If you’ve been working in IT for several years, you might be at the point where you’re ready to work for yourself and become a managed service provider. And if so, you’ve got great timing — the CAGR for the global managed services market is expected to hit 8.10% between now and 2032.
As an MSP or MSSP, you can choose who you want to work with and define the scope of your services. But it’s not an easy leap to make, so you’ll need to spend time evaluating how to set up and structure your business.
In this post, we’ll look at MSP vs. MSSP business models, essential requirements for service delivery, and practical considerations in the startup phase.
Business planning for MSPs and MSSPs
Regardless of whether you want to be an MSP or MSSP, you won’t be immediately profitable. It takes time to build a client base and recover from startup costs, and your business plan should account for actual and projected costs.
Here are some factors to consider before launching your business:
- Business acumen — Do you have management, marketing, and sales skills? Are you comfortable establishing and working within budgets? All of these skills are essential for business success, so if you don’t have them, you may need to outsource some of these functions or hire people to fill them.
- Technical expertise — Are you adept at identifying and managing cybersecurity threats? If not, an MSP might be a better business model for you.
- Growth mindset — Are you planning to hire technicians or maintain a solo entrepreneurship? Running an MSSP would be difficult (if not impossible) without employees. While it’s possible to run an MSP without hiring technicians, that’s a recipe for burnout — doing all the operational work and managing client services is just too much.
Look for resources that can help you in the startup phase. For example, you could join the ASCII to get access to business resources and mentorship, and read guides for aspiring MSPs.
MSP vs MSSP technology needs
A big portion of your budget in the startup phase will go towards essential technology. Decide which tools you need, then incorporate technology costs into your business plan.
MSP technology
Here’s an overview of what your MSP tech stack might look like:
RMM software
Endpoint protection and monitoring are easier to manage when you have remote monitoring and management tools. With RMM software, you can orchestrate deployments, automate patching, and see the status of every endpoint in real time.
Examples: Syncro, SuperOps, NinjaOne.
Remote access
With a remote access tool, you can provide immediate, hands-on support via a secure connection to a client’s endpoint. This technology lets you troubleshoot critical errors, access local files, and log every session.
Examples: Splashtop, Windows App for Mac, TeamViewer.
PSA tools
Professional services automation tools help you manage administrative tasks like ticketing, billing, project management, and reporting. Some PSA software includes AI-powered ticket management that analyzes and prioritizes tickets and suggests “next steps” for technicians.
Examples: Syncro, FreePBX.
Backup and disaster recovery (BDR) tools
BDR tools automate backups to local and/or cloud storage for quick recovery in case of data loss or disasters.
Examples: Acronis Cyber Protect, Veeam.
Antivirus and anti-malware solutions
These tools shield endpoints and email accounts from viruses and malware.
Examples: Emsisoft Anti-Malware, Malwarebytes.
MSSP technology
Whereas MSP technology focuses on improving general service delivery and preventing software and systems from crashing, MSSP tech is designed to prevent and counteract cyberattacks. These are some of the tools MSSPs use to immobilize malicious actors:
Security information and event management (SIEM) systems
SIEM systems collect and analyze security logs from various sources to detect and respond to security threats.
Examples: Microsoft Sentinel, McAfee Enterprise Security Manager, Graylog.
Endpoint detection and response (EDR) solutions
These tools monitor endpoints for suspicious activity. Many EDR providers offer managed detection and response (MDR) for their software clients.
Example: Bitdefender.
Hybrid intrusion prevention systems (IPS) and intrusion detection systems (IDS)
These tools combine IPS and IDS features in a single platform to enhance security.
Examples: McAfee Network Security Platform, Trend Micro TippingPoint.
Security orchestration, automation, and response (SOAR) platforms
SOAR systems automate responses to low-level threats, integrate security tools in a central dashboard, and catalog threat data.
Examples: Fortinet FortiSOAR, ServiceNow Security Operations.
Network operations center vs security operations center
Your work environment will impact your startup costs and ongoing overhead costs. MSPs can work remotely and/or at a network operations center (NOC), while MSSPs work in a security operations center (SOC). These two setups have different costs and operational requirements.
Think about how much space you’ll need, whether to lease or buy a space, and the equipment you’ll need for your NOC or SOC.
