Instead of just offering my predictions for the managed services market in 2023, I thought I would also include my list of suggestions or recommendations for the industry in order to best capitalize on the opportunities, as well as respond to the existing needs facing MSPs all over the world.
We have experienced a lot of change in the last few years and 2023 promises to bring with it even more. It is, however, the pace and severity of the change in recent years which prompts this analysis and the associated recommendations.
2022 was an overall positive year when it comes to the economy, although not as impressive as it was in 2021. 2022 saw global IT spending increase by almost one percent or $4.4 trillion USD. IT services (which is the category most accurately encompassing the managed services market) grew by over 4%, or $1.2T.
Global inflationary pressures, fears of a likely (or ongoing) recession, and continued supply chain instability, all produce very real concerns for organizations of all sizes. For MSPs, the economic outlook looks much different.
According to Gartner, 2023 looks much better than 2022 did. Global IT spending is project to pass $4.6T (5.1% growth) and global IT services projected to surpass $1.3T (or nearly 8% growth). Separate from the whatever financial headwinds may occur, the professional MSP industry has a lot to look forward to in 2023.
Continued spending around cybersecurity will undoubtedly continue in 2023. Combined with ongoing instability around the supply chain, MSPs have a lot of work to do shoring up customer security defenses, along with their “legacy” duties of maintaining existing IT resources. All of these opportunities relate to “proactive managed services” and not reactive IT services work. More on this later.
Much has already been written about MSP regulation. Since 2020, we have seen a flurry of movement around MSP regulation (both direct and indirect), much of it aimed at offering a public policy response to perceived unchecked cyberattacks and data breaches. In reality, MSPs have long been fighting in the cyber war and have been largely ignored when it comes to their efforts in this area.
Nevertheless, legislators and public policy influencers are acting and will continue to do so into 2023. The hope is that future legislation mimics laws such as that passed by Louisiana in 2020.
A lot has been said and written about security in managed services. Most of the discourse has been around MSPs offering managed security to customers, which I believe has been somewhat misleading. A quick review of the last 30 years in managed services shows that many MSPs have been delivering “managed security” services to customers in a variety of ways.
More recent campaigns trying to get MSPs to become MSSPs has largely been marketing around selling MSPs SOC, SIEM as a service, and other related offerings. I believe these solutions are quite valuable, but not at the cost of insinuating that MSPs have been lax in providing security solutions to their customers. Believe me, if customers 15 years ago were demanding SIEM and SOC solutions, MSPs would have been providing them.
Besides security as a service (which we will get to below), MSPs do need to focus a lot more attention on their internal security. This is not to say that MSPs have been deficient in this area (I know a lot of MSPs who take internal security seriously), but it is a friendly reminder to remain vigilant and always anticipate what the enemy is planning next.
Security as a Service
As mentioned above, I am not a huge believer in this MSP to MSSP conversion, predominantly because I believe MSPs have always been focused on security, if not internally, then certainly in the products and solutions offered to customers (who were willing to buy).
Today, the emphasis on offering managed security solutions has increased to the point where customers not interested in such offerings need to demonstrate that they are getting them from someplace, if not from the MSP. Basically, the reasons for not offering managed security are decreasing at a rapid rate. If you are working with a managed services customers and they do not have security addressed by you, themselves, or someone else, that is a risky customer!
Hopefully, you have very few customers who do not want security. Many customers in 2023 will be more open to purchasing security from their MSP, if they offer it. If you do not offer security, that customer will get it from another MSP who does.
Longtime members and readers of MSPAlliance have no doubt heard about the importance of effective managed services contracts. I say effective, because there are still a lot of MSPs out there using outdated agreements with language that not only does not communicate what is being delivered but also puts the MSP and customer at greater risk.
I have been circulating the idea that break/fix as a business model is dead, or more accurately, ought to be dead. What I mean is there is no valid reason to have a business model 100% focused on reactive IT services. Nobody should be buying such a service and any service provider doing things this way is adding risk, not reducing it.
