Weaver Outrage Meter: Low

What is continuous compliance? Sounds like a headache? It isn’t. Continuous compliance is where the managed services profession is headed, and MSPs had better start preparing now.

  • Continuous compliance defined
  • Why continuous compliance is the future
  • Guidance for transitioning from standard to continuous

Recent news stories would have you believe that the bank failures are really caused by underlying fractures within the tech sector. Let’s examine an alternative theory for what is really happening.

  • Big tech layoffs
  • Bank failure root causes
  • Health of MSP market

We are seeing more “providers” intentionally (or not) being vague about the types of services they are offering. Here’s why this is a bad idea.

  • Problems with mislabeling your services
  • MSPs who aren’t, and cyber providers who claim MSP status
  • You can’t run from what you do


Full Transcript:


You’re entering the MSP Zone, a podcast for the managed services community covering news, analysis, and interviews from around the globe. Elevate your MSP game by staying in the MSP Zone. And now your host, Charles Weaver.


All right, folks. Some of this material, you may be noticing, is recirculating. And I’m trying not to be redundant, because this is not redundant material, but it’s material and themes that are not necessarily new, but they’re combining and interchanging with current events in ways that make them or their impact new and worth a fresh perspective and fresh discussion, quite frankly. Because the last thing I want to do is just talk about old stuff here. But there’s a lot of stuff that is very rapid in the way it evolves, and some of it involves old themes. And so if we can take an old theme, or what seems like an old theme, and say, well, this is not really old, it’s being applied in a new way, that’s kind of what I want to do with some of these thematic topics.


And I’m going to start off with continuous compliance today because it’s such a critical component. What’s the best way to look at this? The best way to describe continuous compliance is that it’s what MSPs should be doing. It’s what some MSPs have been doing for quite a long time, like decades, and it’s what every MSP ought to be doing. But there are still a lot of MSPs who don’t, I think, look at continuous compliance as something that’s relevant for them or even practical for them. And the practicality is one thing that I do want to address today.

But continuous compliance means a lot of things to a lot of different people. And I’m going to try to break it down, make it simple, make it easy to understand. And here it goes.


Compliance in general is a really tricky word because, again, it can mean so much to so many people. And for three decades at least, compliance has been a cornerstone of a lot of MSP practices out there who use compliance as an indicator or a characteristic of the type of managed services that they deliver. What does that mean, you may be asking? I’ll give you a good example, right? The late 1990s, early 2000s would be a great example of some security MSPs. Yeah, there were security MSPs way back even then. There were some MSPs that were really focused on, let’s say, the firewall stack, right? The firewall was the primary object that was being managed for customers, and particularly customers that were in specifically kind of more compliance-sensitive areas, banking and financial services being the top-of-mind areas that I recall. But nevertheless, compliance was very important.


Now, does compliance today mean the same thing it meant back then? Absolutely not. Completely different. But those early MSPs were still dealing with compliance-sensitive customers in their own way. And I’ll admit that that way has changed, right? It’s not really relevant anymore, but it was being done, it was being performed. And just the way some of you may be saying, well, we’re at the cutting edge of cybersecurity and compliance, that’s good, but don’t think that it’s new, right? This has been around for a while. Your version, your flavor of it is probably new, and that’s good. But these are recurring themes, like I said at the beginning, and they’ve been around for a while and they just evolve. They change, they mutate, they progress, however you want to call it. But that’s what we’re dealing with and that’s where we’re at with compliance.


And if the early-stage MSPs were dealing with compliance mainly through the lens of “how do I help my customer become compliant?”, in the years between then and now the MSPs have started to learn. A lot of them, not all, but a lot of MSPs have started to learn that that compliance question also applies to me, right? And those MSPs out there who have to get an MSP Verify or a SOC 2 to satisfy banking customers or insurance companies or whatever customer may request that as a precondition of doing business with them. You know what I’m talking about, right? That’s compliance for you, the MSP, which is equally as important. But now we have this new flavor for some people.


