Weaver Outrage Meter: Medium

MSP Zone examines the idea of a cyber tax, what that would look like, and whether a cyber tax would be a good thing for MSPs


  • Cyber tax credits
  • Codes of conduct
  • Government oversight?

Cyber Verify has been launched. What is Cyber Verify? How can it help MSPs at both ends of the MSP maturity spectrum?

The Art of Managed Services 2nd Edition is now available for purchase. What went into the 2nd edition? What has changed since the first edition was published in 2007?

Supplemental reading:

Cloud Computing Needs a Universal Standard – WSJ


Full Transcript:


You’re entering the MSP Zone, a podcast for the managed services community covering news, analysis, and interviews from around the globe. Elevate your MSP game by staying in the MSP Zone. And now your host, Charles Weaver.


All right, folks, it’s been a while. I apologize. Been insanely busy over the last couple of weeks and months. And actually for the last year, I’ll get to that in a minute. But we’ve just been incredibly busy and the production of MSP Zone episodes is nowhere near to what I would like it to be, the frequency. And that’s going to change moving forward.


Some of you may have noticed those of you who are just listening to this podcast, audio only, there is now video. So if you want to see the video along with that audio, you can check out YouTube. We’re posting it on full on YouTube. I suppose that’s the really only place that you can see it. And then we’re splitting up the little video segments onto different social media platforms like Instagram, Facebook and Twitter and LinkedIn, among others. So check us out there. If you’re not following us on those platforms already, check us out, give us a like and follow us, and we’ll do the same to you guys.


All right, let’s just jump right into it. The main thing that caught my attention about this first topic about a cyber tax, which was our good friend Corey Munson from PC Matic, who I’m now believing that he just likes to find topics that are kind of salacious and will maybe get a rise out of me. And I did set the Weaver Outrage meter to medium today just because of the cyber tax issue. But kidding aside, Corey is a great guy and he always finds really kind of unique stuff related to managed services that he sends to me. And this is one of them.


And it’s an unusual article. I’m going to not attack. I’m going to attempt to debate the idea, not the individual, the concept that is being presented here. And it’s in the Wall Street Journal, right? So that’s the first thing that caught my attention is this wasn’t a Channel magazine concept. This was a Wall Street Journal article. And it’s written by a person who presents the argument, which I agree with, by the way. And so the intent stated is an intent that I share personally, and MSP Alliance shares along with its 30,000 plus constituent members all over the world, I’m sure all of them share, which is to improve cybersecurity, period. So in terms of that stated goal, we’re all on the same page. Where we diverge is how we get there. And that’s where I’m going to spend the majority of my time today.


So I’ll post a link to the article. It’s in the Wall Street Journal. Like I said, I don’t know if you need a subscription to read it, but I don’t think I had a subscription to read it. So at least for now it’s publicly available. And the highlights are in order to improve organizational this is not an individual policy idea. This is an organizational policy idea in the United States. The theory goes if you want to improve organizational cybersecurity, maybe you should look at using the tax code as a mechanism to achieve that goal. Specifically cyber tax credits or tax credits generically.


So how it would work is this and again, this is not being proposed as legislation. This is just a person, an individual writing an article in the Wall Street Journal with an idea. The idea is a tax credit at the federal level. So this is not a state law. This is a federal law. This would impact the US IRS code for organizations that pay tax in the United States.


If you want to, for example, promote cybersecurity best practices, for example, multifactor authentication, you might have a framework where the organization in question, if it can demonstrate that it is using multi-factor authentication within its organization, it would be eligible to receive a tax credit. What that would mean is that organization presumably has a tax liability for any given tax year and the tax credit would be available to them if they were able to demonstrate that they were using MFA.


Now on the face of it, you might be thinking – Charles that’s a really fantastic idea. Why wouldn’t we want to be all in favor of it? Well, there’s a number of reasons why you wouldn’t be in favor of it. There’s a number of reasons I’m really not in favor of the mechanism to get there. Again, I’m not talking about the use of MFA here. I’m talking about how you go about doing that specifically using something like the IRS or the US tax code as a mechanism to change behavior.

Number one, someone’s going to have to write this. Someone’s going to have to create a standard and the author of this article states that a standard and frameworks have to be created. And the first thing that came to mind and I don’t think that the author knows about this, maybe they do. But there was an article in the Wall Street Journal, the same publication that was written back in 2012 that made the argument that managed services providers and cloud providers needed a standard of organizational best practices and behavior. I know this because I wrote it. I wrote that and it was in the Wall Street Journal and it was way before this individual had the idea of cyber tax credits. And in that article, I present the case of look, we recognize way before the pandemic, way before cybersecurity ransomware attacks became the thing. We were talking about this and had been talking about this for a long time and we believe in standards. What we don’t believe in is this type of concept or construct where the US IRS would be in essence in charge of cybersecurity, at least being administered through the tax code that they are the sole agents of guarding and auditing and pursuing.


