Ep 253: Can MSPs Guarantee Compliance; Converting Reactive Clients to Proactive; Should MSPs Get Involved with Customer Policies


Can MSPs “Guarantee” Compliance?
It’s no secret that many MSPs are helping clients deal with compliance issues, whether that means gathering evidence for a client audit or simply offering traditional managed services to demonstrate compliance with a given framework.
However, when it comes to guarantees, compliance may not be an area where you should make any. Here’s why.
- Compliance within the MSP’s control
- Customer interference
- Making guarantees in the first place
Converting Reactive Clients to Proactive
As some economists are predicting a 2023 Q4 recession, making sure your MSP ship is in excellent condition for potentially rough seas is a good thing. What could you be doing to better prepare your MSP practice for difficult times? Converting as many reactive customers as possible to managed services would likely be a great starting point. Here’s some advice on how to do just that!
- First, why conversion to proactive is necessary
- Migration strategies
- Compliance
- Security/privacy
- It’s the only choice!
- Get creative
- Offer incentives
- Sunset your reactive practice
Should MSPs Get Involved with Customer Policies?
This topic was discussed at the last MSPAlliance Inspire meeting, and the debate was interesting. What was unanimously agreed upon was that there is a role for the MSP to play in their customers’ compliance. What was in dispute was whether working on client policies was something an MSP ought to do.
- MSPs influence customer compliance all the time
- MSPs’ compliance roles
- Compliance can involve controls, policies, or both
Ep 253 Transcript
Can MSPs guarantee compliance?
How to convert reactive to proactive customers?
And should MSPs get involved with customer policies?
Coming up next. You are entering the MSP Zone,
a podcast for the managed services community covering news,
analysis, and interviews from around the globe.
Elevate your MSP game by staying in the MSP Zone.
And now your host, Charles Weaver.
What’s up, folks?
Jam-packed episode this week.
Going to talk about this kind
of issue of compliance guarantees.
Interesting article we saw, we’ll be reading about
that and discussing that and something kind
of quasi touching on the economy.
But it’s a good bit of advice, I think,
on how to convert or how to approach having
a conversation to convert those kind of reactive customers
that a lot of MSPs have and turn them
into proactive managed services customers.
And then finally we’re going to talk about the
issue of compliance policies or customer organizational policies and
should MSPs kind of get involved in that?
If you’re thinking about a compliance as
a service offering, maybe you’re already doing
it not under a CaaS offering, but
you’re just doing it as professional services.
A lot of MSPs have kind of mixed opinions on
whether or not they should delve into the issue of
dealing with a customer and their policies or whether they
should deal with other things like their controls.
And we’ll break down both and give you
some tips on how to approach that.
So, diving right in, the first
topic today – Can MSPs guarantee compliance?
Again, minding my own business, an email
comes in and lo and behold, the
quote is “Benefits of a managed IT
service for proactive, monitoring, maintenance, and support.”
So I figure, all right, I’ve seen a
million of these things over the years.
It’s a generic kind of a puff piece
on why you should use an MSP.
I’m not opposed to that.
I see it a lot more these days.
So I read them and I’m just curious, how do
people phrase the latest trends and how do they put
a spin on why to use an MSP?
And just hoping to get some feedback and
some arguments that maybe we’re not familiar with.
And again, most of it is
like really common sense stuff.
It doesn’t raise any eyebrows.
It’s fairly plain, it doesn’t mean it’s bad.
These are concepts that have been around for
decades and so they’re not really new to
us and to people who follow managed services
for any appreciable amount of time.
I read it and check, yeah,
proactive monitoring, yeah, that’s good.
Regular maintenance, yeah, that’s really good.
Immediate support, sure, no-brainers.
Reduced downtime.
And it gets down to
the security and compliance section.
And I’m thinking, okay, well, maybe
there’ll be something interesting here.
And I’m reading and it’s talking about the MSP
being able to do vulnerability assessments and how to
deliver regular security updates that’s probably patch management or
antivirus definitions and all those things.
And I think, okay, that’s really good.
And then it says something that’s in my
opinion, just way out there and maybe they
didn’t mean to say it in this way.
