Weaver Outrage Meter: Low

Q1 Managed Services Industry Report Card

We have officially wrapped up Q1 2023 and its time to evaluate how the managed services profession did and what the outlook is like.

• Q1 analysis
• MSP outlook
• Tech stock performance

S&P 500 doing well because of IT stocks

Cyber Consultants Continued

We have been discussing (for years) the ongoing evolution and emergence of consultants in the cybersecurity field and the impact they are having on managed service providers (and their clients). We have an update on this topic from actual MSPs who are encountering these consultants in the field and the feedback may surprise you.

• MSP interaction with cyber consultants (mature vs reactive MSPs)
• Agenda of the cyber consultant movement
• What can MSPs do?

AI vs Automation

MSPs need to evolve. Evolutionary change has been a constant in the managed services profession since its beginning in the early 1990s. As MSPs search for ways to become more efficient and scalable, an emerging debate is presenting itself as we understand more about artificial intelligence and automation tools.

• AI vs automation
• AI risks in managed services
• MSP guidance for automation and AI technologies

 

Full Transcript:

 

You’re entering the MSP Zone, a podcast for the managed services community covering news, analysis, and interviews from around the globe. Elevate your MSP game by staying in the MSP Zone. And now your host, Charles Weaver.

 

All right, another busy episode, but lots of good stuff. And we’re going to take a look at the first quarter, which we’ve officially wrapped up now. And we’ve got some actually really good data to talk about on exactly how did Q1 end up for the MSP profession and what does it look like for the rest of the fiscal year? And some good stuff for you, so don’t want to miss that.

 

Then we’re going to talk about cyber consultants. I had a really funny email from one of our members who had a run in with a cybersecurity consultant, and I don’t want to bring up an “I told you so” moment, but this is super funny and you’re going to want to stick around for that.

 

And then finally, we’re going to end up with a conversation, more of a debate, around artificial intelligence versus automation and what those two technologies mean for the future of managed services. What MSPs ought to know about each one. And maybe what strategies you ought to start thinking about for the future relative to AI compared to automation, because they’re not really the same thing at all. And we’ll talk about that.

 

So first off, Q1 performance report card, how did we do?

 

So we have the MSP Alliance Inspire Group, which as many of you know, are MSPs who have been through the MSP Verify certification program. They’ve been certified and they get together, and I don’t even call it a peer group. They are peers to one another and they get together and they’re a group. But I don’t know, they don’t like calling themselves a peer group. I don’t know. They’re a group. I don’t know. They’re inspired. That’s what they like to call themselves, actually. They call themselves a lot of funny things that aren’t for public consumption, but that’s for another episode.

 

The inspired group meets regularly, both in person and virtually. And the last meeting we had, which is a virtual meeting, they actually did talk a lot about some things that are relevant to how the profession has been doing at large in an economic sense. And now that Q1 has completed, we’ve got some data that is interesting and we’ll talk about, and it’s data from all over the sector, different sectors. And we’re going to try to piece together some analysis that hopefully tries to make sense of what we’ve been seeing because talks – are we in a recession? Are we not in a recession? Is the stock market up? Is it down? Is inflation impacting us? Is it not? People are laying off jobs, yet people are still trying to hire people. There’s a lot of contradictory data points out there and it can get confusing. And I don’t blame you if you’re confused, so it’s confusing to me too. So I’m going to try to make some sense of this.

 

But what the Inspire members had to say, this is pretty much uniformly across the board, is that Q1 represented a period of strong demand. So the way it was told me is that they have been having very deep ongoing discussions with existing customers and new prospects, but particularly amongst the existing customers, about spending, about increasing spending. And specifically I’m talking about discretionary projects. So I’m not talking about managed services spend here. This is a constant, right? When MSPs talk, they talk not only about are we closing more managed services deals, but they’re also talking about are we getting new projects in the door?

 

And are those types of customers spending money? And it was a little tight. What does tight mean? They were talking about spending to the MSP, but they weren’t actually pulling the trigger yet. They were delaying some of those discretionary projects to later on. It’s not spending, you might say. Well, not spending is not spending true managed services, there’s no reason to believe, and they did not indicate at all that managed services revenues have dropped. What they were saying was discretionary, non-managed services revenues and projects had been temporarily halted or pushed off or delayed, whatever you want to call it.