Now I’m going to make a little bit of a logical step here which is to say some people might call it don’t throw bricks in a glass house, right? We just got through, I think a week or so ago, the news that the US Marshal service which is not part of the Treasury Department, I think they’re part of Homeland Security, they’re part of the DOJ. But the Marshal service just had a fairly significant data breach, a cyber attack that involved a compromise of data. I don’t think we know yet what it is. At least it hasn’t been disclosed. But it was disclosed that the event did in fact happen and that it was in fact serious or significant. You want these people, the same federal government family, to then be promoting best practices and in no small way wielding a tax code hammer to drive that behavior? I don’t think so.


I think we all have work to do in cybersecurity. We all have a lot of work we could all be doing. But I don’t think turning over that type of power to any organization to be able to assess fees or in essence say you’re going to get a tax credit but you’re not going to because MFA is easy to do. But what’s not easy to do is to go beyond MFA or beyond just are you backing up data? Is it encrypted? Is it replicated? Is it air gapped and all that stuff?


It’s dealing with organizational, let’s put it this way, just mastering the concept of evaluating and certifying MSPs, which is what MSP lines does for 23 years. This is what we do. That’s a full time job. That’s a full time career. That’s a lifetime pursuit. That’s MSPs. Talk about banks, talk about hospitals, talk about insurance organizations, talk about federal agencies, talk about, you know, business industries that rely on specific business lines of application. I mean the, the list goes on and on of unique subtly different best practices. That would have to be codified.

It is an impossibility, it is a veritable impossibility for any organization to do that. We couldn’t do that. I mean we did it with managed service providers and we stay in our swim lane and we do it well. We do it better than anyone else. But it takes a full time organization just to stay up with the changes impacting managed service provider organizations. How is any law going to be written that is going to be that fluid that it would be able to keep up with changing best practices? It wouldn’t.


And you would end up with a very quickly outdated tax code that would be quickly a penalty more than anything. And it wouldn’t drive best behavior. It would drive something else. And so for that reason and a multitude of other reasons I don’t want to get into. I don’t have time to do it, but I’m not in favor of a cyber tax. I think it’s a foolish idea. I think it’s not an idea that should be credibly taken. I think there are many other ways that government could be involved to help drive behavior.


Education is one of them. It’s a great way that government could do that. It can pass laws that say, look, we want to have our Department of Defense or whatever agency to be well protected and so we want this framework and these types of organizations to be servicing them as vendors. Those are completely legitimate, but it doesn’t wield a tax code as a hammer. And in Europe they’re using GDPR and not a tax code to do things like create litigation. If there is an abuse of how data is being handled on the part of European citizens, I’m not saying that that necessarily is what we want to do, but there are other areas in other ways that are a lot more agile than a tax code, which is not easy to change.


It’s highly politicized. And if there’s one thing that should not be ever politicized, it’s cybersecurity. I mean, there’s just no good reason and no good outcome that comes from political creatures handling that type of subject matter. That’s just my opinion. You may have a very different one. I would love to hear your opinions. If they’re similar to mine or different from mine, I’d like to know it because that’s how I learn.


But those are my thoughts, and I’ve put a lot of thought into it and a lot of study into it over the years. And that’s what I tell a lot of politicians and a lot of lawmakers: look, you don’t want to be responsible for wading into the deep waters of cybersecurity compliance because make sure you can keep up. Forget keeping up, make sure you can tread water and keep your head above water. Otherwise, you’re going to end up with something that you never contemplated getting into.


Anyway, those are my thoughts on the cyber tax concept, and I appreciate Corey Munson for giving us a heads up on that one.


Number two on the list today, Cyber Verify. We launched Cyber Verify. We announced Cyber Verify a number of years ago when we talked about the Cyber Verify rating or scoring methodology.


And for those of you who don’t know, and there’s a good number of people who are not MSP Alliance members, and that’s fine. For 23 years, MSP Alliance has been in the business of promoting MSPs, promoting good behavior, best practices amongst the MSP community worldwide, and educating MSPs on how they can become better, chiefly through networking and peer mentoring and education.


In addition to that, we back in 2004 created our own standard, which today is called MSP Verify. And we’ve been doing that since 2004. So that would be just shy of 20 years we’ve been certifying MSPs all over the world.


