Ep 253 | Can MSPs Guarantee Compliance; Converting Reactive Clients to Proactive; Should MSPs Get Involved with Customer Policies
Can MSPs “Guarantee” Compliance?
It’s no secret that many MSPs are helping clients deal with compliance issues, whether that means gathering evidence for a client audit or simply offering traditional managed services to demonstrate compliance with a given framework.
However, when it comes to guarantees, compliance is not an area where you should make any. Here’s why.
- Compliance within the MSP’s control
- Customer interference
- Making guarantees in the first place
Converting Reactive Clients to Proactive
As some economists are predicting a 2023 Q4 recession, making sure your MSP ship is in excellent condition for potentially rough seas is a good thing. What could you be doing to better prepare your MSP practice for difficult times? Converting as many reactive customers as possible to managed services would likely be a great starting point. Here’s some advice on how to do just that!
- First, why conversion to proactive is necessary
- Migration strategies
- It’s the only choice!
- Get creative
- Offer incentives
- Sunset your reactive practice
Should MSPs Get Involved with Customer Policies
This topic was discussed at the last MSPAlliance Inspire meeting and the debate was interesting. What was unanimously agreed upon was that there is a role for the MSP to play in compliance with their customers. What was in dispute was whether working on client policies was something an MSP ought to do.
- MSPs influence customer compliance all the time
- MSPs’ compliance roles
- Compliance can involve controls, policies, or both
Can MSPs guarantee compliance? How to convert reactive to proactive customers? And should MSPs get involved with customer policies? Coming up next.
You are entering the MSP Zone, a podcast for the managed services community covering news, analysis, and interviews from around the globe. Elevate your MSP game by staying in the MSP Zone. And now your host, Charles Weaver.
What’s up, folks? Jam-packed episode this week. Going to talk about this kind of issue of compliance guarantees. Interesting article we saw, we’ll be reading about that and discussing that and something kind of quasi touching on the economy. But it’s a good bit of advice, I think, on how to convert or how to approach having a conversation to convert those kind of reactive customers that a lot of MSPs have and turn them into proactive managed services customers.
And then finally we’re going to talk about the issue of compliance policies or customer organizational policies and should MSPs kind of get involved in that? If you’re thinking about a compliance as a service offering, maybe you’re already doing it not under a CAAS offering, but you’re just doing it as professional services. A lot of MSPs have kind of mixed opinions on whether or not they should delve into the issue of dealing with a customer and their policies or whether they should deal with other things like their controls. And we’ll break down both and give you some tips on how to approach that.
So diving right in, the first topic today – Can MSPs guarantee compliance? Again, minding my own business, an email comes in and lo and behold, the quote is “Benefits of a managed IT service for proactive, monitoring, maintenance, and support.” So I figure, all right, I’ve seen a million of these things over the years. It’s a generic kind of a puff piece on why you should use an MSP. I’m not opposed to that. I see it a lot more these days. So I read them and I’m just curious, how do people phrase the latest trends and how do they put a spin on why to use an MSP? And just hoping to get some feedback and some arguments that maybe we’re not familiar with. And again, most of it is like really common sense stuff. It doesn’t raise any eyebrows. It’s fairly plain, it doesn’t mean it’s bad. These are concepts that have been around for decades and so they’re not really new to us and to people who follow managed services for any appreciable amount of time. I read it and check, yeah, proactive monitoring, yeah, that’s good. Regular maintenance, yeah, that’s really good. Immediate support, sure, no-brainers. Reduced downtime. And it gets down to the security and compliance section. And I’m thinking, okay, well, maybe there’ll be something interesting here. And I’m reading and it’s talking about the MSP being able to do vulnerability assessments and how to deliver regular security updates that’s probably patch management or antivirus definitions and all those things. And I think, okay, that’s really good. And then it says something that’s in my opinion, just way out there and maybe they didn’t mean to say it in this way. Maybe they didn’t understand what this phrasing actually means or what its impact is. But again, it’s one of those statements that you can’t leave it alone. It has to be addressed, it has to be corrected. That’s what we’re going to do.
So after saying all that about vulnerability scanning, vulnerability assessments, security patches, all legitimate things that MSPs do all the time, the next sentence goes like this: “The MSP can also guarantee that the company’s IT system complies with applicable laws and standards such as HIPAA and GDPR.”
And I think I’m unaware of any MSP on the planet who has any type of language in their service level agreements, in their master service agreements, in their service attachments, on their website, or in their internal policies.
Nowhere written down or uttered by any member of an MSP team have I ever seen or heard someone talking about guaranteed compliance as an outcome of using an MSP.
