Can MSPs “Guarantee” Compliance?

It’s no secret that many MSPs are helping clients deal with compliance issues, whether that means gathering evidence for a client audit or simply offering traditional managed services that demonstrate compliance with a given framework.

However, when it comes to guarantees, compliance may not be an area where you should make any. Here’s why.

  • Compliance within the MSP’s control
  • Customer interference
  • Making guarantees in the first place

Converting Reactive Clients to Proactive

As some economists are predicting a recession in Q4 2023, making sure your MSP ship is in excellent condition for potentially rough seas is a good idea. What could you be doing to better prepare your MSP practice for difficult times? Converting as many reactive customers as possible to managed services would likely be a great starting point. Here’s some advice on how to do just that.

  • First, why conversion to proactive is necessary
  • Migration strategies
    • Compliance
    • Security/privacy
    • It’s the only choice!
  • Get creative
    • Offer incentives
    • Sunset your reactive practice

Should MSPs Get Involved with Customer Policies?

This topic was discussed at the last MSPAlliance Inspire meeting, and the debate was interesting. It was unanimously agreed that there is a role for the MSP to play in their customers’ compliance. What was in dispute was whether working on client policies was something an MSP ought to do.

  • MSPs influence customer compliance all the time
  • MSPs’ compliance roles
  • Compliance can involve controls, policies, or both

Ep 253 Transcript

Can MSPs guarantee compliance? How to convert reactive to proactive customers? And should MSPs get involved with customer policies? Coming up next.

You are entering the MSP Zone, a podcast for the managed services community covering news, analysis, and interviews from around the globe. Elevate your MSP game by staying in the MSP Zone. And now your host, Charles Weaver.

What’s up, folks? Jam-packed episode this week. Going to talk about this kind of issue of compliance guarantees. Interesting article we saw; we’ll be reading about that and discussing that, and something kind of quasi touching on the economy. But it’s a good bit of advice, I think, on how to convert, or how to approach having a conversation to convert, those kind of reactive customers that a lot of MSPs have and turn them into proactive managed services customers. And then finally we’re going to talk about the issue of compliance policies, or customer organizational policies, and should MSPs kind of get involved in that?

If you’re thinking about a Compliance as a Service offering, maybe you’re already doing it, not under a CaaS offering, but you’re just doing it as professional services. A lot of MSPs have kind of mixed opinions on whether or not they should delve into the issue of dealing with a customer and their policies, or whether they should deal with other things like their controls. And we’ll break down both and give you some tips on how to approach that.

So, diving right in, the first topic today: Can MSPs guarantee compliance?

Again, minding my own business, an email comes in and, lo and behold, the quote is “Benefits of a managed IT service for proactive monitoring, maintenance, and support.” So I figure, all right, I’ve seen a million of these things over the years. It’s a generic kind of a puff piece on why you should use an MSP. I’m not opposed to that. I see it a lot more these days. So I read them, and I’m just curious how people phrase the latest trends and how they put a spin on why to use an MSP, and just hoping to get some feedback and some arguments that maybe we’re not familiar with. And again, most of it is really common-sense stuff. It doesn’t raise any eyebrows. It’s fairly plain; that doesn’t mean it’s bad. These are concepts that have been around for decades, and so they’re not really new to us and to people who have followed managed services for any appreciable amount of time.

I read it and check: yeah, proactive monitoring, yeah, that’s good. Regular maintenance, yeah, that’s really good. Immediate support, sure, no-brainers. Reduced downtime. And it gets down to the security and compliance section, and I’m thinking, okay, well, maybe there’ll be something interesting here. And I’m reading, and it’s talking about the MSP being able to do vulnerability assessments and how to deliver regular security updates; that’s probably patch management or antivirus definitions and all those things. And I think, okay, that’s really good.