And we got to the point where we were realizing there’s a lot of MSPs who can’t afford, can’t cost justify the time and find it really difficult to even go through this type of a certification process, much less like a SOC 2 or an ISO where there’s some bureaucracy with ISO, some bureaucracy with SOC 2, and MSPs just say, “Look, I don’t want to bother with it. It costs too much. I don’t have enough time in the day to do this, and it’s complicated.” And they would tell us that.


I said, “Look, I get the value of doing this. I get the value of wanting to achieve certification for my MSP business, but give me a better way. Here’s the better way. Cyber Verify, it does two principal things.”


Number one, it reduces the cost, it reduces the complexity, and it provides, especially for those kind of earlier, less mature, maybe startup MSPs, or maybe large organizations that are new to managed services, who want a path towards managed services maturity. That’s what Cyber Verify will do for you.


It will help you become prepared, get your documentation in order, policies, procedures. If you don’t have them, we’ll help you with it. The platform will help you with it. If you don’t know what type of controls your MSP organization department ought to have, we’ll help you with that.

The system, and it is a system. We built this platform from the ground up specifically for our members to help an MSP organization understand what is required and expected of them as an MSP operating today. And help them to document, help them to implement controls. Help them to examine their policies and procedures, improve them, and to understand, even if they can’t get there today, that they have a path, they have a checklist, they have a roadmap to become more proficient, more secure, more agile, better of everything as an MSP.


That’s what Cyber Verify was first and foremost designed to do.


Number two, again, based on some really early feedback from MSPs who were coming to us saying, you know what, some of them have been going through MSP Verify for many, many years, right, a decade or more. And they were coming to us and saying, what MSP Alliance does for us, for our MSP practice, could you help us with our customer? And their customer wasn’t an MSP.


So initially we said, well, we don’t really work with non-MSP companies. And they would say, yeah, but is there some way that you could help us deliver that as a service downstream for, let’s say, SOC 2, ISO 27001, NIST frameworks, CMMC, what have you? And we started hearing that more and more, and we said, maybe there’s something to this. And we took that into account and we developed that into Cyber Verify.


So the platform not only helps the MSPs, but now it will help an MSP turn what used to be a cost center into a profit center and deliver a compliance service downstream to that particular customer. Now, it doesn’t turn the MSP into an auditor, but what it does is it unleashes the knowledge base, the intelligence of the platform, and equips the MSP to be able to go to any customer organization.


And say, look, if this is a framework that’s covered into the platform, let’s just use ISO 27001 as an example because that’s global. Everybody knows that. Most MSPs don’t want to become ISO auditors, but the MSP wants to help their customer out who’s in a jam, a lot of them saying, “Hey MSP, help me out. I need to achieve compliance with ISO, can you help me?” Well, guess what? With Cyber Verify, that platform can now help the MSP express and organize the controls, policies, procedures, and evidence necessary for that customer to achieve compliance with that framework, all within the confines of the managed services relationship that already exists between MSP and customer.


And there’s a third benefit. It’s not a feature, but it’s a benefit that was never really intended. And that is this. This is really critical, I think, as it attempts to preserve that trusted advisor relationship between MSP and customer, which is now being threatened by a bunch of cybersecurity consultants all over the world, particularly in North America. These consultants are trying to wedge themselves in between MSP and customer through things like CMMC. They say to the customer, “Well, your MSP is not really helping you achieve this, are they? Let us come in.” We’ve seen great damage attempted to be done by these consultants. Maybe they mean well, maybe they don’t know enough to know that they’re not being a good advocate for their customer. They’re causing a lot of confusion and problems because they’re going into an existing relationship with an MSP who has an obligation, an existing obligation to maintain and monitor that customer’s IT assets.


Now, they have to deal with another third party who’s saying, “I don’t think you ought to use that antivirus, or I don’t think you ought to use this,” all under the construct of “I’m going to help you become better cybersecurity prepared or achieve CMMC or whatever framework.” We’re seeing a lot of that emerge, and we’ve talked a lot about that type of thing emerging over the last several years on this podcast. Cyber Verify is an attempt to put the power back in the hands of the MSP where it belongs, to enable and equip them with the necessary tools to be knowledgeable enough to deliver this compliance material downstream to a customer and to do so.


In my opinion, this further evidences the great value of working with an MSP in the first place. By the way, this could work just as easily with an insurance company. If you’re getting a cyber insurance policy, it can work just as easily with a downstream customer who’s also trying to get a cyber policy, which we know has been happening a lot with MSPs. So that’s the platform. I’ll get off the sales soapbox. But we’re very proud of it. We’ve put a lot of effort into it and a lot of time, and it’s finally launched. We’re getting a lot of great feedback from all over the world, literally all over the world, and MSPs who are wanting to and starting to sign up for it. Anyway, that’s what’s been keeping us busy.