Now, some of you may be saying, “Hey Charlie, why do you have to get in the middle of this? And why do you have to kind of make it sound like MSPs aren’t doing a good job?” That’s not what I’m saying. That’s not what I’m saying at all. I’m saying quite the opposite. I’m saying MSPs do tremendous work when it comes to the issue of compliance and have been for many, many years. I’m saying that I just said it.
What I’m not saying is that MSPs should or do in fact guarantee compliance outcomes, which this article – and granted, it’s written in an Australian – it’s on an Australian website, but why they’re talking about HIPAA and GDPR is kind of a weird thing. So, maybe they copied the content from someplace else. Anyway, it’s a little bit odd.
But the point is that any reader, any customer reading this or if I was a startup MSP, I just began my practice, there’s a lot of you out there listening to this podcast or reading our material and you want to know, “Should we be guaranteeing compliance with applicable laws and standards?” No. The answer is emphatically no. It should be nowhere found in any of your agreements, which is arguably the most important place that you would talk about compliance and talk about security and deliverables. It shouldn’t be in your marketing literature. It shouldn’t be something that your sales or marketing teams are saying, thinking, it shouldn’t even enter their minds to talk about guaranteeing compliance because it’s just impossible.
“Why is it impossible?” you may be asking. It’s impossible because the MSP, even the MSP, that is the entire IT department for a company, still does not have complete control, nor can they be delegated control. Power can’t be delegated to the MSP so that the MSP is completely in control of compliance related decisions for that company. They’re always going to be outsourced. The MSP is always going to be a party, a strategic party, a trusted advisor, but an external party nonetheless.
And getting into the situation of guaranteeing outcomes, guaranteeing to a customer that says something like, “Could you help us become HIPAA compliant? Can you help us become GDPR compliant?” An MSP ought to say comfortably, if they can do this, sure we can. And if the customer ever said something as a follow up like, “Could you guarantee that?” I would hope most MSPs would say, “Well no, I can’t guarantee that because you ultimately are the one responsible for any compliance of your company with a given framework.”
Now, what we can do is our part. We can say, okay, if GDPR or HIPAA, for example, are the two implicated frameworks, then the MSP, if they’re knowledgeable about those frameworks, ought to be able to pull up their controls, the customer controls that they influence, they the MSP, and be able to document what exactly they do and what they don’t do. And if you have things like an MSP Verify report or a SOC 2 report, you would be able to do exactly that and be able to tell a customer, this is where we start and where we end, and where you, the customer, need to act on your own and make decisions and take responsibility for your company’s own compliance. Because there’s actually quite a bit of policy work. We’ll talk about that in the last segment. There’s a lot of decisions that only the customer can make, that the MSP can advise on, can encourage, can really plead with the customer, “Hey, I think you ought to be doing something, backing up data, turning on the MFA, things like that.” But if the customer says, “I don’t want to, but I’d still like you to guarantee my compliance to any given framework.” – You could see where that becomes a really sticky situation. Hence why nobody, nobody – particularly, I would hope, any of your legal representatives who are reviewing your contracts and things like that – should be coming even close to offering or stating compliance guarantees. They’re impractical, they’re impossible, and they’re misleading. And I don’t know of any MSP that, again, says those types of things. And it would be a bad thing for any reader to come across this article and to say, “Oh, I should expect compliance guarantees from my MSP because this article says that this is one of the benefits of using an MSP.”
We’ve talked a lot over the years about this idea of the customer offloading risk to the MSP, and this is a great example of that. This is a great example of a mistake. This is not a practice. This is not a best practice, but this is not even a practice in the managed services community, nor should it ever be. And this ought to be corrected. There’s no name of the author in this. And if there were, someone should write them and say, “Hey, you ought to correct this article because it just doesn’t convey what is reality in the MSP global channel.”
So again, a lot of the stuff we talked about, folks. You may be saying, “Jeez, this is stuff we already know.” If it’s stuff that you already know, number one, I’m really glad, I’m happy. But if you don’t know about it, now you do. And whether you did or didn’t know about it before, now you know what is being talked about and written about your profession and what is being communicated to your potential customers or maybe your existing customers. And that’s why we bring these types of things up. We don’t bring them up to call negative attention to the MSP sector. Because again, I don’t think this is something that I see a lot of MSPs doing. I haven’t seen any MSPs offer these types of guarantees. But you should be aware of it. You should be having these types of conversations because they are very much – they’re tied at the hip, these conversations with the concept and the topic of risk, risk apportionment, risk sharing between MSP and customer and vendor. We’ve been through that so many times. I’m just telling you this is a good practical example of that. Be aware of it. Go check out the article. If someone could find out who wrote it, maybe tell them, “Hey, you should probably clean up that last section.”
