by Charles Weaver


Until today, there has been no significant motivation through public policy for organizations to adopt proactive IT management and cybersecurity practices. A new and simple public policy technique, however, may be capable of producing dramatic change across organizations of all sizes utilizing a concept we can classify as managed services immunity. 

Many cyber regulations and public policies have yet to produce meaningful change in reducing cyber-attacks or improving cyber defenses amongst public and private sector organizations. A quick look at the cyber insurance industry and its inconsistent approach to MSPs (Managed Service Providers) and end-user organizations should provide ample evidence of the work remaining to be done.  

MSPs have been, and remain today, agents of cyber risk reduction. For the past three decades, MSPs have provided invaluable services to their clients in a variety of ways, including IT (Information Technology) infrastructure, security, and data protection, all achieving technology and business outcomes.  

Since the beginning of managed services in the early 1990s, MSPs have made recommendations to their customers based on industry best practices. These recommendations, however, are not always followed. There are a variety of reasons why the recommendations of an MSP may not be implemented by the client: budget, complexity of use, and lack of perceived value may all be accurate reasons for the failure of a client to adopt industry best practices and effective cybersecurity measures.

Reactive to Proactive Cyber Management 

Public policy needs to promote proactive IT management and cybersecurity measures. The good news is the global community is already moving in this direction.  

Indeed, nearly all major global cybersecurity frameworks and legislation are promoting a model of IT management which can only be described as proactive in nature. Put differently, it is impossible to meet these global cyber frameworks without first proactively managing IT. A reactive IT management posture simply will not meet the current cyber frameworks we see today.  

NIST, CMMC, ISO 27001, Trust Services Criteria (SOC 2), Cyber Verify (Unified Certification Standard for Cloud & Managed Service Providers), GDPR, UK Cyber Essentials, data breach notification laws/rules, and others, all point in the same general direction: achieving improved cyber defensive postures from enterprise down to SMB (Small to Medium Business) organizations.  

These frameworks do have differences, but they have many commonalities. One of those commonalities is that complying with these frameworks is nearly impossible without some form of proactive IT management and governance approach within the organization. It is surely impossible to comply with these frameworks while purely relying on reactive IT models. Proactive IT management is a necessity to achieve compliance.  

Since most small and mid-sized organizations do not have sufficient internal IT resources to accomplish fundamental proactive IT management, these organizations are left defenseless and incapable of mounting any significant cyber defense against competent, well financed, and evolving cyber bad actors. Enter the MSP.  

Managed Services = Proactive IT Management 

Managed IT services, delivered by managed service providers, is proactive IT management. For at least three decades, MSPs have been helping their clients achieve proactive IT management, security, and data protection, while simultaneously doing so within a “pay as you go” billing model. While there are many organizations who claim to be MSPs, a true MSP will only apply a proactive IT management model to their clients. Any organization delivering a reactive IT management model a) should not be considered an MSP, and b) should not be considered a credible deterrent to modern day cyber threats.

Cyber Immunity 

One of the challenges faced when shaping public policy concerning cybersecurity is how to differentiate between organizations adopting proactive IT management and those who do not. Understanding proactive vs reactive IT management is challenging enough within the IT profession, so comprehending these complex issues outside professional IT circles is not to be taken lightly.

The goal for all organizations ought to be proper cyber hygiene. Proper cyber hygiene is not really in debate amongst industry experts. Where it gets tricky is enforcing cyber hygiene among less mature organizations who do not fully understand or appreciate cyber risk. It should also be noted that even smaller organizations who fully appreciate proactive IT management and cyber hygienic practices may not be capable of meeting those objectives without external assistance. The failure to properly respect and understand cyber risk is something which must be addressed and rectified and is a goal we must all undertake.

At the end of the evolutionary journey towards cyber hygiene is the crown jewel of IT management, data management, and cyber security preparedness we can characterize as cyber immunity.  

What is cyber immunity? As cybercrime continues to run rampant globally, the number and scope of cyber legislation is also increasing. Cyber immunity addresses the issue of practicing proper cyber hygiene and offering some measure of protection for the organization against cyber legislation which may otherwise be adverse to the organization. 

Cyber immunity, in its most basic form, treats cyber hygienic organizations who have been attacked by cybercriminals as victims, and not as entities deserving of additional persecution and shame.  Already, several US states have been passing “cyber immunity” legislation to incentivize positive cyber practices.  

Managed Services Immunity 

Having introduced the concept of cyber immunity, we now must address the question of how cyber immunity will be realistically implemented. Organizations, even those aware of cyber security issues and desirous of achieving cyber hygiene, must deal with the reality of how to achieve effective cybersecurity and IT management goals.  

We have already examined the distinctions between reactive and proactive IT management and the need for a proactive approach to IT management and cybersecurity to achieve cyber hygiene. The path towards cyber immunity must follow the path already well paved called managed services.  

Managed IT services is the only way to achieve cyber hygiene, and therefore, cyber immunity. Which brings us to the issue of managed services immunity. Providers of managed services are quite capable of delivering scalable and proactive IT and cybersecurity solutions to their clients, thereby equipping those organizations with the cloak of managed services immunity against future cyber-criminal activity and potential legislative repercussions resulting from any cyber activity.  

Tags : cyber immunity,managed services immunity
