoth is extinct because it didn’t adapt to the changing environment,” Harnish said. “Are you evolving and adapting with the things that are in front of you right now?

Get tips on vetting vendors.

Download: Cybersecurity Guidebook for MSPs: Best Practices for Protecting Clients