June 16, 2026

Why MSSPs Are Getting Fired (And Probably Know It)

Greg Reber


There is a movie the managed security services industry keeps watching, and it always ends the same way. Either a breach occurs on the CISO's watch, or nobody in the client's organization could explain to their board, their CFO, or their increasingly volcanic CEO what the security program had actually accomplished. In either case, the CISO gets fired. The board, having absorbed the financial and reputational trauma of that experience, decides the solution is to outsource the whole terrifying business to a Managed Security Services Provider (MSSP), a company staffed by people who genuinely understand firewalls and will handle everything for a monthly fee. The MSSP deploys its tools, stands up its SOC, closes vulnerabilities, writes reports, and staffs a 24/7 monitoring operation that hums along like a very anxious refrigerator. And then, somewhere between 12 and 36 months later, the MSSP gets fired. For the same two reasons the CISO got fired.

The industry is currently losing clients at a rate that should alarm anyone running a P&L. According to MSP industry benchmarks, the average churn rate for underperforming managed service providers runs as high as 15% annually, meaning roughly one in seven clients walks out the door every year. (wifitalents.com MSP Data Reports 2026)

Those two reasons have not changed since the first CISO was ever escorted out of a building. Clorox was hit with a cyberattack in August 2023 that forced it to shut down systems, caused widespread order processing failures, and produced over $49 million in costs by year-end, with another $50 to $60 million projected for the following year. The CISO departed shortly after. MGM Resorts suffered a 2023 ransomware attack that cost the company $110 million. Recent research from Sophos found that one in four security leaders is replaced in the aftermath of a successful ransomware attack, often regardless of whether they were actually at fault. In case after case, the post-mortem finds the same thing: the security team had been busy, often impressively and heroically busy, just not busy with the things that mattered most to the business. Swap "CISO" for "MSSP" in any of those sentences, and the story fits like a glove.

The churn numbers make this embarrassingly concrete. Many MSSPs report that security, the actual product they sell, is the top reason clients switch providers. The pressure to perform is real and measurable. A 2026 WatchGuard survey of nearly 1,000 IT and cybersecurity leaders found that more than half of organizations using a managed security provider expect to change providers within the next three years, with costs rising without added value, security incidents, and slow response times cited as the leading drivers. As WatchGuard's Tracy Hillstrom put it plainly: "Customer loyalty cannot be assumed." (WatchGuard, "From IT Support to Cybersecurity Powerhouse: The New Mandate for MSP Growth," 2026, via MSSP Alert)

What that survey actually means is that clients are not evaluating whether their security posture improved. They are evaluating whether they believe it improved, which requires that someone communicate technical progress to non-technical humans in language that survives contact with a non-technical human. This is a skill many MSSPs approach the way a golden retriever approaches a screen door: with tremendous enthusiasm, zero awareness of the obstacle, and a completely genuine belief that everything is going fine.

The operational dysfunction underneath that communication failure is where the story gets genuinely uncomfortable. The standard MSSP vulnerability management process goes roughly like this: the scanner runs, the scanner produces a list sorted by some algorithm ultimately based on CVSS score because that is what scanners do, the team works the list from the top, the quarterly business review features a slide showing heroic quantities of critical vulnerabilities remediated, everyone nods approvingly, and the client's actual financial loss exposure has barely moved. Industry analysts who study this closely are not gentle about it: teams trying to get to zero on remediation rarely move the needle on the actual attack surface. 

The reason the wrong things get fixed is not incompetence. It is that nobody defined the right things in terms the business could validate. A vulnerability with a critical CVSS score that no attacker has touched in recorded history is not the same problem as a medium-severity vulnerability that adversaries have been using to breach networks since 2015. A CVSS base score measures technical severity in the abstract; it says nothing about whether anyone is actually exploiting the flaw, which is exactly the signal that known-exploited-vulnerability catalogs and exploit-prediction scores exist to supply. The two vulnerabilities occupy entirely different universes of business consequence, and yet the scanner ranks them in the wrong order, the team fixes them in the wrong order, and the client receives a report that is technically accurate and operationally misleading.
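As an added example (not code from the original post, and not Evidence Scan's method), the following Python re-ranks a small, constructed set of scanner findings two ways: first by CVSS base score, as a scanner would, then by an expected-loss figure that combines evidence of in-the-wild exploitation, internet exposure, and an assumed per-asset loss. The finding labels, assets, probabilities and dollar figures are invented placeholders, and the likelihood heuristic is an assumption of the example rather than any published standard.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set


@dataclass(frozen=True)
class Finding:
    """One scanner finding. Every field is a constructed input for the example."""
    id: str                         # placeholder label, deliberately not a CVE identifier
    cvss: float                     # CVSS base score as reported by the scanner
    known_exploited: bool           # e.g. listed in a known-exploited-vulnerabilities catalogue
    exploited_since: Optional[int]  # first year of observed in-the-wild exploitation, if any
    asset: str
    internet_facing: bool
    asset_loss_usd: float           # assumed loss if this asset is compromised (constructed)


# Constructed sample findings: no real CVEs, assets or loss figures.
FINDINGS: List[Finding] = [
    Finding("F1", 9.8, False, None, "build-agent-07", False, 50_000),
    Finding("F2", 6.5, True, 2015, "vpn-gateway", True, 4_000_000),
    Finding("F3", 7.5, False, None, "intranet-wiki", False, 120_000),
    Finding("F4", 8.1, True, 2023, "mail-relay", True, 900_000),
]


def rank_by_cvss(findings: Iterable[Finding]) -> List[Finding]:
    """The default scanner ordering: highest CVSS base score first."""
    return sorted(findings, key=lambda f: f.cvss, reverse=True)


def exploit_likelihood(f: Finding, as_of_year: int = 2026) -> float:
    """Assumed annual probability that this finding gets exploited.

    The constants are illustrative assumptions, not a standard: observed
    exploitation and internet exposure dominate, and the longer a flaw has
    been exploited the more weaponised tooling exists for it (capped at 0.9).
    """
    if f.known_exploited:
        base = 0.5 if f.internet_facing else 0.2
        years_exploited = max(0, as_of_year - (f.exploited_since or as_of_year))
        return min(0.9, base + 0.05 * years_exploited)
    return 0.05 if f.internet_facing else 0.01


def exposure_usd(f: Finding, as_of_year: int = 2026) -> float:
    """Expected loss attributable to one finding: likelihood times assumed asset loss."""
    return exploit_likelihood(f, as_of_year) * f.asset_loss_usd


def rank_by_exposure(findings: Iterable[Finding], as_of_year: int = 2026) -> List[Finding]:
    """Order findings by expected loss, the figure a CFO can actually act on."""
    return sorted(findings, key=lambda f: exposure_usd(f, as_of_year), reverse=True)


def remediation_delta(findings: Iterable[Finding], fixed: Set[str], as_of_year: int = 2026) -> float:
    """Expected loss removed by remediating the findings whose ids are in `fixed`."""
    findings = list(findings)
    before = sum(exposure_usd(f, as_of_year) for f in findings)
    after = sum(exposure_usd(f, as_of_year) for f in findings if f.id not in fixed)
    return before - after


if __name__ == "__main__":
    print("CVSS order:     ", [f.id for f in rank_by_cvss(FINDINGS)])
    print("Exposure order: ", [f.id for f in rank_by_exposure(FINDINGS)])
    print("Fixing F1 (top by CVSS) removes $%.0f of expected loss" % remediation_delta(FINDINGS, {"F1"}))
    print("Fixing F2 (top by exposure) removes $%.0f of expected loss" % remediation_delta(FINDINGS, {"F2"}))
```

On this sample the two orderings are almost exact reverses of each other: the 9.8 finding on an isolated build agent that nobody exploits sits at the top of the scanner's list and at the bottom of the exposure list, while the 6.5 finding on the internet-facing VPN gateway, exploited for over a decade, is the only one whose remediation moves the expected-loss number by anything a CFO would notice. The point is the shape of the comparison, not the specific constants, which any real program would replace with its own exploitation evidence and loss data.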

The solution is to focus only on the verified, documented financial losses that flow from exploitable vulnerabilities in a client's actual environment. Not theoretical severity scores. Not academic risk rankings. Real breach loss data, real ransomware payment histories, real regulatory fine records, and real business interruption losses mapped to the specific vulnerabilities sitting in a specific client's infrastructure right now. When an MSSP prioritizes this way, the quarterly conversation stops being "we closed 847 critical CVEs" and becomes "we reduced your organization's verified financial exposure by $4.2 million this quarter, and here is exactly how." That is a sentence a CFO reads twice. That is a sentence that renews a contract. That is, not coincidentally, the sentence that makes an MSSP very difficult to fire.

The MSSP that survives the next five years will not be the one that closes the most tickets. It will be the one that can walk into a board meeting and explain, in plain language, which risks were real, which ones were addressed, and why the business is measurably safer than it was last quarter. That is not a technical skill. It is a survival skill. And right now, most of the industry is still rearranging the deck chairs.

Evidence Scan is free for enterprise companies to preview.