Maybe they didn’t understand what this phrasing
actually means or what its impact is.
But again, it’s one of those statements
that you can’t leave it alone.
It has to be addressed, it has to be corrected.
That’s what we’re going to do.
So after saying all that about vulnerability scanning,
vulnerability assessments, security patches, all legitimate things that
MSPs do all the time, the next sentence
goes like this: “The MSP can also guarantee
that the company’s IT system complies with applicable
laws and standards such as HIPAA and GDPR.”
And I think I’m unaware of any MSP
on the planet who has any type of
language in their service level agreements, in their
master service agreements, in their service attachments, on
their website, on their internal policies.
Nowhere written down or uttered by any member of an
MSP team have I ever seen or heard someone talking
about guaranteed compliance as an outcome of using an MSP.
Now, some of you may be saying, “Hey Charlie, why
do you have to get in the middle of this?
And why do you have to kind of make
it sound like MSPs aren’t doing a good job?”
That’s not what I’m saying.
That’s not what I’m saying at all.
I’m saying quite the opposite.
I’m saying MSPs do tremendous work when
it comes to the issue of compliance
and have been for many, many years.
I’m saying that I just said it.
What I’m not saying is that MSPs should or
do in fact guarantee compliance outcomes, which this article
– and granted, it’s written in an Australian –
it’s on an Australian website, but why they’re talking about HIPAA
and GDPR is kind of a weird thing.
So, maybe they copied the content from someplace else.
Anyway, it’s a little bit odd.
But the point is that any reader, any customer
reading this or if I was a startup MSP,
I just began my practice, there’s a lot of
you out there listening to this podcast or reading
our material and you want to know, “Should we
be guaranteeing compliance with applicable laws and standards?”
No.
The answer is emphatically no.
It should be nowhere found in any of
your agreements, which is arguably the most important
place that you would talk about compliance and
talk about security and deliverables.
It shouldn’t be in your marketing literature.
It shouldn’t be something that your sales
or marketing teams are saying, thinking, it
shouldn’t even enter their minds to talk
about guaranteeing compliance because it’s just impossible.
“Why is it impossible?” you may be asking.
It’s impossible because the MSP, even the MSP, that is
the entire IT department for a company, still does not
have complete control, nor can they be delegated control.
Power can’t be delegated to the MSP
so that the MSP is completely in control
of compliance related decisions for that company.
They’re always going to be outsourced.
The MSP is always going to be
a party, a strategic party, a trusted
advisor, but an external party nonetheless.
And getting into the situation of guaranteeing outcomes,
guaranteeing to a customer that says something like,
“Could you help us become HIPAA compliant?
Can you help us become GDPR compliant?”
An MSP ought to say comfortably, if
they can do this, sure we can.
And if the customer ever said something as
a follow up like, “Could you guarantee that?”
I would hope most MSPs would say, “Well
no, I can’t guarantee that because you ultimately
are the one responsible for any compliance of
your company with a given framework.”
Now, what we can do is our part.
We can say, okay, if GDPR or HIPAA, for example,
are the two implicated frameworks, then the MSP, if they’re
knowledgeable about those frameworks, ought to be able to pull
up their controls, the customer controls that they influence, they
the MSP, and be able to document what exactly they
do and what they don’t do.
And if you have things like an MSP Verify report or
a SOC 2 report, you would be able to do exactly
that and be able to tell a customer, this is where
we start and where we end, and where you, the customer,
need to act on your own and make decisions and take
responsibility for your company’s own compliance.
Because there’s actually quite a bit of policy work.
We’ll talk about that in the last segment.
There’s a lot of decisions that the customer can
only make that the MSP can advise, can encourage,
can really plead with the customer, “Hey, I think
you ought to be doing something, backing up data,
turning on the MFA, things like that.”
But if the customer says, “I don’t want
to, but I’d still like you to guarantee
my compliance to any given framework.” – You could
see where that becomes a really sticky situation.
Hence why nobody, nobody – particularly, I would hope any
of your legal representatives who are reviewing your contracts
and things like that should be coming even close
to offering or stating compliance guarantees.
They’re impractical, they’re impossible,
and they’re misleading.
