Cloud Sentry
Leadership

MSP, MSSP, or in-house: a COO's decision guide

A scaling SaaS company has three ways to cover IT and security, and the right answer depends less on the labels than on where the work falls between them.

The org chart that does not add up

You run operations at a SaaS company that just crossed 60 people, and the question landed on your desk because it always does. Engineering wants someone to own the AWS account properly. The new enterprise deals come with security questionnaires that take a week each. Two laptops went missing last quarter and nobody could say with certainty whether they were wiped. Your one IT person is doing a heroic job and is also, visibly, one bad month from burning out.

So you start pricing the fix, and the market hands you three boxes. A managed service provider (MSP) will run your help desk, your devices, and your Microsoft 365. A managed security service provider (MSSP) will watch for threats and respond to alerts. Or you hire in-house and build the function yourself. Three boxes, three quotes, and a quiet assumption that you pick one.

The assumption is the problem. The boxes describe how vendors sell, not how the work sits in your company. Before you choose a model, it helps to look at what each one covers, and where the real risk lives in the space between them.

What each model covers

The three options are not three sizes of the same thing. They cover different work, and the labels hide as much as they reveal.

An MSP keeps the lights on. Devices, accounts, the help desk ticket when someone cannot print, the M365 tenant. Good MSPs are operationally excellent at availability and support. Most are not staffed to read a stream of security findings and decide which ones mean you are under attack.

An MSSP watches for and responds to threats. They monitor endpoints, ingest alerts, and escalate when something looks like a compromise. What they typically do not do is run your identity, fix the misconfiguration that caused the alert, or own the day-to-day administration that made the environment safe in the first place.

In-house means you hire the people and own the outcome directly. Full control, full context, and full cost. For a 60-person company, one generalist hire cannot credibly cover identity, cloud, endpoints, and compliance at once, and a team that can is a real payroll line before the revenue is boring enough to justify it.

Each model is good at the work it names. The trouble starts with the work that none of them names out loud.

The seams are where the risk lives

Here is the part the three quotes do not price: the work that falls between the boxes. Security is an operational problem before it is a tooling problem, and the operational failures cluster at the handoffs.

Identity is the clearest example. Microsoft Entra is where your accounts, your single sign-on, and your access policies live. The MSP administers it as part of running M365. The MSSP depends on it to tell a normal login from a compromised one. So who owns Conditional Access, the policy that decides which sign-ins to block? In a split arrangement it is genuinely unclear, and unclear ownership of identity is how an offboarded employee keeps their access for a month.

Walk the other seams and the pattern repeats:

  • A GuardDuty finding fires in AWS. The MSSP forwards it. The MSP says cloud infrastructure is out of scope. The fix waits while two vendors agree it is not their job.
  • An auditor asks who reviews access quarterly. The MSP points at security, the MSSP points at IT, and you realize nobody scheduled it.
  • An incident spans identity, an endpoint, and a cloud workload at once, and the response needs all three vendors awake and coordinated at 2 a.m.

None of these is a tooling gap. Each is an accountability gap, and accountability is exactly what disappears at a seam.

How to decide

The useful question is not "MSP or MSSP or in-house." It is "where does each piece of work live, and who is accountable when it falls through." Run your situation through three filters.

First, where are your seams? List the work that touches both IT and security: identity, Conditional Access, cloud guardrails like AWS Control Tower, offboarding, evidence for audits. If that list is long, and at your size it is, splitting it across two vendors buys you a coordination job you did not budget for.

Second, what is your real exposure? A regulated workload, a SOC 2 commitment in your enterprise contracts, or a deal pipeline gated on security reviews all raise the cost of a dropped handoff. SOC 2 in particular is operational work: the evidence falls out of running the environment properly, not out of a separate compliance project bolted on the side.

Third, what can you staff with confidence? In-house is the right call when you have a specialized risk profile or a deliberate plan to build and grow the function. For the long middle stretch, the choice is between stitching vendors together yourself and putting the overlapping layers under one accountable owner.

So which box were you choosing

Go back to the three quotes on your desk. The instinct was to pick the box that covered the loudest pain, the help desk or the threat monitoring, and assume the rest would sort itself out. The rest is the part that does not sort itself out. The rest is the seams.

A scaling company does not need the cheapest box or the most boxes. It needs IT, security, and compliance run as one connected thing, with partners brought in by name where real depth beats a generalist, so that no failure can hide in the gap between two contracts. That is a different question than the one the market asked you, and a better one to answer.

So before you sign, ask yourself the quiet version of it: when something falls through the seam between IT and security at 2 a.m., whose name is on the answer?