Last week we talked about compliance as a service and we’re going to be talking a lot. As I said last week, and I continue to say it, compliance as a service is going to be a very big topic that you’re going to hear a lot about from us this year and moving forward. But continuous compliance is slightly different. And what does continuous compliance mean? Continuous compliance means no longer looking at your compliance journey. And compliance as a service is an MSP delivering it downstream – that’s separate. We’re having a webinar on that in upcoming weeks. We’re doing a whole roadshow about that and other topics that everybody can sign up for.


But compliance as a service is the implementation of continuous compliance. Continuous compliance is no longer looking at your compliance as a once-a-year event, like doing your taxes, right? In the US, we’re coming up on tax season. Tax season is a once-a-year event. You go to your accountant, you gather all the information and all the documents that you’ve accrued over the last year, and you give that to the accountant or tax preparer and they help you prepare your taxes. Continuous compliance is flipping that model on its head. The once a year, the annual compliance trip to the doctor, so to speak, is what MSPAlliance has been certifying and auditing MSPs with for 20 years, almost 20 years. And it’s historically been a once-a-year type of thing. You come to us and it’s, hey, it’s time to renew my MSP Verify, it’s time to renew my SOC 2, it’s time to refresh that. Okay. That’s never going to stop, by the way: the production of what I call the evidence. The report is the evidence of your compliance work and effort.


Continuous compliance says instead of that annual compliance exercise, you start to look at compliance as a daily thing, something you do organizationally every day, almost like breathing. You don’t think about it. It becomes natural, it becomes part of your movement. Everything that you do as a service delivery machine, which is what MSPs are, everything you do in a continuous compliance lens is integrated with compliance. Your managed services, your internal and external as-a-service functions, are being performed not just with the singular view of “I’m delivering this as a service so I can get paid.” But you’re looking at that thing, whatever that thing may be, and saying, how does that thing evidence and demonstrate my compliance with any of the given compliance frameworks that I may be impacted with? And that’s the bare-bones definition. That’s my definition of compliance on a continuous basis.


And you may be saying, okay, why is that important, Charles? Here’s why it’s important. Continuous compliance is important because we no longer look at the world as a reactive creature, right? Look at the reactive, break-fix business model that we, the MSP community, have been trying steadily to move away from, to evolve from, right? It wasn’t like this was always a bad thing from the beginning. It’s just something that you have to evolve away from and into proactive managed services. That’s the evolutionary path that we’re headed towards. And in order to do that, you can’t also be break-fix. That’s the progression that all MSPs are on, hopefully. Continuous compliance is the evidence of that MSP maturity model. You cannot progress down the path towards managed services maturity and not begin to incorporate continuous compliance into your practice.


Now, for the time being, again, I’m not talking about compliance as a service. That’s a separate thing. I’m simply talking about what you as an MSP do every day and your ability to say to yourself and to others, I’m safe, I’m secure, I’m prepared. But I’m safe, secure, and prepared not because I got a checkup twelve months ago or eleven and a half months ago. See my report, it’s eleven and a half months old. No, continuous compliance gives you the confidence to say, I’m all those things because I live and breathe security and evidence that, and can demonstrate compliance at any given time. Because I’m always practicing it, I’m always living in it. It’s not a once-a-year exercise for me, it’s an everyday exercise for me. That is the real critical difference between compliance on a continuous basis and the once-a-year or cyclical compliance. And it’s going to be really critical in the very, very near future, because you have more and more industries that are relying on this.


What are some of those industries, you may be asking? I’ll give you a really good one. Insurance. The insurance industry, based on conversations we are having right now, is really interested in getting MSP Verify data on an ongoing basis. Not just having that one report, but having ongoing access to that data to say, look, I want to know that the MSP is always in compliance, because that’s going to really impact their premiums, and it’s going to impact our risk assessment of that MSP for purposes of issuing a cyber policy, for example. They’re not the only ones. There are many other examples, but that’s a really good practical example that has a financial impact on the MSP, and continuous compliance is the future for that industry and for solving that particular problem and many others.