But the overwhelming sentiment, and this could be that they’re all entrepreneurs, they’re people who work for a variety of different-sized businesses, but they’re fairly optimistic folks, MSPs in my estimation and experience, and they all felt that based on conversations that they are having on an ongoing basis, that this kind of pause is going to be unpaused, that spending for nondiscretionary elements or projects are going to start happening. And I took that to mean that they were actually having commitments for a paused project for Q1 that wasn’t going anywhere is now being okayed and green-lighted moving forward. That would make sense in light of other data that we’re seeing.

 

Number one, the stock market is up. Now, that may not mean much to you if you’re one of the tens and tens of thousands of people who are getting laid off by Facebook, Google, and a lot of the other tech sectors, Amazon included. We talked about that in previous episodes. That’s probably coming from the remote-hire, remote-work community and these companies realizing that that work from home environment for them isn’t really panning out and so they’re making a massive shift getting rid of those jobs. Again, we’ve talked about that in other episodes and you’re welcome to go back and listen to those.

 

But the stocks are up. And if you read, there’s a link in the show notes, you can read a story about the S&P 500 doing really, really well, chiefly because of tech stocks driving the S&P 500 up. Now, it didn’t mean that there weren’t non-tech stocks that were performing well, but across the board, tech stocks were driving the growth in the S&P 500. I don’t know if you guys remember, but a few episodes ago, I had been talking about, with this whole Silicon Valley Bank thing, there was a lot of chatter. Go back and watch it and listen to it. There was a lot of chatter in written form and in spoken form about Silicon Valley Bank and the general failure of some of these banks being caused by the tech sector. It was specifically SVB, and I commented to you guys that be careful about this narrative of tech, big tech or general tech, doesn’t matter, causing or dragging down the economy, dragging down banks like SVB and causing them to fail. That’s not what’s going on and that’s not what happened.

 

And if you need evidence, read the story that’s in the show notes for this episode and read what tech stocks are doing for the S&P 500, at least for Q1. We’ve been doing quite well. And again, not all of it, but a lot of it certainly could be attributed to how tech public companies are performing financially. And that’s good, but it also jives with what we’re seeing from the MSPs who are saying, you know what, things were a little bit slow in Q1, but Q2 and beyond, they’re really looking much better. Things are starting to free up, money is starting to be more loose. Those are all good things. Those are all really good things. And so I would say if you’re looking for a general, what’s the outlook for MSPs in Q2? I would say better than Q1. Now, things could change. Are we in a recession or not? I’ll let that question be answered by the professional economists. I’ve learned enough to know that whatever the economy is doing really doesn’t always have a direct correlation to MSPs. That’s really a tricky thing because you can’t look at the stock market, you can’t look at the unemployment rates, you can’t look at anything out there and say, oh well, that’s also having a positive or a negative impact on MSPs. It impacts the MSP market in very strange ways. Meaning bad news does not always correlate to bad news in the MSP community. Good news doesn’t always correlate to good news in the MSP community. Strange, but it’s true. So anyway, I would say we’re doing pretty well. I would say Q2 2023 is looking pretty solid from the MSPs. Everybody that we talk to on that inspired group, meaning really and elsewhere, not just the uninspired MSPs out there that we talk to are equally enthusiastic about what Q2 and the rest of the year is holding for them. So all in all, it could be worse. But I think we’re looking pretty healthy for the remainder of the year.

 

On to our next topic. Got an email from an MSP and I’m going to ask them to come on to the program to kind of talk a little bit more about this experience that they encountered. And I’m going to give you a little bit of a tease, but this is all tying back to going back to multiple episodes over multiple years where we have been talking about this general movement in the cybersecurity consulting class or community who are predominantly pushing CMMC and NIST. Nothing wrong with those frameworks, but we’ve been talking about this group that is suddenly emerging on the scene and they are inserting themselves in somewhat dangerous, in my opinion, dangerous ways in between MSPs and their customers. And I don’t want to repeat all of what I’ve said before, but you can go back and listen to that in the past. There wasn’t any video back then, in case you’re wondering, but we’ve got audio for that. You can go back and listen to those episodes.

