Why Your MSP's 'Managed Security' Isn't Enough

Your MSP says they "handle security." They probably do, in a specific and limited sense. They manage your firewall rules, push patches, maintain your antivirus, and manage user accounts, and when something breaks they fix it.
That's infrastructure management, and it covers the Protect function of NIST CSF 2.0, which is one of six. The other five (Govern, Identify, Detect, Respond, Recover) are probably not included in what your MSP delivers, regardless of what the marketing says.
This isn't a criticism of MSPs; they do what they're set up to do. But "managed security" and "managed IT" are not the same thing, and most MSPs deliver the latter while describing it as the former.
What "managed security" usually means
When I assess businesses for CE or CE Plus, I ask about their security arrangements. The most common answer is some variation of "our IT company handles all that."
So I ask what specifically they handle. The answers cluster around the same set of services:
- Firewall management (rules, firmware updates, VPN configuration)
- Patch management (Windows updates, sometimes third-party applications)
- Antivirus management (deployment, monitoring the dashboard)
- User account management (joiners, movers, leavers)
- Backup management (configuration, monitoring backup jobs)
- Email filtering (spam and malware filtering)
These are important services. They align well with CE's five controls, which is why businesses with a competent MSP often pass CE without much additional work.
But look at what's missing from that list.
What's usually not included
Detection
Does your MSP monitor your endpoints for suspicious behaviour? I don't mean antivirus alerts (those are signature-based and reactive), but behaviour-based monitoring that catches the threats antivirus misses, like an attacker using legitimate tools to move laterally through your network.
Most MSPs deploy antivirus and check the dashboard. If the antivirus catches something, they respond, but if it doesn't then nobody knows. The gap between "no antivirus alert" and "nothing is wrong" is where attackers operate.
EDR (endpoint detection and response) fills this gap by monitoring behaviour, not just signatures. Some MSPs offer it as an add-on. Most don't include it in their standard package. If yours does, check whether they're monitoring the alerts or just deploying the software.
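To make the "no antivirus alert" gap concrete, here is an added example (not code from the original article) that runs two kinds of check over a handful of constructed endpoint process events: a signature check against a known-bad hash list, and two simple behavioural rules (admin tooling launched from an office application, and one account driving remote execution across several hosts). Hostnames, users and hashes are all made up.

```python
"""Signature-based vs behaviour-based detection over constructed endpoint events."""
from collections import defaultdict

# Constructed sample telemetry; hosts, users and hashes are hypothetical.
# Every binary here is a legitimate, correctly-hashed tool, so no signature matches.
EVENTS = [
    {"host": "ws-01", "user": "alice", "image": "winword.exe", "parent": "explorer.exe", "sha256": "h-word"},
    {"host": "ws-01", "user": "alice", "image": "powershell.exe", "parent": "winword.exe", "sha256": "h-ps"},
    {"host": "ws-01", "user": "alice", "image": "powershell.exe", "parent": "powershell.exe", "sha256": "h-ps", "remote_host": "srv-01"},
    {"host": "ws-01", "user": "alice", "image": "powershell.exe", "parent": "powershell.exe", "sha256": "h-ps", "remote_host": "srv-02"},
    {"host": "ws-01", "user": "alice", "image": "powershell.exe", "parent": "powershell.exe", "sha256": "h-ps", "remote_host": "srv-03"},
    # Benign admin use: PowerShell from the desktop shell, no remote targets.
    {"host": "ws-02", "user": "bob", "image": "powershell.exe", "parent": "explorer.exe", "sha256": "h-ps"},
]

KNOWN_BAD_HASHES = {"bad-0001"}           # constructed signature list
ADMIN_TOOLS = {"powershell.exe", "cmd.exe", "wmic.exe", "psexec.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}


def signature_alerts(events):
    """What antivirus-style detection sees: only events whose binary hash is already known bad."""
    return [e for e in events if e["sha256"] in KNOWN_BAD_HASHES]


def behaviour_alerts(events, fanout_threshold=3):
    """What EDR-style detection sees: suspicious relationships between otherwise legitimate events."""
    alerts = []
    # Rule 1: an office application spawning administrative tooling.
    for e in events:
        if e["image"] in ADMIN_TOOLS and e["parent"] in OFFICE_APPS:
            alerts.append(("office_spawns_admin_tool", e["host"], e["user"]))
    # Rule 2: one account reaching many distinct hosts via admin tooling (lateral movement pattern).
    targets = defaultdict(set)
    for e in events:
        if e["image"] in ADMIN_TOOLS and e.get("remote_host"):
            targets[e["user"]].add(e["remote_host"])
    for user, hosts in targets.items():
        if len(hosts) >= fanout_threshold:
            alerts.append(("remote_exec_fanout", user, len(hosts)))
    return alerts


if __name__ == "__main__":
    print("signature alerts:", signature_alerts(EVENTS))   # [] : nothing known-bad was run
    print("behaviour alerts:", behaviour_alerts(EVENTS))   # two findings the dashboard never shows
```

The same events produce zero signature alerts and two behavioural findings, which is exactly the gap between "no antivirus alert" and "nothing is wrong".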
Vulnerability scanning
Does your MSP run regular vulnerability scans against your systems? I don't mean the external scan during CE Plus, but a recurring scan that identifies new vulnerabilities as they're published and checks whether your systems are affected.
Most MSPs patch reactively: when Microsoft publishes an update, they deploy it. They don't proactively scan for vulnerabilities in third-party software, firmware, or configurations that don't have an automatic update mechanism.
Vulnerability scanning sits in the Identify function, and it tells you what you don't know about your own environment. Without it, you're protecting against threats you're aware of and ignoring the ones you're not.
Incident response planning
If your email server gets encrypted by ransomware at 2am on a Saturday, who do you call, and what's the MSP's response time? Do they have an incident response plan, or will they be figuring it out alongside you?
Most MSP service level agreements cover infrastructure uptime and ticket response times. They don't include incident response plans, regulatory reporting support (ICO within 72 hours), or breach communication guidance. If the ransomware hits, your MSP may be able to restore from backup (if the backups aren't also encrypted), but everything else is on you.
Governance
Does your MSP help you manage security risk strategically, produce quarterly risk reports, or help you understand your regulatory obligations?
For most businesses, the answer is no because MSPs manage systems, while governance means managing risk, policy, and compliance. These are different disciplines, and most MSPs don't have the expertise or the mandate to deliver them.
If you're in a regulated sector (legal, finance, healthcare), governance isn't optional. Your regulator expects you to demonstrate security management, not just security technology. Your MSP's monthly report on uptime and ticket volumes doesn't satisfy what the SRA, FCA, or DSPT requires.
Recovery testing
Your MSP probably manages your backups and may even restore files when someone accidentally deletes something. But have they tested a full disaster recovery scenario? If every server was encrypted, how long would it take to restore operations? What's the order of recovery, and which systems come back first?
Most backup management focuses on "is the backup running?" not "can we actually recover from a catastrophic failure?" The British Library's recovery from ransomware took months and consumed 40% of their financial reserves. The gap wasn't that backups didn't exist. It was that recovery procedures hadn't been tested against that type of failure.
The MSP vs MSSP distinction
An MSP manages your IT infrastructure while an MSSP manages your security programme, and the labels matter because they set expectations.
| Service | Typical MSP | MSSP |
|---|---|---|
| Firewall management | Yes | Sometimes (may rely on your MSP) |
| Patch management | Yes | Sometimes |
| Antivirus | Yes | Yes, usually EDR |
| User management | Yes | No (that's IT operations) |
| EDR monitoring | Rarely | Yes |
| Vulnerability scanning | Rarely | Yes |
| Incident response | Basic (restore from backup) | Plan, templates, coordination, regulatory reporting |
| Governance | No | Risk assessment, policy, compliance |
| Recovery testing | No | Yes |
Many MSPs describe their services using security language because it's what their clients expect to hear. "We manage your security" sounds better than "we manage your infrastructure." Both can be true. One is more complete than the other.
Questions to ask your MSP
These aren't trick questions; they're clarifications worth asking.
- Do you provide EDR or just antivirus? If they deploy antivirus and check the dashboard, that's antivirus management. If they deploy EDR and actively monitor the behavioural alerts, that's detection.
- Do you run vulnerability scans, and how often? If the answer is "during CE Plus" or "when we set up new systems," they don't do continuous vulnerability scanning.
- What happens if we have a ransomware incident at 2am? If the answer involves ticket response times, that's infrastructure support. If the answer involves an incident response plan with named contacts, containment procedures, and regulatory reporting support, that's incident response.
- Do you test our backup recovery, not just whether backups run? Can they demonstrate a successful full restore, and how long would it take?
- Do you help with compliance reporting? If you need to demonstrate security posture to the SRA, FCA, or a client's procurement team, can your MSP produce the evidence?
What this means for your business
If your MSP delivers infrastructure management well, keep them, because that's genuinely valuable. The Protect function that CE covers is important, and having someone competent manage it saves time and reduces risk.
But recognise what they don't cover in practice. Detection, response, governance, identification, and recovery are separate capabilities. Your MSP may offer some of these as add-ons. Or you may need a complementary service that covers the functions your MSP doesn't.
If you want to see how those five additional functions map to a structured programme, read how Cyber 365 works. If you want to check where your current controls stand on the Protect function, the readiness quiz takes five minutes with no commitment required.