Outsourcing Security: We’ve Seen This Before
When you know history, it can help you avoid repeating mistakes from the past. The same is true in managed services. In 2018, as a large segment of the managed services profession contemplates how to incorporate managed security into their portfolio, some companies are trying to encourage the outsourcing of security services to other MSPs.
Put differently: MSPs who offer security are trying to sell to MSPs who do not. The reasoning is simple enough. If you cannot provide managed security to your customers, then you either risk losing that customer, or you develop a managed security offering. I understand this type of thinking, and it is crucial that we honestly consider it. It is helpful to know that this model has existed before. All MSPs need to recognize this reality and make their decisions accordingly.
The Master MSP Business Model
Early in the 2000s, the "master MSP" business model was popular. The simplest description of this model is a younger MSP organization would partner with the "master MSP" for some of the recurring and more process driven tasks. Using a master MSP allowed the less mature MSP to focus on the customer relationship, billing, and non-recurring project work.
While this may sound logical and look good on paper, in reality, this model was less useful for the immature MSP. Do not mistake me: the practicing master MSPs were quite good at what they did. By all external measurements, those master MSPs really could provide a scalable and efficient managed service.
The issue was how that service was delivered through the immature MSP to the customer. In the end, the immature MSP became somewhat irrelevant, and the real value of the service was coming from the master MSP working behind the scenes.
Ultimately, the master MSP business model went away with the individual components performed today by the platform vendors. It is the platform vendor today who typically will offer their MSP partners access to their service desk, NOC services, and other back office solutions.
Master MSP for Security
So, now that we've taken a short trip down memory lane, how does this knowledge prepare us to make a similar decision regarding MSPs offering security to other MSPs?
They say the definition of insanity is trying the same thing twice and expecting a different result. Well, in this case, I may slightly disagree.
Today, MSPs need to be offering some guidance to their customers on security. The pressure to provide managed security to customers is similar to the pressure VARs felt in the 2000s when they were migrating towards managed services. The difference today is that many practicing MSPs touch a lot of security. While not explicitly stated as such, it is hard to think of any MSP today not incorporating some security into their managed services offerings.
The question becomes whether MSPs need to bring in an outside MSSP to competently deliver these services to customers. The options are:
1) Develop a managed security offering internally
2) Partner with an external MSSP
I think the answer to the "build vs. buy" question depends significantly on the type of security solutions your customers need. For example, if your customers require a SIEM monitoring solution, that is a unique skill set, and only a serious MSP should undertake building such a capability.
Alternatively, if a customer needs such a complex security solution, strategically outsourcing a SIEM as a service would be a wise, if not, accepted practice for the modern MSP. That outsource MSSP would then become a sub-sourced vendor for the MSP and would become the responsibility of the MSP when doing vendor due diligence.
What is clear is that managed security is an unavoidable discussion for most MSPs today. In fact, if an MSP is unable to discuss managed security intelligently, many customers will start to lose faith in that provider. At a threshold level, MSPs need to be conversant in managed security, even if they do not provide all the security solutions to the customer. The MSP, just like a primary care physician, should direct the care for the customer and ensure that only credible and qualified providers are involved in the service delivery process.
What MSPs cannot do is outsource responsibility and risk to a third party MSSP. In the end, the MSP is responsible for everything that goes through their service offering. If you "deliver" it, you "own" it.