 

And it’s always nice to hear validation from the field, as I call it, right? An MSP comes out and says, hey, I’ve seen this. I’ve actually witnessed this happening. And it validates what we’re seeing and hearing because, remember, what we do is we aggregate data and information and feedback from MSPs all over the planet, from Enterprise, mid-market, to SMB. It doesn’t matter in different service verticals and different market verticals, we collect a lot of data on MSPs, and so it’s helpful to hear field level, street level input from MSPs who actually have these types of interactions that kind of validate and support what we’re seeing and hearing from elsewhere.

So an MSP goes to a cybersecurity conference. Isn’t that the start of a great joke? An MSP goes to a cybersecurity conference and meets a cybersecurity consultant. And through the conversation over a meal, I think breakfast or something, the MSP is learning more and more about this consultant. And it turns out that not only is this consultant a board member, I think that’s what they said. They said they were a board member of some state-run group of cybersecurity consultants. So they’re a board member of a cybersecurity consulting group or association. Not quite clear. We’ll get hopefully some clarification on that soon, but they occupy some board level position in addition to their other job as a consultant. Their consulting cybersecurity job, however, is also a side gig. It’s not what they really do full time. What do they really do full time? They work in retail.

 

Now, I have nothing against retail. I shop in retail stores all the time, but I don’t generally associate people who work in retail as also being experts in cybersecurity. And apparently, I’m not alone because this MSP actually, not only did they write an email to us, but they wrote a blog, and now it hasn’t been published yet. And I’m hoping that we’ll get permission to at least publish it ourselves, or at least we’ll reference it in a future episode. But this MSP was so startled to hear that a cybersecurity consultant at a cybersecurity conference interacting with an MSP was portraying themselves as a professional in this field when really they are in retail. And here’s the kicker. They’ve only been working in cybersecurity for like a very, very short period of time.

 

Now, I know some of you are out there saying, Charles, how is a youngster, how is someone mid-career wanting a change, ever going to get a break if we don’t accept new people into the profession? Hold your horses. I have nothing against people beginning a career. At some point, I was new in managed services, right? At one point, I was very new and I didn’t know much, and I had to learn, and I had to earn my keep. I had to earn my reputation. I had to learn, absorb information. I talked to hundreds and hundreds and hundreds of MSPs, MSP business owners, to even start to feel comfortable understanding the MSP market. So I get breaking into a new area.

 

But I’ll tell you this. For year one, year two, year three, probably for many, many years, I never considered myself an MSP expert. I don’t think I call myself an MSP expert today. I don’t even like to think of myself in that way. I study MSPs a lot. I’ve got a lot of time invested in managed services companies, as would be obvious. But I see a ton of people who call themselves MSP experts and call themselves cyber experts and cybersecurity experts, and I really got to wonder if people like this are showing up who really are working retail and they’re just breaking into cyber and they call themselves a cyber expert, and they’re being placed on boards for cybersecurity organizations and they’re doing cybersecurity consulting, that’s a problem.

 

And the MSP who emailed us thought it was a problem. The problem they thought was, how are my customers ever to properly judge and evaluate a consultant if they all call themselves an expert? And yet their expertise apparently comes with only a few months of experience? That’s crazy. You can’t operate in a world like that. That makes no sense.

 

Look, I’m not talking about things that haven’t been discussed for hundreds of years, right? That’s why you have trades. And the trades, you know, going back probably a thousand years or more, have had ways to develop apprenticeship programs where if you want to break into things like being an electrician or working in the electrical field, there are ways that you can do it. If you don’t know anything about electricity, you can work your way into that field and begin to earn your keep and become progressively more and more familiar and more and more expert in that field of electrical work. The same with construction, same with engineering, same with legal, same with medical, right?

 

Managed services. We’ve been working on this for a long time. Now, organizationally, that’s where our efforts have been focused, not individually. But these cybersecurity consultants who are individuals at their core, right? This is a problem. I’ve been saying it’s a problem. And you say, Charles, why is it a problem? What’s the big deal, man? So an MSP runs into a cybersecurity consultant at a conference. So what? The so what is if that consultant ends up talking to this MSP’s customer and says, you know what? I think you ought to stop listening to that MSP and start listening to me, is that good or is that bad for that customer? Right? Do you get where I’m going with this? It’s bad. It’s not a good outcome.

