This is a topic we are going to be covering a lot in the future if present trends continue. The growing disparity between security consultancy firms and MSPs with managed security capabilities is already creating confusion in the market. How do we know? Well, if I am confused, that’s not a great sign.
While I am not perfect by any means, I have made the study of the managed services profession my life’s work for the last several decades. It is my job to identify, evaluate, certify, and examine MSPs. Today, unlike at any time in my past professional life, I confess that I am seeing more companies masking their managed services capabilities and emphasizing their cybersecurity services.
Now, you may say there is no issue with this; after all, MSPs are desperately trying to convince clients to update their own security posture and practices. The risk is when you can no longer tell who an MSP is and who is a cybersecurity consulting firm, nothing good will come of this. Why, you ask?
- Greater confusion surrounding the types of access being given to the provider
- Greater confusion from the client as to the types of services capable of being delivered
- Greater confusion around who is responsible for policy within the organization
All three of these scenarios can bring potential risk, confusion, and negative outcomes. We will examine how each of these scenarios can be avoided and suggest best practices to ensure provider and customer alike are protected and acting in accordance with industry best practices.
Provider Access
There is a huge distinction between an MSP (including MSSP) and a security consultant (including break/fix security consultants). Consultants typically operate under the direction of the client. It is the client who dictates the level of access, the rules governing such consultant access, and is in complete control of what, where, and how the consultant interacts with customer infrastructure, IT resources, and data.
The MSP, on the other hand, has its own type of access to the client environment. The MSP access may be governed and directed by the client, but in many situations the client relies on the MSP for this type of policy guidance. In other words, the MSP is acting as a virtual CIO, CISO, or director of IT capacity. As you can see, the MSP has a very different style of interaction and access with the client; very different from the consultant.