And then it says something that’s, in my opinion, just way out there, and maybe they didn’t mean to say it in this way. Maybe they didn’t understand what this phrasing actually means or what its impact is. But again, it’s one of those statements that you can’t leave alone. It has to be addressed; it has to be corrected. That’s what we’re going to do.

So after saying all that about vulnerability scanning, vulnerability assessments, security patches, all legitimate things that MSPs do all the time, the next sentence goes like this: “The MSP can also guarantee that the company’s IT system complies with applicable laws and standards such as HIPAA and GDPR.”

And I think I’m unaware of any MSP on the planet who has any type of language in their service level agreements, in their master service agreements, in their service attachments, on their website, or in their internal policies. Nowhere written down, or uttered by any member of an MSP team, have I ever seen or heard someone talking about guaranteed compliance as an outcome of using an MSP.

Now, some of you may be saying, “Hey Charlie, why do you have to get in the middle of this? And why do you have to kind of make it sound like MSPs aren’t doing a good job?” That’s not what I’m saying. That’s not what I’m saying at all. I’m saying quite the opposite. I’m saying MSPs do tremendous work when it comes to the issue of compliance and have been for many, many years. I’m saying that; I just said it. What I’m not saying is that MSPs should or do in fact guarantee compliance outcomes, which this article does. And granted, it’s on an Australian website, so why they’re talking about HIPAA and GDPR is kind of a weird thing. Maybe they copied the content from someplace else. Anyway, it’s a little bit odd.

But the point is that any reader, any customer reading this, or if I was a startup MSP who just began my practice (there’s a lot of you out there listening to this podcast or reading our material), you want to know, “Should we be guaranteeing compliance with applicable laws and standards?” No. The answer is emphatically no. It should be nowhere found in any of your agreements, which is arguably the most important place that you would talk about compliance and talk about security and deliverables. It shouldn’t be in your marketing literature. It shouldn’t be something that your sales or marketing teams are saying or thinking; it shouldn’t even enter their minds to talk about guaranteeing compliance, because it’s just impossible.

“Why is it impossible?” you may be asking. It’s impossible because the MSP, even the MSP that is the entire IT department for a company, still does not have complete control, nor can they be delegated control. Power can’t be delegated to the MSP so that the MSP is completely in control of compliance-related decisions for that company. They’re always going to be outsourced. The MSP is always going to be a party, a strategic party, a trusted advisor, but an external party nonetheless.

And getting into the situation of guaranteeing outcomes: if a customer says something like, “Could you help us become HIPAA compliant? Can you help us become GDPR compliant?” an MSP ought to say comfortably, if they can do this, “Sure we can.” And if the customer ever said something as a follow-up like, “Could you guarantee that?” I would hope most MSPs would say, “Well, no, I can’t guarantee that, because you ultimately are the one responsible for any compliance of your company with a given framework.”

Now, what we can do is our part. We can say, okay, if GDPR or HIPAA, for example, are the two implicated frameworks, then the MSP, if they’re knowledgeable about those frameworks, ought to be able to pull up their controls, the customer controls that they, the MSP, influence, and be able to document exactly what they do and what they don’t do. And if you have things like an MSP Verify report or a SOC 2 report, you would be able to do exactly that and be able to tell a customer: this is where we start and where we end, and where you, the customer, need to act on your own, make decisions, and take responsibility for your company’s own compliance.

Because there’s actually quite a bit of policy work. We’ll talk about that in the last segment. There are a lot of decisions that only the customer can make, that the MSP can advise on, can encourage, can really plead with the customer: “Hey, I think you ought to be doing something, backing up data, turning on the MFA, things like that.” But if the customer says, “I don’t want to, but I’d still like you to guarantee my compliance with any given framework,” you could see where that becomes a really sticky situation.

Hence why nobody, nobody, and particularly, I would hope, any of your legal representatives who are reviewing your contracts and things like that, should be coming even close to offering or stating compliance guarantees. They’re impractical, they’re impossible, and they’re misleading. And I don’t know of any MSP that, again, says those types of things. And it would be a bad thing for any reader to come across this article and to say, “Oh, I should expect compliance guarantees from my MSP because this article says that this is one of the benefits of using an MSP.”