 

Now I understand why these consultants are doing it because they’re being pushed out there. And quite frankly, we’ve been making such a racket and probably justifiably so, we’ve been making such a racket about the cybersecurity skills gap, that we are apparently filling that gap with anybody who has just got a heartbeat and willing to go in there and say, yeah, I’m a cybersecurity consultant. Sure. Am I a cybersecurity expert? Why not? I’ll call myself an expert. It’s a problem. I don’t just see it. This MSP saw it. And I know a lot of you out there see it because I’ve talked to a lot of you MSPs and I’ve talked to a lot of you MSPs over the last three years who have seen these consultants start to wedge themselves into your relationships with your customers and have been very destructive, very disruptive, not helpful. And believe me, if the guidance that we were seeing from cybersecurity consultants was good, I’d be the first one to say, MSPs, you ought to up your game, folks, if you want to compete with these consultants. I’m not seeing that. I’m not seeing that at all. And I don’t mean that there aren’t some good consulting security firms and people out there. That is not what I’m saying. But they are few and far between compared to the mass horde of probably thousands of cybersecurity consultants that are out there just coming out of the woodwork saying, yeah, I’m a consultant. Yeah, I’m an expert. What do you need? And you know, unless you have an MSP who can say, this is a problem, right, you clearly don’t have experience. You clearly don’t have – and that’s what we’re getting at, right?

 

It wasn’t that this MSP had a threatening experience with this person. I’m imagining, and we’ll find out if we get this MSP on the podcast, I’m imagining that this MSP talked enough to this consultant to understand enough that this consultant didn’t know what they were talking about. That’s my suspicion because I know this person. They’re really smart. They’re technically proficient. They’re a good business person. This is one of those rare combinations where they actually have good business acumen. And they have, I think this person has an engineering degree or engineering background, and so they have really good, strong technical understanding and they probably realize very quickly this cybersecurity consultant expert, they don’t know what they’re talking about, they don’t know anything. They should stay in retail instead of going out there in these conferences, portraying themselves as something that they’re not.

 

So what can MSPs do? You can be informed. You can start to say something. I mean, if you don’t want to speak publicly about it, if you don’t want to go on your Reddit channel and get jumped on by a bunch of people, whatever, email us, we’ll keep it confidential. I haven’t mentioned this person’s name or his company name. If he wants to come on and voluntarily talk about it, we’d love to have him. But send us an email if you’re seeing these types of things in conferences that you go to. And I know these consultants are showing up everywhere; they’re probably even showing up at MSP conferences and events. And if you spot these people, I want you to email us and say if we’re wrong, tell me we’re wrong and tell me why. Because then we need to change our opinion; we need to change our guidance. But if we’re right, I want to know that as well. And tell us how we’re right. Tell us what you’re seeing. Tell us your opinion.

 

Now this MSP was very clear. Dangerous was the word they put in the email to describe this consultant – dangerous. And they know full well that there are many, many others like this consultant they met at this conference. And so, like I said, just keep your eyes peeled. If you see something, let us know. We just want to know, we want to know where the market’s headed. And you know, look, I think we could use cybersecurity consultants, just for the record, I think we could use them. But it’s important that we have kind of a proper view of the world and don’t just accord someone who is brand-spanking new into cybersecurity some level of authority that they ought not to have.

 

So enough about that. On to artificial intelligence and automation. We’ve talked a lot about automation here in the past and we’ve talked a lot about the need for MSPs to as they look to drive down cost. Just as for the last three years through the pandemic especially, particularly the cost of cybersecurity talent has gone up. The cost of technical talent in general has gone up. Maybe I think it’s leveling off now. What are some ways that MSPs could be reducing their service delivery costs? And we’ve historically said automation is the way to do it. Now automation is the objective. You could say that artificial intelligence, machine learning, things like that are the means to the objective.

 

And I want to circle back to that conversation now particularly because we’re starting to see a lot of really fast emerging data come out about artificial intelligence – AI. And, it’s pretty alarming. Now if you don’t follow this stuff, that’s fine. I’ll try to summarize what I’ve been seeing and what I’ve been hearing. And if you follow people like Elon Musk, He and about 100 other people, I haven’t read the letter, but I’ve heard about it in general, and the concept behind the letter is that they signed, hey, nations of the world, we ought to stop, like, right now, stop development of AI because it’s already, in a short period of time, reached a place where it could do some real damage. And this is all on the heels of things like ChatGPT, which I’ll admit, even I’ve been curious about and played around with because it’s a curious thing. It’s new tech, and it’s fun to play around with. But the idea that AI could actually become dangerous faster than we would even recognize its capacity to be dangerous is a problem because it’s a question of control. It’s a question of, can AI be managed? Can it be controlled? And in our context, can it be controlled and managed by an MSP versus the other way around? Right? That’s the risk. That’s the ultimate we don’t ever want to go there scenario.

