MSP vs. MSSP: Blend Both for Better Risk Management


October 6, 2021

We often get questions about MSP vs. MSSP. MSPs and MSSPs are frequently confused, but there are significant differences in their offerings. That doesn’t mean you need to pick one or the other, though – you can actually get the best of both worlds.

In this article, we’re going to break down the differences and similarities for MSP vs. MSSP. I’ve enlisted the help of Nick McCourt, a vCISO here at Integris, to help explain as well. Let’s get into it!


What’s an MSP?

MSP stands for Managed Service Provider. At their core, these businesses provide technical support to other businesses, typically ranging from small-to-medium-sized businesses to the mid-market. And at the risk of oversimplifying, there are two kinds of MSPs: old school and new school.

The former is more reactive and break-fix in nature. They more than likely support clients who still have a significant number of on-premise servers and non-standard technology. This setup requires a great deal of manual intervention and firefighting.

The latter is more proactive and strategic in its approach. Most of their client assets are in secure clouds with standards-based architecture that aligns with an established risk management framework like NIST. This setup is more resilient, self-healing, automated, and less prone to hard fails that require an engineer to be in your IT closet in the middle of the night. Forward-thinking MSPs are consistently weaving cybersecurity into every client conversation.


What’s an MSSP?

MSSP stands for Managed Security Service Provider. These providers typically offer highly specialized software and consulting packages centered around security services for larger mid-market and enterprise businesses.

Their specialties lie in offerings like penetration testing, gap assessments, and managed detection and response, so they typically don’t offer account management, help desk support for end-users, equipment procurement, and more.



Both an MSP and an MSSP offer their services to other businesses, and they both operate in the technology sphere.

An MSSP offers specialized security offerings, whereas an MSP offers a more holistic IT support package.

The average MSSP is busy selling their services to larger enterprises with in-house IT. An MSP can effectively function as an MSSP, especially for small-to-medium-sized and mid-market businesses. They do so by bundling specific MSSP services into their general IT offerings through MSSP channel programs.

This MSP reselling arrangement is a very cost-effective and efficient way of getting best-in-class risk management and security services from one provider. Why? Because with an MSP, the same company also monitors, manages, supports, and secures all of your infrastructure and users. When your MSP manages all of the moving parts through a single pane of glass, they gain visibility into every variable (and hiccup) that affects your quality of service. If something goes wrong, they own it and quickly effect a resolution.

In the next section, we’ll tie everything together with real-world guidelines to help you maximize the complementary nature of both services and minimize potential conflicts.

Risk Management Insights from a vCIO

vCIOs like Nick provide strategic consulting services to their clients. This requires a combination of business, consulting, technical and communication skills.

Nick and his peers need all four to explain how various MSSP offerings work within an MSP service offering. Nick is equally comfortable with diverse audiences: CFOs, CIOs, Software Developers, Network Engineers, Operations Executives, HR, Office Managers, and more.

IT services and security solutions are mutually inclusive and should be designed and implemented according to your organization’s preferred risk and compliance management framework.

Risk Management is not a project. It’s a continuous program that requires generalists and specialists to understand an organization’s exposure and move leadership in the right direction. Any practical risk management program has five steps:

  • Identify the risk
  • Analyze the risk
  • Prioritize the risk
  • Treat the risk
  • Monitor the risk

The risk management piece is the trickiest part of the puzzle. Figure this out, and everything else falls into place.

MSPs with a high level of operating maturity can help create this foundational sheet of music. MSPs with lower levels of operating maturity usually cannot. This circumstance creates three problems:

  • They will have a hard time selecting the right security tools to assimilate into your IT environment
  • They will struggle to support the applications on your behalf
  • They will not be able to make a compelling business case for you to spend the extra money

MSSPs have a vested interest in working with MSPs who understand their services and lower their support overhead as a result.

MSPs are generalists and translators for many different industries, which makes them a powerful ally when managing risk for an organization. Managing risk is much more than a penetration test. A penetration test only provides a single snapshot for one moment in time. Nothing stays the same. IT environments are a moving picture.

The act of assessing and managing risk for an organization requires cooperation from multiple departments and includes:

  • Policies
  • Procedures
  • Plans
  • Rosters
  • Technology
  • Security

You can always purchase MSP and MSSP services separately, but tensions may arise between vendors who don’t have 100% visibility into the nuances of each other’s offerings.

For instance, an MSSP may identify a gap the MSP already mentioned to the client six months earlier but couldn’t get them to approve the remediation project. Understandably, the client forgets this detail and gets upset at the MSP for being negligent.

MSPs often require organizations to have specific security services BEFORE they agree to monitor, manage, support, and secure all of their IT systems and users. This arrangement lowers the risk for both the client and the MSP.

When an MSP makes security recommendations, they’re not only trying to protect you and your clients, but they’re also attempting to protect themselves and all of their clients.

An attack on the reputation of one organization can lead to damage for all, including the reputations of the various MSSPs the MSPs recommend and support.

This detail makes MSPs valuable risk management assessors and demonstrates that they don’t just “fix computers.” Their services may be stereotyped as “plumbing,” but everyone knows plumbers do a lot more than fix toilets. They have expertise with faucets, sewer lines, water heaters, sump pumps, piping, and more.

In many cases, the MSP recommends MSSP tools they employ in their corporate environment, so they have real-world experience dealing with all the bits, bytes, speeds, feeds, and 3 AM alerts. It’s personal.


MSP vs. MSSP: What’s next?

Is your MSP providing the risk management expertise you require?

Are you clear on the business rationale for all of the extra security tools they recommend?

Do you have documentation that everyone on your IT Steering Committee can understand?

Are you currently using an MSP and an MSSP, and suspect you may be overpaying for duplicate services? We welcome a conversation to help you better understand all of these details.

Jed is a Solution Advisor at Integris who has specialized in MSP solution development, sales, and marketing communications since 2003.
