Understanding Security Roles: Consultant, MSP, and Auditor

When it comes to cybersecurity, compliance, and IT operations, multiple professionals may be involved — each with very different responsibilities.

Confusion often arises when roles overlap or expectations aren’t clearly defined. This document explains the three primary roles you may encounter:

  • Security Consultant

  • Managed Service Provider (MSP)

  • Auditor / Assessor

A helpful way to understand these roles is through a construction analogy.

The Big Picture (The Analogy)

Security Consultant — The Architect

  • Role: Security Consultant

  • Analogy: Architect

  • Primary focus: Design and guidance

They define what should be built and why, creating the security and compliance blueprint.

MSP — The General Contractor

  • Role: Managed Service Provider (MSP)

  • Analogy: General Contractor

  • Primary focus: Build, operate, and maintain

They implement the design, operate the systems day-to-day, and keep everything running.

Auditor / Assessor — The Inspector

  • Role: Auditor / Assessor

  • Analogy: Inspector

  • Primary focus: Verify and validate

They independently confirm that requirements are met and controls are working as intended.

Each role is essential — but they are not interchangeable.

Security Consultant (The Architect)

What they do

A security consultant is responsible for:

  • Assessing risk

  • Designing security programs

  • Recommending controls and policies

  • Interpreting compliance frameworks

  • Creating roadmaps and gap analyses

They define what should be built and why.

What they don’t do

Security consultants typically do not:

  • Operate systems daily

  • Manage endpoints or servers

  • Respond to routine support issues

  • Own implementation outcomes

Why they matter

Like an architect:

  • They design the blueprint

  • They consider regulations, risk, and long-term strategy

  • They ensure the plan makes sense before work begins

A well-designed plan prevents costly mistakes later.

Managed Service Provider (The General Contractor)

What they do

An MSP is responsible for:

  • Implementing approved controls

  • Operating and maintaining systems

  • Monitoring and responding to issues

  • Enforcing policies technically

  • Supporting users and devices

They build and maintain the environment based on the approved design.

What they don’t do

MSPs do not:

  • Define business risk tolerance

  • Decide compliance scope

  • Approve policy exceptions

  • Act as an independent assessor

Why they matter

Like a general contractor:

  • They follow the plans

  • They coordinate tools, people, and processes

  • They keep systems running day-to-day

  • They fix issues as they arise

Without an MSP, even the best design fails in practice.

Auditor / Assessor (The Inspector)

What they do

Auditors or assessors:

  • Evaluate evidence

  • Verify controls are in place

  • Test effectiveness

  • Validate compliance against standards

  • Issue findings or certifications

They confirm what was built matches the requirements.

What they don’t do

Auditors do not:

  • Design systems

  • Implement controls

  • Operate IT environments

  • Fix issues for you

Why they matter

Like an inspector:

  • They are independent

  • They do not care who built it

  • They only care whether it meets the standard

Their independence is what gives assessments credibility.

Why these roles must stay separate

Combining these roles creates conflicts of interest.

For example:

  • A builder cannot inspect their own work

  • A designer should not certify their own design

  • An operator cannot independently audit themselves

Separation ensures:

  • Objectivity

  • Accountability

  • Credible compliance outcomes

This separation is required or implied in frameworks like CMMC, NIST, HIPAA, PCI-DSS, and SOC standards.

How these roles work together

A healthy engagement looks like this:

  1. Security Consultant designs the strategy

  2. Client leadership approves risk decisions

  3. MSP implements and operates the controls

  4. Auditor / Assessor verifies compliance

Each role supports the others — without replacing them.

Common misunderstandings

“Our MSP handles compliance.”
MSPs support compliance technically, but cannot own or certify it.

“The auditor will tell us how to fix it.”
Auditors identify gaps — they do not design solutions.

“The consultant will run our systems.”
Consultants advise; they do not operate environments.

Al Davis