And so if you’re saying, okay, I get it, how do I do it? How do I switch from cyclical to continuous compliance? Well, again, going back to the tax example, don’t look at compliance as an annual type of thing. It needs to be much more frequent. If it’s too much to consider it on a daily basis, then think of it at least on a weekly or monthly basis that you’re looking at things from a compliance lens and viewpoint and saying, all right, looking back at the last month.

Let’s say at the end of March you head into April, and then you look back at the month of March and you say, what did we do? Did we back up all of our internal data? Check, yeah. Well, can we prove it? Yeah, we got backup tickets. That evidences that, okay, check that, move on. Did we go through a list of our external service providers, all our vendors, to make sure? Because we know we’re going to be asked about that at some point. Do we have all of that? Did anything change? Yeah, we onboarded a brand new vendor. Let’s add that to the mix, right? That’s one less thing you have to do when it comes time to renew your MSP Verify. One less thing. You might be saying, hey, let’s run a scan of all the internal users. We had some changeover. Did we actually offboard all those people appropriately? Did we appropriately remove their credentials for login, remote, and logical access? We did. Great. Can we evidence it? Perfect. It’s one less thing you have to do later on.


And these are the things that, again, you should be doing anyway, right? If you’re an MSP, you should be backing up your data. If you have a user in your organization that leaves, you should offboard them. You should be able to evidence the offboarding process and you should be able to prove that you did it according to a standardized way, a process. So nothing I’m talking about, whether you have MSP Verify or not, nothing I’m talking about should be new to you. Even if you don’t have MSP Verify, all these things you should be doing, and if you’re not doing them, you should start doing them today. You have no excuses to not do this stuff. It’s expected of you as an MSP. What I’m simply saying is, as you’re going about your daily, weekly, monthly, quarterly way of delivering and operating a managed services business, company, or division, that you’re also paying attention to these compliance questions and starting to log and track and document all these maneuvers. And it does not have to be anything that adds a considerable amount of time. In fact, the less time doing this, the better. That’s why we built Cyber Verify. But the point is, even if you don’t use Cyber Verify, you could use a pencil and a piece of paper. I don’t recommend it.


You could use a spreadsheet and probably do all this yourself. But do it, you have no excuse not to do it. And by doing it a little bit every day, a little bit every week, you will chip away at things that you will ultimately be asked for, things that you ought to expect to be asked for and should be able to demonstrate. And continuous compliance is the path towards doing it.


And here’s one final real big benefit, folks. A really big takeaway for continuous compliance is that it will help you catch things, faults, gaps, control gaps, process gaps, security gaps, much sooner than you normally would have when you’re looking back, especially in an annual way, right? It’s good. When our team comes in and you’re doing MSP Verify and you’re looking at those things, we look a year back and we say, okay, did you do everything you should have been doing? But you yourself need to start looking at it yourself and say, are we catching things? And can we correct now rather than wait until someone else tells us what to do? Really big stuff.

We’re going to be talking more about continuous compliance, but that’s my guidance. Start working that into your process today. You will thank yourself for it, guaranteed.


Now, moving on, is the tech industry ruining the economy? I tell you, I’m seeing more and more stories, right? Silicon Valley Bank, we did the last episode, I think one or two episodes ago, on Silicon Valley Bank. We did kind of our analysis and opinion on that, but we’re hearing more and more about new banks. I think it was Facebook and Amazon. I think it was Amazon. Someone laid off around 28,000 people from their, I think it was Amazon, from their AWS division. And sure enough, not that long after, what happens? You got a bunch of mostly financial people saying, oh my gosh, the tech industry is ruining the economy. The tech industry is driving down the economy.