We’ve talked a lot over the years about this idea of the customer offloading risk to the MSP, and this is a great example of that. This is a great example of a mistake. This is not a practice. This is not a best practice; this is not even a practice in the managed services community, nor should it ever be. And this ought to be corrected. There’s no name of the author in this. And if there was, someone should write them and say, “Hey, look, you ought to correct this article because it just doesn’t convey what is reality in the MSP global channel.”

So again, a lot of the stuff we talked about, folks, you may be saying, “Jeez, this is stuff we already know.” If it’s stuff that you already know, number one, I’m really glad, I’m happy. But if you don’t know about it, now you do. And whether you did or didn’t know about it before, now you know what is being talked about and written about your profession and what is being communicated to your potential customers, or maybe your existing customers. And that’s why we bring these types of things up. We don’t bring them up to call negative attention to the MSP sector, because again, I don’t think this is something that I see a lot of MSPs doing. I haven’t seen any MSPs offer these types of guarantees. But you should be aware of it. You should be having these types of conversations, because they are very much tied at the hip, these conversations, with the concept and the topic of risk: risk apportionment, risk sharing between MSP and customer and vendor. We’ve been through that so many times. I’m just telling you this is a good practical example of that. Be aware of it. Go check out the article. If someone could find out who wrote it, maybe tell them, “Hey, you should probably clean up that last section.”

Okay, moving on.

Converting reactive to proactive customers.

Very popular topic 20 years ago. I think it still is today, because there are still too many reactive customers being served by legitimate MSPs. And in my opinion, that is a symptom not of bad MSPing, but a symptom of too many customers just not taking their responsibility for internal risk, internal compliance, and internal security, IT security, seriously. That’s a bold statement, some of you may say, but I stand by it.

Now, there are many reasons, right? Going back 20-plus years, there are many strategies about how to convert them, why to convert them. And most of the early-on strategies were all about, hey, it’s a lot easier. Turn the maintenance and the grunt work over to the MSP. Let us do it so you can focus on what’s core to you. I think we’ve done that to death, and people know about that.

Today we’re in a very different cycle of rationale and motive for why you would want to employ an MSP, in my opinion in the MSP’s favor: a lot more serious types of topics. I’m going to give you one good example that’s relevant right now, that I think is something that any company that you represent as an MSP can understand. Whether they’re for-profit or not-for-profit, doesn’t matter. This should work. And that’s related to the economy and finances, and making a fiscal, monetary decision to employ a managed services provider in a true managed services fashion, not just, “Hey, I work with an MSP, but I only use them for break-fix work.” That’s not really taking the benefit of managed services.

But here’s one of the chief reasons this year. I think this could be a very compelling rationale and time frame to make that conversion and have that kind of strategy discussion with these types of reactive customers. Just this week, we saw some new data (this is US economic data): inflation seems to be softening a little bit in certain segments. In others, it’s still quite high. It’s too high across the board, but it seems to be softening in certain segments of the market, which is good. Unemployment claims in the US, again, are up, which is not good. And so all of these things, not to get too much into the economics of it, basically indicate a soft landing. If you’ve heard about the soft versus hard landing of a recessionary cycle or a deflationary cycle, that’s what we’re talking about. They’re talking about how we had a hot market before and it led to hyperinflation; it led to very cheap money, which we had before because they were printing it all over the place. And now we’re easing back on the stick, and the money supply is shrinking up, and unemployment is going up, and inflation is coming back down. Those are the things that the US Fed is trying to do. But it’s going to involve a little bit of pain, a little bit of rug burn. If you know that, if you’re prepared for that...