Okay, moving on.
Converting reactive to proactive customers. Very popular topic 20 years ago. I think it still is today because there’s still too many reactive customers being served by legitimate MSPs. And in my opinion, that is a symptom not of bad MSP’ing, but that’s a symptom of too many customers just not taking their responsibility of internal risk, internal compliance, and internal security, IT security, seriously. That’s a bold statement, some of you may say, but I stand by it. Now, there are many reasons, right, going back 20 plus years, there are many strategies about how to convert them, why to convert them. And most of the early on strategies were all about, hey, it’s a lot easier. Turn the maintenance and the grunt work over to the MSP. Let us do it so you can focus on what’s core to you. I think we’ve done that to death and people know about that. Today, we’re in a very different cycle of rationale and motive for why you would want to employ an MSP, in my opinion, in the MSP’s favor, a lot more serious types of topics.
I’m going to give you one good example that’s relevant right now that I think is something that any company that you represent as an MSP can understand. Whether they’re for profit, not for profit, doesn’t matter. This should work. And that’s related to the economy and finances and making a fiscal monetary decision to employ a managed services provider in a true managed services fashion, not just, “Hey, I work with an MSP, but I only use them for break-fix work.” That’s not really taking the benefit of managed services. But here’s one of the chief reasons this year. I think this could be a very compelling rationale and a time frame to make that conversion and have that kind of strategy discussion with these types of reactive customers.
Just this week, we saw some new – this is US economic data – inflation seems to be softening a little bit in certain segments. In others, it’s still quite high. It’s too high across the board, but it seems to be softening in certain segments of the market, which is good. Unemployment claims in the US, again, are up, which is not good. And so all of these things, not to get too much into the economics of it, but basically indicate a landing. If you heard about the soft versus hard landing of a recessionary cycle or a deflationary cycle, that’s what we’re talking about. They’re talking about how if we had a hot market before and it led to hyperinflation, it led to very cheap money, which we had before because they were printing it all over the place. And now we’re easing back on the stick and the money supply is shrinking up and unemployment is going up and inflation is coming back down. Those are the things that the US Fed is trying to do.
But it’s going to involve a little bit of pain, a little bit of rug burn. If you know that, if you’re prepared for that… And just this week, some economists have been saying, I think we’re looking at a recession in Q4, fourth quarter of 2023. Again, I’m not saying they’re right or wrong. I’m just saying that’s what is being reported and hypothesized by some economists out there. If you reasonably believe that that’s a possibility, why wouldn’t you have a conversation today with your customers, particularly those who are in a reactive relationship with you? This definitely applies to proactive managed services customers as well, but for the reactive ones, have a conversation today about what you think is happening in the economy. Maybe see if they have opinions on the recession. If they think that a recession in the fourth quarter of this year is likely, start by talking these things through with them. And then start to have the conversation about what is that going to do to your IT? Your IT availability. What’s it going to do to your security, what’s it going to do to your ability to fend off a cyber attack? Remember, the bad people do not discriminate between good economic or bad economic times. They will strike whenever it is opportune for them. So don’t hinge your thoughts on, hey, well, it’s a recession, I’m not going to get hit by a cyberattack because it’s a recession. That’s not true at all. Have those conversations. Talk to your customers and say, look, the way we interact now, MSP to customer, is not in a managed services fashion. And if we go into a recession, I can’t guarantee that I’m going to have bandwidth to be able to spend on a customer like you because there’s no predictability. We don’t have that relationship. You call me when you have a problem and I bill you for the work that I do. I’m just role playing here.
This is what I might say to a reactive customer, but I have a lot of other customers who are managed services customers of ours and whether they are going through difficult economic times or not, they have a couple of things which I think you would greatly value. They have predictability, they know what their IT management costs are going to be. They can predict it, they can budget for it. And that is a real relief for a lot of business owners and financial directors and managers if they want to predict what is going to happen through some potentially turbulent economic times.
Number two, they can also predict or have a fair degree of certainty about what type of IT performance they’re going to get from that budgeted amount. Right?
Remember, this is not just about the financial economics. It’s also about the outcome of less bumpy, again, we’re not talking about guarantees here, we’re talking about less bumpy IT performance. No zigzags up and down – on spending – but certainly less zigzag up and down, erratic behavior in terms of performance and availability of these IT assets.
I know a lot of MSPs who have this really dialed in. If hardware fails, they’ve got replacement hardware ready to go depending on how available that asset needs to be for that customer.
And so you can have these conversations and there’s many others, right? It’s not just economic or IT performance. I think cyber, I think security, I think data privacy risk in general is an incredibly powerful seller and selling point today.
