An article published on another site asks whether MSPs are struggling to keep up with IT security. MSPs need to be aware of such online conversations and be prepared to enter the discussion. As for my views, I will happily offer them here.
Our profession has well-established best practices and standards of conduct that extend throughout the world. Taking the MSPAlliance as just one example, our community has created a customer bill of rights, an MSP code of ethics, and a standard called the MSP Verify. We took these measures to provide guidance to the MSP community and help the consumers of managed services make better-informed decisions about outsourcing their IT.
For over 20 years, MSPs have been stewards of IT management on behalf of their clients. Starting with the enterprise community, those early-stage MSPs implemented policy at the direction of the clients they served. Yes, the MSPs needed to have strong internal controls and processes in place, but they were mainly directed by their clients. Even as early as the mid-1990s, managed services clients had well-established IT processes and controls in place and understood how to outsource IT management to MSPs.
As the years passed and smaller organizations began to understand the benefits of using MSPs, something interesting happened. These managed services customers were outsourcing IT without the experience of having a robust internal IT control framework.
As the mid-market and SMB communities embraced IT outsourcing, MSPs began to see disparities between their IT controls and those belonging to their clients. Only one thing stands in the way of MSPs implementing IT security controls: the customer.
Now, to avoid the inevitable outraged emails from end-user organizations, I acknowledge there are exceptions to the rule. I recognize there are practicing MSPs (or companies calling themselves MSPs) who have had lapses in security, made mistakes, or just have poorly constructed policies and procedures that require updating.
I also know that thousands of MSPs I have spoken with complain about the state of IT security within their clients precisely because the clients have rejected these improvements. If a customer refuses to allow its MSP to implement best practices such as multi-factor authentication, regular data backups, and change management controls, the client should at least be performing these same controls internally and on their own. This rarely happens, especially at the smaller end of the market. After all, that’s why the client is outsourcing their IT management in the first place.
Are MSPs Struggling?
True MSPs are not struggling to keep up. That is my opinion. There are many IT service providers still early in their maturity path who need to continue to improve. Indeed, all MSPs should be striving to continually improve and learn to become better at their craft.
Mature MSPs struggle with keeping clients aware of what needs to change, but that change cannot happen through the unilateral action of the MSP. Clients need to be in alignment with their MSPs in making these decisions to reach better IT security. When this alignment occurs, amazing things can happen for those clients.