And just this week, some economists have been saying, “I think we’re looking at a recession in Q4, the fourth quarter of 2023.” Again, I’m not saying they’re right or wrong. I’m just saying that’s what is being reported and hypothesized by some economists out there. If you reasonably believe that that’s a possibility, why wouldn’t you have a conversation today with your customers, particularly those who are in a reactive relationship with you? This definitely applies to proactive managed services customers as well, but for the reactive ones, have a conversation today about what you think is happening in the economy. Maybe see if they have opinions on the recession. If they think that a recession in the fourth quarter of this year is likely, start by talking these things through with them. And then start to have the conversation about what that is going to do to your IT. Your IT availability. What’s it going to do to your security? What’s it going to do to your ability to fend off a cyber-attack?

Remember, the bad people do not discriminate between good economic and bad economic times. They will strike whenever it is opportune for them. So don’t hinge your thoughts on, “Hey, well, it’s a recession. I’m not going to get hit by a cyberattack because it’s a recession.” That’s not true at all.

Have those conversations. Talk to your customers and say, “Look, the way we interact now, MSP to customer, is not in a managed services fashion. And if we go into a recession, I can’t guarantee that I’m going to have bandwidth to be able to spend on a customer like you, because there’s no predictability. We don’t have that relationship. You call me when you have a problem and I bill you for the work that I do.” I’m just role-playing here; this is what I might say to a reactive customer. “But I have a lot of other customers who are managed services customers of ours, and whether they are going through difficult economic times or not, they have a couple of things which I think you would greatly value. They have predictability; they know what their IT management costs are going to be. They can predict it; they can budget for it.” And that is a real relief for a lot of business owners and financial directors and managers if they want to predict what is going to happen through some potentially turbulent economic times.

Number two, they can also predict, or have a fair degree of certainty about, what type of IT performance they’re going to get from that budgeted amount. Right? Remember, this is not just about the financial economics. It’s also about the outcome of less bumpy (again, we’re not talking about guarantees here) IT performance. Not no zigzags up and down on spending, but certainly less zigzag up and down, less erratic behavior in terms of performance and availability of these IT assets. I know a lot of MSPs who have this really dialed in. If hardware fails, they’ve got replacement hardware ready to go, depending on how available that asset needs to be for that customer.

And so you can have these conversations, and there are many others, right? It’s not just economic or IT performance. I think cyber, I think security, I think data privacy risk in general is an incredibly powerful selling point today. And if that didn’t do it, you could always fall back to: look, there’s going to be a time, maybe in the near future, maybe not this year, maybe not next year, maybe it will be, where you say to a reactive customer, “I’m not going to be able to service you because I’m going to be busy taking care of all my managed services customers. And I would like you to be in that group, because I think, honestly, you’re going to be safer and you’re going to like it. You’re going to be better prepared for what is coming, and you’re going to be better able to predict your budget and allocate your resources accordingly. But if you don’t want to do that, that’s fine. But we at some point are going to have a parting of ways.”

Now, you all have very different relationships and different types of communication with your customers, depending on the customer. I appreciate that. But a potential pending recession in the fourth quarter of this year gives you plenty of opportunity to start having conversations where you could really do yourself, as an MSP practitioner, and your customers, particularly those reactive customers, a lot of favor and a lot of good by having these conversations now. And help them prepare. Help them get onto a managed services plan. Help them streamline and normalize their IT budget, streamline their IT performance and availability, and help improve security across the board. Hopefully, you’re doing that as well. And it’s just a good conversation, and it should be a no-brainer conclusion and decision.

Now, it’s not going to be for everybody, and maybe having these conversations is good for one thing only, which is you figure out who those people are in your customer base who really don’t care about IT, IT performance, IT availability, and maybe, just maybe, the reason why they don’t care about it is because they think all the risk is on your shoulders. Wouldn’t be the first time we heard that argument, would it? Give it a try. I think you might be surprised at how easily it can work.

