Managed Security vs. Security
This is a topic we are going to be covering a lot in the future if present trends continue. The growing disparity between security consultancy firms and MSPs with managed security capabilities is already creating confusion in the market. How do we know? Well, if I am confused, that’s not a great sign.
While I am not perfect by any means, I have made the study of the managed services profession my life’s work for the last several decades. It is my job to identify, evaluate, certify, and examine MSPs. Today, unlike at any time in my past professional life, I confess that I am seeing more companies masking their managed services capabilities and emphasizing their cybersecurity services.
Now, you may say there is no issue with this; after all, MSPs are desperately trying to convince clients to update their own security posture and practices. The risk is that when you can no longer tell who is an MSP and who is a cybersecurity consulting firm, nothing good will come of it. Why, you ask?
- Greater confusion surrounding the types of access being given to the provider
- Greater confusion from the client as to the types of services capable of being delivered
- Greater confusion around who is responsible for policy within the organization
All three of these scenarios can bring potential risk, confusion, and negative outcomes. We will examine how each of these scenarios can be avoided and suggest best practices to ensure provider and customer alike are protected and acting in accordance with industry best practices.
There is a huge distinction between an MSP (including MSSP) and a security consultant (including break/fix security consultants). Consultants typically operate under the direction of the client. It is the client who dictates the level of access and the rules governing such consultant access, and who is in complete control of what, where, and how the consultant interacts with customer infrastructure, IT resources, and data.
The MSP, on the other hand, has its own type of access to the client environment. The MSP access may be governed and directed by the client, but in many situations the client relies on the MSP for this type of policy guidance. In other words, the MSP is acting in a virtual CIO, CISO, or director of IT capacity. As you can see, the MSP has a style of interaction and access with the client that is very different from the consultant's.
As such, it is critically important for you, as the client, to understand the type of provider with whom you are dealing, so you can be aware of the type of access they require to do their job and so you understand who is responsible for the security and governance of the external service provider.
Service Delivery Types
Aside from determining the type of provider with whom you are dealing, it is also important to understand the type of services you will be receiving from said provider. There are many different types of services out there, even from actual MSPs. Knowing whether you are dealing with a consultant limited to break/fix or reactive services (i.e., not managed services) or an actual MSP will give you a lot of information as to the type of access, risk, and responsibilities associated with each provider and also with the client itself.
A consultant will have less access compared to an MSP. An MSP usually has deeper, ongoing access compared to a consultant, whose access will typically end once the engagement is done. A non-MSP consultant performing security services might perform a penetration test, a vulnerability scan, or some other type of consultative service which would not require them to receive the same sort of logical access privileges as those of an MSP.
In the end, after you determine whether you are dealing with an MSP or a consultant, and whether you are receiving managed security or security consulting services, the ultimate question must come down to responsibility: which provider is responsible?
I do not mean that one party is not responsible for their actions or the deliverables in their engagement to the client. I mean, a consultant and an MSP cannot both have overlapping responsibilities within the client organization without some confusion and potential for negative outcomes. Clients need to know what type of provider they are dealing with, they need to know what types of services they are consuming, and they especially need to know who is responsible for actions taken during the relationship.
For these reasons alone, understanding who is and is not an MSP has become really important. Accurately describing what it is you do as a provider will go a long way towards building and maintaining trust with the end-user community.