And if that didn’t do it, you could always fall back on – look, there’s going to be a time, maybe in the near future, maybe not this year, maybe not next year. Maybe it will. Where you say to a reactive customer, “I’m not going to be able to service you because I’m going to be busy taking care of all my managed services customers. And I would like you to be in that group because I think, honestly, you’re going to be safer and you’re going to like it. You’re going to be better prepared for what is coming and you’re going to be better able to predict your budget and allocate your resources accordingly. But if you don’t want to do that, that’s fine. But we at some point are going to have a parting of ways.”
Now, you all have very different relationships and different types of communication with your customers depending on the customer. I appreciate that. But a potential pending recession in the fourth quarter of this year gives you plenty of opportunity to start having conversations where you could really do yourself as an MSP practitioner and your customer, particularly those reactive customers, do them a lot of favor and a lot of good by having these conversations now. And help them prepare. Help them get onto a managed services plan. Help them streamline and normalize their IT budget, streamline their IT performance and availability, help improve security across the board. Hopefully, you’re doing that as well. And it’s just a good conversation and it should be a no brainer conclusion and decision.
Now, it’s not going to be for everybody and maybe having these conversations is good for one thing only, which is you figure out who those people are in your customer base who really don’t care about IT, IT performance, IT availability and maybe, just maybe, the reason why they don’t care about it is because they think all the risk is on your shoulders. Wouldn’t be the first time we heard that argument, would we? Give it a try. I think you might be surprised at how easy it can work.
Lastly, at the Inspire – the MSPAlliance Inspire Meeting, we had a rather spirited conversation – debate. It’s not a debate, it was a good conversation amongst the MSPs who were talking about Compliance as a Service and they were talking specifically about the issue of customer policies and whether MSPs ought to or ought not to get involved in consulting around customer policies. And it got me thinking and I wanted to express some of the opinions that were shared and offer some of my own opinions so you can hopefully make a well informed decision on your own.
Number one, I think this is true with certainly the Inspire group, but it’s also true with most of the MSPs that I talk to who are of a medium-level maturity or higher, which is to say MSPs influence customer compliance all the time. And they have for many years, for decades now, you may not have had a Compliance as a Service offering, but most MSPs, if you really probe and they are really honest and open about it, they would admit that they have a very big impact on the compliance of their customers. It could manifest itself in a lot of different ways. MSPs in the banking sector who have to respond to bank customer examinations from the FFIEC would be a great example of that type of direct compliance impact or relationship.
It’s more indirect but the point is that it’s very much there, that connection exists. Without the MSP, that bank can’t progress and meet its compliance obligations to the federal government and that’s why the MSPs frequently get involved in talking directly to the bank examiners and answering questions related to firewalls and IT security and data handling and things like that. It’s a great example, been happening for many, many years. I think it proves my point. MSPs and compliance, it’s long existed in our sector.
The trend happening now is whether MSPs ought to go a step further and deliver a service offering. I’ll call that Compliance as a Service to customers who have, let’s say, more pressing, more involved needs around compliance than they may have had previously. What does that look like? Well, certainly helping your bank customer go through a banking examination and audit from the federal examiners would be a really good thing. But let’s take the example of we’ve talked about this in the past, filling out customer cyber insurance questionnaires. We’ve talked about that a lot. I think you guys may remember. I know a few MSPs who actually charge money because the customer says, “Hey, I’ve got this 15-page questionnaire from my cyber insurance guy and he wants me to fill it out. I have no idea what this stuff means. Can you do it?”
Some of you say, yeah, I’ll do it. And you spend all weekend filling out a 15-page questionnaire. That doesn’t really make a lot of sense, but you’re the only one that can answer it because it’s a bunch of tech questions and you do it for free and you just consider it part of your managed services relationship. It’s goodwill to the customer. All right, I get that. Others say, “Sure, I can fill out that 15-page form for you! Here’s the fee we’ll charge. Based off of our professional services arrangement, it’ll cost this much per hour. We estimate that it’ll probably take us about three to four hours to gather all the information because it is 15 pages, it’s quite lengthy and we can do all the stuff for you. Absolutely.”
And a lot of customers are willing to pay that because they have no idea and it’s a legitimate valuable service.
Now, in point of fact, and the argument for developing a compliance offering to your customers, again, using as an example that cyber insurance questionnaire, if the customer had an internal compliance manager or director capable of doing this, that’s what they would be doing, among other things.
But a lot of small and medium-sized businesses, they don’t, even large organizations, they don’t have a compliance person, much less a team. And so they don’t have these types of resources to be able to say, “Hey, go get Frank over in compliance and make him complete that 15-page questionnaire we just got.” They don’t have someone who could do that.