Lastly, at the Inspire, the MSPAlliance Inspire meeting, we had a rather spirited conversation, a debate. It’s not a debate; it was a good conversation amongst the MSPs, who were talking about Compliance as a Service, and they were talking specifically about the issue of customer policies and whether MSPs ought to or ought not to get involved in consulting around customer policies. And it got me thinking, and I wanted to express some of the opinions that were shared and offer some of my own opinions so you can hopefully make a well-informed decision on your own.

Number one. And I think this is true with certainly the Inspire group, but it’s also true with most of the MSPs that I talk to who are of a medium-level maturity or higher, which is to say MSPs influence customer compliance all the time. And they have for many years, for decades now. You may not have had a Compliance as a Service offering, but most MSPs, if you really probe and they are really honest and open about it, would admit that they have a very big impact on the compliance of their customers. It could manifest itself in a lot of different ways. MSPs in the banking sector who have to respond to bank customer examinations from the FFIEC would be a great example of that type of direct compliance impact or relationship. It’s more indirect, but the point is that it’s very much there; that connection exists. Without the MSP, that bank can’t progress and meet its compliance obligations to the federal government, and that’s why the MSPs frequently get involved in talking directly to the bank examiners and answering questions related to firewalls and IT security and data handling and things like that. It’s a great example; it’s been happening for many, many years. I think it proves my point. MSPs and compliance: it’s long existed in our sector.

The trend happening now is whether MSPs ought to go a step further and deliver a service offering, I’ll call it Compliance as a Service, to customers who have, let’s say, more pressing, more involved needs around compliance than they may have had previously. What does that look like? Well, certainly helping your bank customer go through a banking examination and audit from the federal examiners would be a really good thing. But let’s take the example, we’ve talked about this in the past, of filling out customer cyber insurance questionnaires. We’ve talked about that a lot. I think you guys may remember. I know a few MSPs who actually charge money, because the customer says, “Hey, I’ve got this 15-page questionnaire from my cyber insurance guy and he wants me to fill it out. I have no idea what this stuff means. Can you do it?” Some of you say, “Yeah, I’ll do it,” and you spend all weekend filling out a 15-page questionnaire. That doesn’t really make a lot of sense, but you’re the only one that can answer it, because it’s a bunch of tech questions, and you do it for free and you just consider it part of your managed services relationship. It’s goodwill to the customer. All right, I get that. Others say, “Sure, I can fill out that 15-page form for you! Here’s the fee we’ll charge. Based off of our professional services arrangement, it’ll cost this much per hour. We estimate that it’ll probably take us about three to four hours to gather all the information, because it is 15 pages, it’s quite lengthy, and we can do all the stuff for you. Absolutely.” And a lot of customers are willing to pay that because they have no idea, and it’s a legitimate, valuable service.

Now, in point of fact, and the argument for developing a compliance offering to your customers, again using as an example that cyber insurance questionnaire: if the customer had an internal compliance manager or director capable of doing this, that’s what they would be doing, among other things. But a lot of small and medium-sized businesses don’t; even large organizations don’t have a compliance person, much less a team. And so they don’t have these types of resources to be able to say, “Hey, go get Frank over in compliance and make him complete that 15-page questionnaire we just got.” They don’t have someone who could do that. So they turn to the next best thing, which is their trusted advisor, their MSP. I think you ought to charge for it. If you’re good at it, you ought to charge for it. And especially if you have the ability to understand how you interact with and influence your customers’ compliance. Again, stuff we’ve talked about and stuff that I’m trying to bring up over and over again to try to get you guys to start thinking about this, because it’s the wave of the future.