Well, okay, they’re probably talking about the stock market, and that’s a separate issue. And I’m not going to dispute that necessarily. But I want to put all this stuff in perspective for you guys. When you dig even a little bit into why Amazon and Facebook and all these other companies are laying off all these people, it generally comes down to one thing. They either overhired during the pandemic because they were afraid of not being able to be competitive and they needed to ensure that they had sufficient headcount because they were really hard pressed to find talent, so they may have instinctively or reflexively, I don’t know, overhired, and/or they realize that the remote work, work from home, isn’t working for their company and they’re letting those positions go. I think it’s the latter. I think that the analysis that I’ve seen is that the mass layoffs at these tech firms are definitely a result of work-from-home inefficiencies, because these particular companies had staffed up. They bulked up during the pandemic for mostly work-from-home positions. The positions and the productivity didn’t turn out to be what they were expecting. And so now they’re realizing, you know what, this is a lot of dead weight to carry. So we’re going to start shedding these positions. They’re bringing people back in the office, and everybody’s doing it, and it’s been going on for a while now.


I’m not saying if you still have remote workers that you are doing something wrong. I’m not saying that. What I’m saying is that all these mass layoffs that we’re seeing out there can be attributed to work from home, because that’s what we’re reading and that’s what they’re saying. Now take it for what it is. These companies have not figured out how to make remote workers valuable to their company. Maybe you have, great; they didn’t. But you combine that with Silicon Valley Bank and these other banks that are going through some difficulties, and then you have this combined vortex of analysts, I think mostly financial analysts, who are saying, “Oh, look at it, it’s the tech sector, they’re the ones to blame. They’re causing all this. If we go into a recession it’s going to be the tech sector,” is what they’re saying. No, I don’t buy that for one second.


Speaking now specifically to you, the MSPs out there, I fully think that if we go into a recession, there are a lot of reasons that you could point to for why that might be happening. You could point to monetary policy in the US and multiple other countries, where we went through a significant easing, right, and production, printing of money, expansion of the monetary supply, raising or manipulating interest rates that are causing havoc with banking, with liquidity, and with businesses. Those are all other issues. You’ve got other systemic issues like the labor market, labor participation, and a whole bunch of other things that could be legitimate causes of a recession. Spending, government spending, could be another legitimate cause for such a thing. And a recession can cause real significant hardship on a number of different industries.


But what I know about managed services after 23 years of studying this market is that historically, in down economic periods, MSPs hold up, except for some specific scenarios where you have highly precise pain points. Again, previous examples I’ve used are like in the pandemic, where you had hospitality and travel that were really uniquely impacted by that thing. And that was not an economic problem. That was a self-inflicted economic shot in the foot, right? That was not a natural market phenomenon. 2008 was real estate. So you had banking and real estate-related industries that really got hit, right? So if you were a bank that was heavily involved in mortgage-backed securities, MSPs that focused on those types of banks as customers had a lot of pain. But overall, the managed service provider market, globally speaking, does pretty well even in down economic periods.

And so I’m saying this as a counterpoint to this common theme that’s coming up, that the tech industry is ruining the economy, is going to cause a recession. I don’t buy it. I think that there are plenty of other reasons that you can point to for that cause. But if you’re worried, if your investors are worried, if your customers are worried, if anyone out there is worried about you as an MSP, and I’m talking about the real MSPs, I’m not talking about if you’re doing 75% or more break-fix, this is not you, you’re a separate category. But the MSPs should, if history is any indicator, do pretty well even during a recession. I hope we don’t go into one. I hope if we do go into one, it’s very short. But I’m not really worried about the MSPs, because I know that they’re going to pull through and continue to do the work that they do every single day that we all need. So the health of the MSP market is pretty strong. It’s not failing, it’s not causing the tech industry or the general economy to falter. Don’t buy into that. It’s rubbish. It’s not true. Just don’t buy into it.


Which brings me to my third and final point for today’s MSP Zone. And it is kind of a marketing/branding topic. And for those of you who don’t know, for 23 years, what we’ve been doing here involves looking at a lot of MSPs every single day. We see applications for membership every single day. And so one thing that we’re really good at is that we get to see so many MSPs. We get to be pretty good judges of what MSPs are calling themselves, how they are presenting their services through their websites, right? I mean, you see enough of that every day and you get to pick up real-time analysis and information about where the MSPs are pivoting and what they’re calling their new services and things like that.