Here’s an overview of the differences between a NOC and a SOC:

| Feature | Network Operations Center | Security Operations Center |
|---|---|---|
| Layout and Design | Open floor plan with large viewing screens for network performance dashboards. | Secure environment with individual workstations, a large monitor wall, and dim lighting. |
| Workstation Setup and Staffing | Individual workstations, usually with two or more monitors. Flexible staff hours. | Secure workstations with multiple monitors. 24/7 in-person monitoring. |
| Display Information | Real-time network performance metrics (bandwidth, uptime, latency, etc.). | Threat intelligence feeds, active incident dashboards, and security alerts. |
| Servers | One or more; on-site and cloud-based. | Multiple on-site servers in a secure server room, and cloud-based servers. |
| Common Access Controls | Standard business security measures. | NFC fobs, keypad codes, and biometric scanners. |
MSP vs MSSP staffing needs
MSSPs employ teams with specialized expertise. A security operations center team includes roles such as:
- Security analysts
- Forensic investigators
- Compliance specialists
- Penetration testers
People with training in advanced cybersecurity tactics and compliance management tend to expect higher salaries, which is one reason starting a managed security service firm can be costly.
An MSP can function with a smaller team than an MSSP requires, and a cost-effective option for new MSPs is hiring contractors to provide help desk support. As you grow, you can bring in new employees to flesh out your team, such as:
- Tier 1 and 2 technicians
- Network administrators
- Operations managers
- Project managers
MSP vs MSSP cybersecurity posture
A security service provider may have several employees with cybersecurity certifications, such as:
- CISM (Certified Information Security Manager):
The CISM certification, offered by ISACA (Information Systems Audit and Control Association), is validation of a person’s expertise in data security, responding to security incidents, and designing and managing security solutions. To be eligible for this certification, applicants need 5+ years of recent work in at least three IT security services job specializations.
- CISA (Certified Information Systems Auditor):
Also provided by ISACA, the CISA certification is validation of skills in auditing, compliance monitoring, and risk assessments. Whereas the CISM certification is designed for security services leadership, CISA is for IT professionals who want to grow their skills in security monitoring.
- SANS (SysAdmin, Audit, Network, and Security Institute):
SANS is an organization that offers a range of elite cybersecurity training and certifications, including the Global Information Assurance Certification (GIAC) program, which has several focus areas:
  - GSEC — GIAC Security Essentials Certification
  - GCIA — GIAC Certified Intrusion Analyst
  - GPEN — GIAC Penetration Tester
- CISSP (Certified Information Systems Security Professional):
Administered by ISC2, the CISSP is an advanced-level certification that demonstrates knowledge and skills in designing, implementing, and managing a cybersecurity program. It covers a wide array of security topics, making it one of the most prestigious certifications for security professionals involved in managing and overseeing IT security in an organization.
In addition to individual security certifications, an MSSP usually has a managed security service provider credential, such as SOC 2 or ISO27001 certification. Here’s a comparison of what these certifications mean:

| Aspect | SOC 2 | ISO27001 |
|---|---|---|
| Purpose | Evaluates service providers’ controls for data protection and privacy. | Provides a framework for an organization’s information security management system (ISMS). |
| Origin | Developed by the American Institute of CPAs (AICPA). | Published by the International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC). |
| Scope | Focuses on five trust service criteria: security, availability, processing integrity, confidentiality, and privacy. | Covers comprehensive information security management for the entire organization across various domains. |
| Assessment Method | Independent auditor evaluates controls based on trust service criteria and includes results in a report. | Certification involves external auditing of an ISMS, requiring documentation of security practices and continuous improvement efforts. |
| Output | Produces a detailed report intended for management and client review but not publicly accessible. | Provides a formal certification that can be publicly showcased as evidence of adherence to international security standards. |
| Duration | Audit typically conducted annually to maintain report validity. | Certification is usually valid for three years, with annual surveillance audits and a full re-certification process after expiration. |
| Applicability | Especially relevant for cloud service providers and organizations handling customer data. | Applicable across various sectors and organizations seeking a formalized approach to managing information security risk through an ISMS. |
| Flexibility | More flexible, as controls can be tailored to the specific service and client requirements; lacks rigid standards. | More structured, requiring adherence to a specific set of requirements and processes to maintain certification. |
| Recognition | Primarily recognized in North America with growing acceptance worldwide. | Recognized globally; offers broad credibility and assurance across international markets. |
| Cost | $15,000+, depending on complexity of systems and business size. | $20,000+. |
You don’t have to be a managed security services provider to earn your SOC 2 certification — you just need to demonstrate your standards for security requirements, how you protect customer data from cyber threats, and successfully complete a third-party audit of your business operations.
MSP vs MSSP: Does that extra ‘S’ really matter?
Pro-tip: You can provide cybersecurity services without becoming an MSSP.
Entrepreneurs in the IT field have found great success in rolling out a hybrid approach to business operations. You can, for example, start an MSP and partner with third-party providers to manage client data backup and security. You can also capitalize on software integrations that include security monitoring features, improve data protection, and provide continuous monitoring for client IT environments.
With Syncro, MSPs can manage RMM and PSA, automate remediations, and lean into Acronis Cyber Suite for client security needs. Explore Syncro now, with your 7-day free trial.