But stopping at the example of filling out a customer cyber insurance questionnaire form, and going beyond that to, let’s say, the hypothetical: I’m a customer and I go to my MSP and I say, “Hey MSP, could you help me, oh, I don’t know, write an information security policy?” That’s a little bit different than answering an insurance form, right? You could see why. And that’s why the Inspire members in Boston last week had such a spirited conversation about this, because some of them were saying, “Well, this is really not good, right? I mean, for risk’s sake alone, we don’t want to be responsible for writing a customer’s information security policy.” And then another MSP said, “Well, that’s very true, but what about just advising them on what it might look like? Or going to the SANS Institute and getting one of their information security templates and giving it to the customer and saying, ‘Here you go, fill it out, and then we’ll tell you what we think about it’?” Somewhere in there (and I admit that’s a very big chasm, a very big kind of latitude that you could take), somewhere in there is a sweet spot of something that would make you comfortable from a risk standpoint but that would be very valuable to your customer.

Now, I get not wanting to take complete ownership of developing a customer’s information security policy, for the reasons that I’ve said on the record many, many times. There are certain things that can’t be delegated to an MSP, and in my opinion, developing and writing an entire information security policy, or another similar policy, is one of them: eventually the customer has to own it. Even if the MSP wrote it word for word and handed the customer that infosec policy, “Here you go,” the customer at some point has to read it, accept it, and take ownership and responsibility for that information security policy becoming practice and policy within their organization. That can’t be pushed off on the MSP.

Now, the MSP can help the customer comply with that, or meet what is in that information security policy. And a great example might be if your infosec policy talks about, let’s say, backing up data, and the MSP is actually offering backup as a service; you could understand why it would be really natural for the MSP to say, “Look, we back up your data, so we think that you ought to have backup as a service, backup, in your information security policy. And we can help you talk about exactly what we do for you to document that.” That’s very natural, very synergistic. Hopefully that makes sense.

But again, you have to be comfortable. You have to have a certain amount of knowledge about where your authority starts and where it ends. Go back to the first comment: MSPs influence customer compliance all the time today and for many, many decades past. You just may not be aware of it. And so whether you’re going to get involved in compliance policies for your customers or not, or at what level, it’s something that you may want to start to think about. And I’m not trying to force one way or the other on you. What I am trying to say is all MSPs should have a very good understanding of the compliance situation within their customers’ environment, at least to the extent that the MSP influences that particular area.

Again, my example was backup as a service. If the MSP does that and that alone, then the MSP is eminently qualified to talk about the role of backup in that organization and to help document controls. It might be frequency: how often is the data backed up? Where is it backed up? Is it encrypted? Is it encrypted at rest? Or is it encrypted in transit? Is it replicated? Is it air-gapped? Is the restoration tested periodically to see that the backup sets are really good? All those things factor into that one little element called backup. But it can go on and on. It can go into many, many other areas. And I’ve just talked about the information security policy. There are many other types of policies that might be relevant, might be impactful to a customer, that involve an MSP.

Now, again, if you don’t want to cross that line and get too close to the customer because maybe they’re a little bit reckless, maybe I get that type of thing. Especially if maybe they’re on the more reactive side. Compliance for a reactive customer would probably be really dangerous. And maybe that’s what some of the folks at Inspire in Boston were talking about. Maybe you shouldn’t be involved in Compliance as a Service at all with any reactive customer, because how would you in any way seriously be able to play a positive role when you’re just being a reactive agent waiting for that next disaster to happen from the customer?

So at the very least, I think MSPs ought to be familiar with the controls, familiar with the frameworks that are impacting their MSP customer, and generally be aware of the types of policies that you might want to have within that type of organization, and be at least willing to have a conversation with the customer. Even if you’re not advising them, you should at least be aware of it. Being aware of it will help you in one critical area: at least you have something to say in the conversation, and you can participate in the conversation, compared to saying, “Gee, I have no idea what you ought to write in there.” The next call from your customer is to someone else who will.

Food for thought. Thanks for listening. If you enjoyed today’s episode, please give us a like. Make sure you are subscribed to the podcast so you will get notified when future episodes are released. We will see you next time in the MSP Zone.

Tags: compliance, proactive IT management, reactive IT