So one thing that I’m seeing, and I think it’s a problem and I think that we need to do something about it, is that we’re seeing a lot of blurred lines between MSP and non-MSP services. And I have my suspicion about why it’s happening. But it’s happening. And it’s happening where it’s really difficult to figure out, because people are using such vague wording on their websites, and it appears that they might be an MSP, but they’re not actually saying that they’re doing managed services. They’re not actually saying that they’re doing anything other than IT services. But that could be consulting.


In fact, they use a lot of consulting types of language. In fact, they use a lot of cyber consulting types of language and terminology and phraseology. What happens is, typically, when they come to us and they apply for membership and we ask them, okay, well, who are you? Describe what you do. And they will typically thread a needle, which is not purely managed services and it’s not purely consulting. So they don’t fit the typical MSP business model, but they’re also not a pure consultancy, in that they don’t have logical ongoing access, except they do.


They don’t have it in the form of an RMM, but they have it in the form of, let’s say, an MDR solution. So they don’t even use, maybe, a ticket platform. They don’t use an RMM platform, but they still have a hook into a client system that raises every risk red flag that you should look at, making sure that they’re doing it appropriately, all the things that MSPs already know. But these new consultants, they’re like, no, we’re not an MSP. You don’t need to look at us like that. In fact, we’re safe. You need us, but don’t examine us too closely. That’s the problem. That’s the problem.


It’s a problem from a security standpoint, but it’s also a problem from a marketing and a messaging and just a market segmentation standpoint, because how do you tell? Do you put them in the MSP bucket? Do you put them in the consultancy bucket? They’re not SaaS providers. They’re something else, and they’re mutating really quickly, like the language on their websites is changing really rapidly. And if we can’t figure out who these folks are, I’m sorry, how are you as a customer, untrained in identifying and dealing with these issues, subtle though they may be, complex issues related to managed services, how are you ever going to figure that out? There’s going to be market confusion. I think there already is market confusion, and I want you all to be aware of this. And I’ve said this before, this is not new for me to say this, but I’m saying this now: these consultancies are actually creeping more and more into managed services territory. Not calling themselves MSPs, though, not saying it’s a managed service, but still having that same type of MSP access, and maybe not doing it the way that they should, is what I’m concerned about.


And I don’t want to spook anybody. I don’t want to cause panic, because I think it’s really easy to tell a good MSP from a bad MSP. I mean, if you’re a customer out there and you work with an MSP who has an MSP Verify report, you can be pretty sure, it’s not a guarantee of future outcome, but you can be pretty sure that your MSP has been thoroughly vetted and that they’ve had to expose themselves and open themselves up to external review. I can’t say the same about a lot of these kind of hybrid consultancy firms, and so I would run them through the same vetting process if I was a customer, which is, let’s see your credentials, let’s see what you got. Do you have an MSP Verify report? I want to see how you do this, this, and this. Fair questions. Fair questions to ask. And if you don’t get responses, move on.


Life’s too dangerous out there to risk it on a firm, no matter how good their website is, who can’t really do what they say they can do on the website. And so it’s just something that I think we all have to be aware of.


If you are an MSP, I think saying you’re an MSP helps customers at least figure out what you do. If you’re a consultancy and you don’t provide managed services, maybe say that. Maybe say it so that people don’t think that you’re doing something that you’re not. Because again, if you insinuate that you’re doing something and you don’t, or you say that you’re not doing something but you are, they’re both bad outcomes. They both create market confusion. And for the MSPs out there that are actually doing what they’re supposed to be doing, it’s not a good outcome for them or their customers. And confusion of any type is not good.


So we’re going to keep an eye on it. And if you out there start to see this stuff, let us know. Drop us a line. We can’t be the only ones spotting this. It’s getting pretty pervasive and common, and I’m sure it’ll work itself out, but calling yourself based on what you actually do is a good thing.

Until next time.


Thanks for listening. If you enjoyed today’s episode, please give us a like. Make sure you are subscribed to the podcast so you will get notified when future episodes are released. We will see you next time in the MSP Zone.

Tags : MSP compliance,MSP marketing,The MSP Zone