And I don’t know of any MSP
that, again, says those types of things.
And it would be a bad thing for any reader to
come across this article and to say, “Oh, I should expect
compliance guarantees from my MSP because this article says that this
is one of the benefits of using an MSP.”
We’ve talked a lot over the years about this
idea of the customer offloading risk to the MSP,
and this is a great example of that.
This is a great example of a mistake.
This is not a practice.
This is not a best practice, but this
is not even a practice in the managed
services community, nor should it ever be.
And this ought to be corrected.
There’s no name of the author in this.
And if there was someone should write them
and say, “Hey, look, you ought to correct
this article because it just doesn’t convey what
is reality in the MSP global channel.”
So again, a lot of the stuff we,
we talked about, folks. You may be saying,
“Jeez, this is stuff we already know.”
If it’s stuff that you already know,
number one, I’m really glad, I’m happy.
But if you don’t know about it, now you do.
And whether you did or didn’t know about it before,
now you know what is being talked about and written
about your profession and what is being communicated to your
potential customers or maybe your existing customers.
And that’s why we bring these types of things up.
We don’t bring them up to call
negative attention to the MSP sector.
Because again, I don’t think this is something
that I see a lot of MSPs doing.
I haven’t seen any MSPs
offer these types of guarantees.
But you should be aware of it.
You should be having these types of conversations
because they are very much – they’re tied at
the hip, these conversations with the concept and
the topic of risk, risk apportionment, risk sharing
between MSP and customer and vendor.
We’ve been through that so many times.
I’m just telling you this is
a good practical example of that.
Be aware of it.
Go check out the article.
If someone could find out who wrote it, maybe tell
them, “Hey, you should probably clean up that last section.”
Okay, moving on.
Converting reactive to proactive customers.
Very popular topic 20 years ago.
I think it still is today because there’s still
too many reactive customers being served by legitimate MSPs.
And in my opinion, that is a symptom not
of bad MSP’ing, but that’s a symptom of too
many customers just not taking their responsibility of internal
risk, internal compliance, and internal security,
IT security, seriously.
That’s a bold statement, some of you
may say, but I stand by it.
Now, there are many reasons, right, going back
20 plus years, there are many strategies about
how to convert them, why to convert them.
And most of the early on strategies were
all about, hey, it’s a lot easier.
Turn the maintenance and the grunt
work over to the MSP.
Let us do it so you can focus on what’s core to you.
I think we’ve done that to
death and people know about that. Today,
we’re in a very different cycle of rationale and
motive for why you would want to employ an
MSP, in my opinion, in the MSP’s favor, a
lot more serious types of topics.
I’m going to give you one good example that’s relevant
right now that I think is something that any company
that you represent as an MSP can understand.
Whether they’re for profit, not
for profit, doesn’t matter.
This should work.
And that’s related to the economy and finances and
making a fiscal monetary decision to employ a managed
services provider in a true managed services fashion, not
just, “Hey, I work with an MSP, but I
only use them for break-fix work.”
That’s not really taking the
benefit of managed services.
But here’s one of the chief reasons this year.
I think this could be a very compelling
rationale and a time frame to make that
conversion and have that kind of strategy discussion
with these types of reactive customers.
Just this week, we saw some new – this is US economic data –
Inflation seems to be softening a
little bit in certain segments.
In others, it’s still quite high.
It’s too high across the board, but it seems to be
softening in certain segments of the market, which is good.
Unemployment claims in the US again, are up, which is not good.
And so, all of these things, not to get too much
into the economics of it, but basically indicates a soft landing.
If you heard about the soft versus hard
landing of a recessionary cycle or a deflationary
cycle, that’s what we’re talking about.
They’re talking about how if we had a hot
market before and it led to hyperinflation, it led
to very cheap money, which we had before because
they were printing it all over the place.
And now we’re easing back on the stick and
the money supply is shrinking up and unemployment is
going up and inflation is coming back down.
Those are the things that the US Fed are trying to do.
But it’s going to involve a little bit
of pain, a little bit of rugburn.
If you know that, if you’re prepared for that…
And just this week, some economists have been
saying, I think we’re looking at a recession
in Q4, fourth quarter of 2023.