And if MSPs are going to look at AI, and I know it’s already there, right? So I know MSPs are already dabbling with AI because it’s already seeping through in forms like some SOC and SIM platforms. Some EDR XDR platforms are starting to dabble in AI for better, deeper levels of scanning and monitoring of security-related events. And I think that that’s a good thing.

I would say machine learning is a term that I’ve heard a lot from the engineering teams at some of these SOC and SIM as a service platforms. Maybe they knew this before, but they have always, by my recollection, used machine learning as a term kind of compared to AI. But what are we to do as a profession with AI moving forward? And does anything need to be done at all?

I think we do need to be concerned about it, and I think that there are some things we need to study and ask right now, starting with – MSPs need to talk to their vendors who are using AI and talk to them about safety, risk, data privacy. A vendor that uses AI is to be treated no differently than they would a vendor who doesn’t use AI. That is to say, they go through the same level of scrutiny.

 

Now, if a vendor that you use uses AI, you have extra reason, perhaps to be concerned and to ask for information, but you should still do the same level of due diligence, the same level of review on that vendor compared to a non-AI using vendor. Makes sense?

 

If you were going through MSP Verify, or even if you were going through Cyber Verify and you weren’t getting a report, you would still be encouraged and asked about your third-party external service providers or your vendors, to put it in layman’s terms. And you would still be asked, well, what level of access do those third-party vendors have in your environment and your customer’s environment? And especially if AI is involved now, the question has to be asked – what level of access does that AI have and what can that platform do? What can it do that you aren’t aware of or you weren’t approving? Right?

 

And that really is the comparison and the distinction between AI versus automation. I think every MSP ought to be already involved in automating as much as you can in your MSP service delivery practice, which is not to say that you are replacing people with machines. I am not suggesting that at all. Because one of the things I’ve realized, and I think people are – there’s content being created right now about AI producing a lot of stuff on its own that still is incomplete. It’s still unpolished. It still needs a human to look at it and to evaluate it and to edit it in the form of, like, writing text, producing video, producing audio, what have you. And the same is true with managed services.

 

I think whatever AI does there ought to be, there properly should be people at some level of review doing oversight on any technology, including AI. But automation is a separate issue. Automation is a question of – can you use technology to force multiply maybe ten times the number of people that you actually have and use technology to perform things at a level that you couldn’t otherwise do without that headcount? And that’s not only appropriate, I think that’s to be encouraged.

 

The question is when does that automation go beyond automation and go into the platform, the technology in the platform actually doing things on its own, that the MSP didn’t know about, didn’t approve, and didn’t want. These are issues that aren’t – I’m not knocking vendors who use AI, right? I’m talking about AI as a general concept. I’m talking about AI as something to be controlled, understood first and foremost, and then, and only then, implemented into a managed services supply chain.

 

And I think that we’re at the very, very beginning of this, folks. I think that we are going to learn so much more about AI over the next months and years. We’re going to see it in play in managed services environments. We already do see it to some extent. We do see machine learning in a lot of XDR platforms. But I think that those things are controlled. I think they’re very well-defined. I think that they are, as far as I’ve seen, they are not security threats at all. In fact, they’re very necessary for the security for MSPs and their customers.

 

It’s this other next-gen AI that we’re seeing that we really need to make sure serves our interests rather than its own interest. And before this starts to sound like a spooky Sci-Fi movie, let’s just leave it at that as something that we keep a close eye on.

 

If you have any thoughts or inputs on your experience, if you have any with AI in your MSP practice, we’d love to hear about them. We’d love to have you on the program and talk about them because I think it’s really fascinating and I think the more people that hear about it and watch it, the better it is.

 

But yeah, automation, anything related to automation that MSPs can do today, my vote is, my suggestion is do it. Do it as soon as possible because that’s ultimately going to help you drive down your cost, meet service delivery demands of more and more customers and ultimately that’s a good thing.

 

Until next time. Thanks for listening. If you enjoyed today’s episode, please give us a like. Make sure you are subscribed to the podcast so you will get notified when future episodes are released. We will see you next time in the MSP Zone.