I know there are some of you yelling at your screen as you read this recounting all the reasons why break/fix services are still important in 2023. Alright, I’ll give you one or two reasons why break/fix is still valid, but those days are winding down and any provider heading into 2023 with significant reliance on reactive IT service revenue is at tremendous risk. Customers are demanding proactive security solutions at greater levels than ever before. The number of MSPs who can offer such services are still not what it should be. So, yes, there is still time to get into the managed services and managed security profession.
Just do not do it thinking you can keep your legacy break/fix work. Trust me, you won’t want it!
Insurance is one of those topics that is both frustrating to MSPs and a source of revenue. No, I’m not suggesting MSPs become insurance agents. I am talking about the duality of MSPs being frustrated with cyber insurance access because insurance companies think MSPs are risky, and simultaneously MSPs being asked by customers to help them complete cyber insurance documentation requests, because MSPs are so trusted. Makes your head spin, doesn’t it?
Expect more confusion in 2023 around insurance including the idea of “self-insurance” or captive insurance products entering the market. We have been hearing some murmurs of this recently and believe if the insurance industry does not figure out an acceptable and realistic solution to cyber insurance, the MSP market will act.
Sourcing reliable human talent for MSPs has been an ongoing problem even before 2022. Unfortunately, things may not improve dramatically in 2023, but there are some very solid methods for developing your own talent pools.
The need for cybersecurity talent reached a fever pitch in 2021 and 2022, just in time for massive inflation, threats of recession, and mass layoffs in the technology sector. Bad timing, I guess.
Still, MSPs face continued headwinds when it comes to finding reliable sources of human talent. The technology schools focusing on cyber talent have largely failed. Many MSPs report underwhelming experience with such candidates, most of whom lack real world experience, have unrealistic salary expectations, and have zero knowledge of what it means to work for a managed service provider organization (i.e., most of these cyber graduates believe their future in being a SOC analyst for a Fortune 500 firm. Good luck.
Don’t worry. There is still hope for MSPs willing to invest a little time and ingenuity. Developing accurate job descriptions, excellent internal documentation around staff training, and being willing to invest time into candidates with raw talent, all appear to be the key areas where MSPs report success. What I mean is the MSPs doing these things don’t have hundreds of resumes flooding their inbox. Instead, these MSPs know what raw skillsets they require and are willing to train candidates the rest of the way to achieve the ideal person for the job.
Sorry, there is no magic bullet for this one. MSPs are just too unique of a profession to mass produce candidates from any existing educational facility. MSPs who have “figured out” the staffing issue tend to know what types of people do the best within their MSP organization and have created tools to enable raw candidates into fully formed, functional, managed services technical team members.
More good news for 2023. We can expect to see more work around AI, machine learning, and automation, which makes existing human talent go even further. It is not a replacement for human talent scarcity, only augmentation.
My Hopes and Recommendations for 2023
Things are going to get real in 2023. I know I’ve been saying this for a long time, but I really believe that to be the case for 2023. The good news is MSPs still face very strong demand for managed services and security, and if you are prepared to invest in your MSP practice, you can still be very successful.
If you are waiting on the sidelines, still trying to figure out whether managed services might be for you, I would give you the following advice: commit to managed services in 2023 or get out of the industry. There is no waiting on the sidelines anymore.
What I mean by this is splitting your resources by having part of your revenue come from managed services (proactive) and part from break/fix (reactive) is no longer a viable business model. I’ll go a step further and say that anything resembling break/fix or reactive IT services is going to be pushed out of the mainstream market, if not by the regulators, public policy makers, cyber insurance industry, or customers themselves, then certainly by other MSPs who are tired of explaining the distinction between their managed services and the MSP down the street who is just a break/fix shop.
The future of our profession is still very strong, despite the increasing number of logistical and other hurdles.