Again, I’m not saying they’re right or wrong.
I’m just saying that’s what is being reported
and hypothesized by some economists out there.
If you reasonably believe that that’s a
possibility, why wouldn’t you have a conversation
today with your customers, particularly those who
are in a reactive relationship with you?
But this definitely applies to proactive managed services
customers as well, but for the reactive ones,
have a conversation today about what you think
is happening in the economy.
Maybe see if they have opinions on the recession.
If they think that a recession in the
fourth quarter of this year is likely, start
by talking these things through with them.
And then start to have the conversation about what
is that going to do to your IT?
Your IT availability.
What’s it going to do to your security, what’s it going
to do to your ability to fend off a cyber-attack?
Remember, the bad people do not discriminate
against good economic or bad economic times.
They will strike whenever it is opportune for them.
So don’t hinge your thoughts on,
hey, well, it’s a recession.
I’m not going to get hit because
it’s a recession by a cyberattack.
That’s not true at all.
Have those conversations.
Talk to your customers and say, look, the
way we interact now MSP to customer is
not in a managed services fashion.
And if we go into a recession, I can’t guarantee
that I’m going to have bandwidth to be able to
spend on a customer like you because there’s no predictability.
We don’t have that relationship.
You call me when you have a problem and
I bill you for the work that I do.
I’m just role playing here.
This is what I might say to a reactive customer,
but I have a lot of other customers who are
managed services customers of ours and whether they are going
through difficult economic times or not, they have a couple
of things which I think you would greatly value.
They have predictability, they know what their
IT management costs are going to be.
They can predict it, they can budget for it.
And that is a real relief for a lot
of business owners and financial directors and managers if
they want to predict what is going to happen
through some potentially turbulent economic times.
Number two, they can also predict or have a
fair degree of certainty about what type of IT
performance they’re going to get from that budgeted amount.
Right?
Remember, this is not just
about the financial economics.
It’s also about the outcome of less bumpy,
again, we’re not talking about guarantees here,
we’re talking about less bumpy IT performance.
No zigzags up and down – on spending – but certainly
less zigzag up and down, erratic behavior in terms
of performance and availability of these IT assets.
I know a lot of MSPs who have this really dialed in.
If hardware fails, they’ve got replacement hardware ready
to go depending on how available that asset
needs to be for that customer.
And so you can have these
conversations and there’s many others, right?
It’s not just economic or IT performance.
I think cyber, I think security, I think
data privacy risk in general is an incredibly
powerful seller and selling point today.
And if that didn’t do it, you could always rely
back to – look, there’s going to be a time
maybe in the near future, maybe not
this year, maybe not next year.
Maybe it will.
Where you say to a reactive customer, “I’m not going
to be able to service you because I’m going to
be busy taking care of all my managed services customers.
And I would like you to be in that
group because I think, honestly, you’re going to be
safer and you’re going to like it.
You’re going to be better prepared for what is
coming and you’re going to be better able to
predict your budget and allocate your resources accordingly.
But if you don’t want to do that, that’s fine.
But we at some point are going
to have a parting of ways.”
Now, you all have very different relationships
and different types of communication with your
customers depending on the customer.
I appreciate that.
But a potential pending recession in fourth quarter of
this year gives you plenty of opportunity to start
having conversations where you could really do yourself as
an MSP practitioner and your customer, particularly those reactive
customers, do them a lot of favor and a
lot of good by having these conversations now.
And help them prepare.
Help them get onto a managed services plan.
Help them streamline and normalize their IT budget,
streamline their IT performance and availability,
help improve security across the board.
Hopefully, you’re doing that as well.
And it’s just a good conversation and it should
be a no brainer conclusion and decision.
Now, it’s not going to be for everybody and maybe having
these conversations is good for one thing only, which is
you figure out who those people are in your customer
base who really don’t care about IT,
IT performance, IT availability and maybe, just maybe, the
reason why they don’t care about it is because
they think all the risk is on your shoulders.
Wouldn’t be the first time we
heard that argument, would we?
Give it a try.
I think you might be surprised at how easy it can work.