On to number three. This has also been occupying a lot of my time over the last couple of years, and that is the second edition is now available of The Art of Managed Services. What is the art of managed services, you ask? Good question. The first edition, Art of Managed Services, was published back in 2007, a long time ago. And I wrote that because at the time, I was getting so many people asking me the same questions over and over again. And I just got to the point where I said, I don’t want to keep repeating myself, I’d rather just write this down and document it. And I soon found myself writing a book and in 2007 published it. And at that time it was pre-digital, pre-Kindle, I think. And so it was only available through physical paperback.

This one, The Art of Managed Services second edition, is available currently only via digital e-reader format. You can buy it on Amazon right now, and soon it will be available on paperback and hard copy, I think, as well. What is it? It’s aimed for an MSP reader, but it’s also aimed for a non-MSP reader. So you don’t have to be in our industry to appreciate what it is. And it’s an anthology. It’s a historical record of the early days of managed services. And that’s where the first edition takes us, up through 2007. And then after that is when I realized the earlier stuff wasn’t wrong, it was just incomplete. It left off. And there was a lot of stuff that was coming out post-2007 up through today that was really important and needed to be included in that. And that’s where the second edition bridges that gap and takes us fully current up to 2023.

But it’s a great historical record of the history of the managed services profession. But it’s not the history book. It goes beyond that. And it actually talks about best practices. It talks about and this is aimed at an operational level, it’s aimed at an executive level, an owner level. If you are an investor looking at investing in managed services, which I know there’s a lot of you out there in the private equity field. The Art of Managed Services ought to be on every investor’s bookshelf because it’s a great resource guide for if you want to buy or invest in managed service providers, you’d better know a lot about them. And this is the greatest single resource book to be able to absorb a lot of information that is critical for understanding the profession, understanding where it came from, where it’s heading, and the challenges and opportunities that are facing MSPs pretty much everywhere around the planet these days.


And so, I’ve been spending a lot of time, it started in the early parts of the Pandemic when a lot of people were sitting at home, including us, wondering, hey, got to keep busy. And so I started writing the second edition back then and it took a little bit of time, but finally, it’s out and it’s available. So, The Art of Managed Services. Second edition on Amazon. Go check it out. It’s a quick read. I hope you enjoy it and it was a lot of fun to finally get that out there.


On a more personal note, we’re going to be hitting the road a lot this year. In 2023, globally, we’re going to be doing a ton of roadshow networking dinners, check out our website, check out our social media platforms, and you’ll probably get notifications of where we’re going to be, when we’re going to be there.


And they’re for MSPs, they’re going to be great networking, educational. We’re going to be doing cyber briefings and it’s going to be a great opportunity for MSPs to network with one another, hear about what’s happening in the industry and just continue to evolve and grow their knowledge base.


And we’re going to be not just doing those, we’re going to be going to third-party events a lot this year, some international ones. And so don’t be surprised if you see us there, but it’s going to be kind of our getting back out there on the road just like we used to pre-Pandemic. And we’re really excited to be seeing a lot of old familiar faces and meeting some new faces as well out on the circuit and just continuing to engage with the MSP community and do what we love to do, which is help MSPs. It’s in our blood, it’s what we do, what we’ve done for 23 years, and we’re going to keep on doing it.


So appreciate the time. It’s good to be back in front of the camera, in front of the microphone, and keep the ideas coming in. I know we’re getting a lot of feedback from people who want to hear about certain topics and we’re certainly going to be plowing through our stack of material that’s been building up. And until next time, thanks for listening. If you enjoyed today’s episode, please give us a like. Make sure you are subscribed to the podcast so you will get notified when future episodes are released. We will see you next time in the MSP Zone.

Sorry, the comment form is closed at this time.

YouTube Logo | MSPAlliance

Subscribe to MSPAlliance on YouTube!

Explore a world of valuable content, including full-length podcast episodes and clips, thought-provoking special interviews, immersive events, enriching webinars, live streams, and more.

Join our community on YouTube, subscribe to our channel, and elevate your MSP journey!

Mobile and Laptop device image of YouTube MSPAlliance Channel | MSPAlliance

Have questions?

We're here to help! Fill out the form below and we will get back to you as soon as possible.

First Name *
Last Name: *
Contact Email: *
*Required Fields
Note: It is our responsibility to protect your privacy and we guarantee that your data will be completely confidential.






Contact us


510 Meadowmont Village Cir, #289 | Chapel Hill, NC 27517

MSP News

Sign up for MSP News, the weekly newsletter bringing you news and analysis from the managed services industry.