So they turn to the next best thing, which is their trusted advisor, their MSP. I think you ought to charge for it. If you’re good at it, you ought to charge for it. And especially if you have the ability to understand how you interact and influence your customers’ compliance. Again, stuff we’ve talked about and stuff that I’m trying to bring up over and over again to try to get you guys to start thinking about this because it’s the wave of the future.
But stopping at the example of filling out a customer cyber insurance questionnaire form, and going beyond that to, let’s say, the hypothetical: I’m a customer and I go to my MSP and I say, “Hey MSP, could you help me, oh, I don’t know, write an information security policy?” That’s a little bit different than answering an insurance form, right? You could see why.
And that’s why the Inspire members in Boston last week had such a spirited conversation about this because some of them were saying, “Well, this is really not good, right? I mean, for risk’s sake alone, we don’t want to be responsible for writing a customer’s information security policy.” And then another MSP said, “Well, that’s very true, but what about just advising them on what it might look like? Or giving them – going to the SANS Institute and getting one of those – their information security templates and giving it to the customer and saying, ‘Here you go, fill it out, and then we’ll tell you what we think about it.’”
Somewhere in there, and I admit that’s a very big chasm or a very big kind of latitude that you could take somewhere in there is a sweet spot of something that would make you comfortable from a risk standpoint, but that would be very valuable to your customer.
Now, I get not wanting to take complete ownership of developing a customer’s information security policy for the reasons that I’ve said on the record many, many times. There are certain things that can’t be delegated to an MSP, and in my opinion, developing and writing an entire information security policy or something similar, another similar policy, eventually the customer has to own it.
The customer, even if the MSP wrote it word for word and handed the customer that infosec policy. “Here you go.” The customer at some point has to read it, accept it, and take ownership and responsibility for that information security policy becoming practice and policy within their organization. That can’t be pushed off on the MSP.
Now, the MSP can help the customer comply with that or meet what happens in that information security policy. And a great example might be if your infosec policy talks about, let’s say, backing up data and the MSP is actually offering backup as a service, you could understand why that would be really natural for the MSP to say, “Look, we back up your data, so we think that you ought to have backup as a service in your information security policy. And we can help you talk about exactly what we do for you to document that.” That’s very natural, very synergistic. Hopefully that makes sense.
But again, you have to be comfortable. You have to have a certain amount of knowledge about where your authority starts and where it ends. Go back to the first comment. The MSPs influence customer compliance all the time today and for many, many decades past. You just may not be aware of it.
And so whether you’re going to get involved in compliance policies for your customers or not, or at what level, it’s something that you may want to start to think about. And I’m not trying to force one way or the other on you. What I am trying to say is all MSPs should have a very good understanding of the compliance situation within their customers’ environment, at least to the extent that the MSP influences that particular area. Again, my example was backup as a service. If the MSP does that and that alone, then the MSP is eminently qualified to talk about the role of backup in that organization and to help document controls.
It might be frequency. How often is the data backed up? Where is it backed up? Is it encrypted? Is it encrypted at rest? Or is it encrypted in transit? Is it replicated? Is it air gapped? Is the restoration tested periodically to see that the backup sets are really good? All those things factor into that one little element called backup. But it can go on and on. It can go into many, many other areas. And I’ve just talked about the information security policy. There are many other types of policies that might be relevant, might be impactful to a customer that involve an MSP.
Now, again, if you don’t want to cross that line and get too close to the customer because maybe they’re a little bit reckless, maybe – I get that type of thing. Especially if maybe they’re on the more reactive side. Compliance for a reactive customer would probably be really dangerous. And maybe that’s what some of the folks at Inspire in Boston were talking about. Maybe you shouldn’t be involved in Compliance as a Service at all with any reactive customer, because how would you in any way seriously be able to play a positive role when you’re just being a reactive agent waiting for that next disaster to happen from the customer?
So at the very least, I think MSPs ought to be familiar with the controls, familiar with the frameworks that are impacting their MSP customer and generally be aware of the types of policies that you might want to have within that type of organization and be at least willing to have a conversation with the customer. Even if you’re not advising them, you should at least be aware of it. Being aware of it will help you in one critical area. At least you have something to say in the conversation and you can participate in the conversation compared to saying, “Gee, I have no idea what you ought to write in there.”
The next call from your customer is to someone else who will. Food for thought. Thanks for listening. If you enjoyed today’s episode, please give us a like. Make sure you are subscribed to the podcast so you will get notified when future episodes are released. We will see you next time in the MSP Zone!