Lastly, at the Inspire – the MSP Alliance Inspire Meeting,
we had a rather spirited conversation – debate.
It’s not a debate, it was a good
conversation amongst the MSPs who were talking about
Compliance as a Service and they were talking
specifically about the issue of customer policies and
whether MSPs ought to or ought not to
get involved in consulting around customer policies.
And it got me thinking and I wanted to
express some of the opinions that were shared and
offer some of my own opinions so you can
make hopefully a well informed decision on your own.
Number one.
And I think this is true with certainly the
Inspire group, but it’s also true with most of
the MSPs that I talk to who are of
a medium-level maturity or higher, which is to
say MSPs influence customer compliance all the time.
And they have for many years, for decades now, you may
not have had a Compliance as a Service offering, but most
MSPs, if you really probe and they are really honest and
open about it, they would admit that they have a very
big impact on the compliance of their customers.
It could manifest itself in a lot of different ways.
MSPs in the banking sector who have to
respond to bank customer examinations from the FFIEC
would be a great example of that type
of direct compliance impact or relationship.
It’s more indirect but the point is that
it’s very much there, that connection exists.
Without the MSP that bank can’t progress and
meet its compliance obligations to the federal government
and that’s why the MSPs frequently get involved
in talking directly to the bank examiners and
answering questions related to firewalls and IT security
and data handling and things like that.
It’s a great example, been
happening for many, many years.
I think it proves my point.
MSPs and compliance, it’s long existed in our sector.
The trend happening now is whether MSPs ought to
go a step further and deliver a service offering.
I’ll call that Compliance as a Service to customers
who have, let’s say, more pressing, more involved needs
around compliance than they may have had previously.
What does that look like?
Well, certainly helping your bank customer go through
a banking examination and audit from the federal
examiners would be a really good thing.
But let’s take the example of we’ve
talked about this in the past, filling
out customer cyber insurance questionnaires.
We’ve talked about that a lot.
I think you guys may remember. I know a few
MSPs who actually charge money because the customer says,
“Hey, I’ve got this 15-page questionnaire from my cyber insurance
guy and he wants me to fill it out.
I have no idea what this stuff means.
Can you do it?”
Some of you say, yeah, I’ll do it.
And you spend all weekend filling
out a 15-page questionnaire.
That doesn’t really make a lot of sense, but you’re the
only one that can answer it because it’s a bunch of
tech questions and you do it for free and you just
consider it part of your managed services relationship.
It’s goodwill to the customer.
All right, I get that.
Others say, “Sure, I can fill out
that 15-page form for you!
Here’s the fee we’ll charge.
Based off of our professional services arrangement,
it’ll cost this much per hour.
We estimate that it’ll probably take us about three
to 4 hours to gather all the information because
it is 15 pages, it’s quite lengthy and we
can do all the stuff for you. Absolutely.”
And a lot of customers are willing
to pay that because they have no
idea and it’s a legitimate valuable service.
Now, in point of fact, and the argument
for developing a compliance offering to your customers,
again, using as an example that cyber insurance
questionnaire, if the customer had an internal compliance
manager or director capable of doing this, that’s
what they would be doing, among other things.
But a lot of small and medium sized
businesses, they don’t, even large organizations, they don’t
have a compliance person, much less a team.
And so they don’t have these types of resources to be
able to say, “Hey, go get Frank over in compliance and
make him complete that 15-page questionnaire we just got.”
They don’t have someone who could do that.
So, they turn to the next best thing,
which is their trusted advisor, their MSP.
I think you ought to charge for it.
If you’re good at it, you ought to charge for it.
And especially if you have the ability to understand
how you interact and influence your customers’ compliance.
Again, stuff we’ve talked about and stuff that I’m
trying to bring up over and over again to
try to get you guys to start thinking about
this because it’s the wave of the future.
But stopping at the example of filling
out a customer cyber insurance questionnaire form.
And going beyond that to, let’s say, the hypothetical, I’m
a customer and I go to my MSP and I
say, “Hey MSP, could you help me, oh, I don’t
know, write an information security policy?” That’s a little bit
different than answering an insurance form, right?
You could see why.
