Security Hot Take: Not Every MSP Should Be An MSSP
‘We all think we’re all experts in different areas. And we don’t share a lot. But [it’s] important is for us to start opening up in this new landscape of security, just in working with other teams, regardless of how sound yours is,’ one MSSP told the audience during a keynote panel at XChange 2023.
It deviates from what solution providers typically hear, but not every MSP needs to become a managed security service provider, or MSSP, according to a keynote panel of security professionals that took the stage at CRN parent The Channel Company’s annual conference.
“MSPs seem to suddenly think right now that growth of their company means that should be turned into an MSSP and that’s not how it really should be,” said Seth Kilander, founder and CEO of Ki Security and Compliance Group, a Denver-based MSSP that serves private equity and investment advisor clients.
In reality, MSPs and MSSPs are “completely different business paths and different business models,” Kilander said.
MSSPs offer different and specialized services, and solution providers that form partnerships with MSSPs get the benefit of an outside, specialized viewpoint, Kilander said.
“Just to have that sounding board over the phone is crucial. Because [when] you’re in the tornado, you’re in the middle of it. And every single [cybersecurity] situation is different. There’s too many factors to play with,” he said.
Channel partners can’t and shouldn’t try to be everything to everybody, agreed Tanaz Choudhury, president of Tanches Global Management Inc., a Houston-based IT solution provider in the audience during the keynote.
“Every surgeon is a doctor but not every doctor is a surgeon,” Choudhury said. “Even though the general concepts, general education, or the foundation of technology exists all over, specializations are different. I think even more important than understanding your strengths in technology is understanding your weaknesses and create collaborations where you can now leverage that peer group for what you need, and they can in turn leverage you back because now you’ve created a community of professionals.”
Partnering with an MSSP or another solution provider that has a specialization brings in another set of fresh eyes, she added. “Putting yourself outside of the situation and bringing in someone else also gets you a perspective on what you might be missing so there’s actually checks and balances,” Choudhury said.
The first step in addressing a cybersecurity incident is bringing in the right resources and level of expertise to understand what occurred, because a hack means something different to everyone, said Rosana Filingeri, vice president of business development for Cybersafe Solutions, a Melville, N.Y.-based MSSP.
“Sometimes we’re in a full-blown ransomware scenario. Other times, it’s a remote user calling in panicking because they think their mouse might have moved,” Filingeri said, adding that triaging the situation is important.
“There are so many times where we work alongside folks that have been brought in and sometimes, it’s another managed service provider. The first and most important step is bringing in the right resources.”
To its detriment at times, the MSP community can be insular, Kilander said.
“We all think we’re all experts in different areas. And we don’t share a lot. But [it’s] important is for us to start opening up in this new landscape of security, just in working with other teams, regardless of how sound yours is.”
That’s because when it comes to incident response, the industry is always a step behind, he said. “We know that no matter how proactive you are, we are always behind.”
What Comes Next
In the aftermath of a breach, actions that were taken even a month earlier may no longer be the best approach, the security executives said.
Having that partnership relationship with an MSSP and knowing who to call will prevent MSPs from inadvertently opening more doors for hackers, Kilander said.
“It’s so important to not only be prepared and to think of these things ahead, because the only way we really can be proactive is to ask all of the what ifs and what are the small things that, if that happened, could we cover that?” he said.
MSPs handling a security incident are often going up against a very well-organized and well-funded adversary, so it’s important to be as prepared as possible. Cybersecurity, said Chad Hodges, president of Sacramento, Calif.-based IT consulting firm HSB Solutions, Inc., is an ecosystem play.
“[It’s about] making sure that you have everything organized in terms of your communication levels, but also making sure that you have those partnerships that exist outside of your organization,” he said.
The belief among MSPs that their natural progression should include becoming an MSSP is usually “self-inflicted,” driven by a firm’s own customer base asking for security to be layered on top of the services their MSPs are already providing, Hodges said.
“That’s where we start to have the misnomer that it’s our natural progression,” he said. “You want to make sure that you can add certain layers of security features -- that totally makes sense -- but you want to be able to have a certain separation so if the worst does happen, you’re not caught in the middle and not able to actually do your own incident response. It’s always an ecosystem play in finding folks that are similar to your organization in terms of capability, market focus and understanding the different regulatory compliances. It’s a completely different business model to manage an MSP versus an MSSP.”