When you know history, it can help you avoid repeating mistakes from the past. The same is true in managed services. In 2018, as a large segment of the managed services profession contemplates how to incorporate managed security into their portfolio, some companies are trying to encourage the outsourcing of security services to other MSPs.
Put differently: MSPs who offer security are trying to sell to MSPs who do not. The reasoning is simple enough. If you cannot provide managed security to your customers, then you either risk losing that customer, or you develop a managed security offering. I understand this type of thinking, and it is crucial that we honestly consider it. It is helpful to know that this model has existed before. All MSPs need to recognize this reality and make their decisions accordingly.
The Master MSP Business Model
Early in the 2000s, the "master MSP" business model was popular. The simplest description of this model is a younger MSP organization would partner with the "master MSP" for some of the recurring and more process driven tasks. Using a master MSP allowed the less mature MSP to focus on the customer relationship, billing, and non-recurring project work.
While this may sound logical and look good on paper, in reality, this model was less useful for the immature MSP. Do not mistake me: the practicing master MSPs were quite good at what they did. By all external measurements, those master MSPs really could provide a scalable and efficient managed service.
The issue was how that service was delivered through the immature MSP to the customer. In the end, the immature MSP became somewhat irrelevant, and the real value of the service was coming from the master MSP working behind the scenes.
Ultimately, the master MSP business model went away with the individual components performed today by the platform vendors. It is the platform vendor today who typically will offer their MSP partners access to their service desk, NOC services, and other back office solutions.
Master MSP for Security
So, now that we've taken a short trip down memory lane, how does this knowledge prepare us to make a similar decision regarding MSPs offering security to other MSPs?
They say the definition of insanity is trying the same thing twice and expecting a different result. Well, in this case, I may slightly disagree.
Today, MSPs need to be offering some guidance to their customers on security. The pressure to provide managed security to customers is similar to the pressure VARs felt in the 2000s when they were migrating towards managed services. The difference today is that many practicing MSPs touch a lot of security. While not explicitly stated as such, it is hard to think of any MSP today not incorporating some security into their managed services offerings.