And that’s why the Inspire members in Boston
last week had such a spirited conversation about
this because some of them were saying, “Well,
this is really not good, right?
I mean, for risk’s sake alone, we
don’t want to be responsible for writing
a customer’s information security policy.”
And then another MSP said, “Well, that’s
very true, but what about just advising
them on what it might look like?
Or giving them – going to the SANS Institute and
getting one of those – their information security templates and
giving it to the customer and saying, ‘Here you
go, fill it out, and then we’ll tell you
what we think about it.’”
Somewhere in there, and I admit that’s a very big
chasm or a very big kind of latitude that you
could take somewhere in there is a sweet spot of
something that would make you comfortable from a risk standpoint,
but that would be very valuable to your customer.
Now, I get not wanting to take
complete ownership of developing a customer’s information
security policy for the reasons that I’ve
said on the record many, many times.
There are certain things that can’t be delegated
to an MSP, and in my opinion, developing
and writing an entire information security policy or
something similar, another similar policy, eventually the customer
has to own it.
The customer, even if the MSP wrote it
word for word, handed the customer
that infosec policy. “Here you go.”
The customer at some point has to read it,
accept it, and take ownership and responsibility for that
information security policy becoming practice and policy within their
organization. That can’t be pushed off on the MSP.
Now, the MSP can help the customer comply with that
or meet what happens in that information security policy.
And a great example might be if your Infosec policy
talks about, let’s say, backing up data and the MSP
is actually offering backup as a service, you could understand
why that would be really natural for the MSP to
say, “Look, we backup your data, so we think that
you ought to have backup as a service backup in
your information security policy.
And we can help you talk about exactly
what we do for you to document that.”
That’s very natural, very synergistic.
Hopefully that makes sense.
But again, you have to be comfortable.
You have to have a certain amount of knowledge
about where your authority starts and where it ends.
Go back to the first comment.
The MSPs influence customer compliance all the time
today and for many, many decades past.
You just may not be aware of it.
And so whether you’re going to get
involved in compliance policies for your customers
or not, or at what level,
it’s something that you may want
to start to think about.
And I’m not trying to force one
way or the other on you.
What I am trying to say is all MSPs
should have a very good understanding of the compliance
situation within their customers’ environment, at least to the
extent that the MSP influences that particular area.
Again, my example was backup as a service.
If the MSP does that and that alone, then the
MSP is eminently qualified to talk about the role of
backup in that organization and to help document controls.
It might be frequency.
How often is the data backed up?
Where is it backed up? Is it encrypted?
Is it encrypted at rest?
Or is it encrypted in transit?
Is it replicated?
Is it air gapped?
Is the restoration tested periodically to see
that the backup sets are really good?
All those things factor into that
one little element called backup.
But it can go on and on.
It can go into many, many other areas.
And I’ve just talked about
the information security policy.
There are many other types of policies
that might be relevant, might be impactful
to a customer that involve an MSP.
Now, again, if you don’t want to cross that line and
get too close to the customer because maybe they’re a little
bit reckless, maybe I get that type of thing.
Especially if maybe they’re on the more reactive side.
Compliance for a reactive customer
would probably be really dangerous.
And maybe that’s what some of the folks
at Inspire in Boston were talking about.
Maybe you shouldn’t be involved in Compliance as a
Service at all with any reactive customer, because how
would you, how would you in any way seriously
be able to play a positive role when you’re
just being a reactive agent waiting for that next
disaster to happen from the customer?
So at the very least, I think MSPs ought to
be familiar with the controls, familiar with the frameworks that
are impacting their MSP customer and generally be aware of
the types of policies that you might want to have
within that type of organization and be at least willing
to have a conversation with the customer.
Even if you’re not advising them, you
should at least be aware of it.
Being aware of it will help you in one critical area.
At least you have something to say in
the conversation and you can participate in the
conversation compared to saying, “Gee, I have no
idea what you ought to write in there.”
The next call from your customer
is to someone else who will.
Food for thought.
Thanks for listening.
If you enjoyed today’s episode, please give us a like.
Make sure you are subscribed to the podcast so
you will get notified when future episodes are released.
We will see you next time in the MSP Zone.