If you have ever considered or called yourself a “trusted advisor” then you may want to pay attention to this. The trusted advisor designation is under attack and is being threatened with the worst possible outcome, irrelevance.
If you doubt this claim, I will present the following emerging trends which are threatening the MSP and need to be addressed by the profession.
The thing you must understand is as trusted advisors, this designation is like a knife’s edge, it must always be sharpened or else it will become dull and cease to have value. MSPs are facing this same threat but from a new direction, the cybersecurity vendor. Not the software or hardware companies, but the cyber consulting firms sprouting up like weeds all over the world. These firms are proliferating at an alarming rate, and they have their sights firmly set on the managed service provider.
Trusted Advisor Status
MSPs have long occupied the position of trusted advisor. If you ask MSPs to describe themselves, it is likely you will hear them use the term “trusted advisor” often. I agree with this designation; I believe it is both well-deserved and accurate.
MSPs enjoy this responsibility (being a trusted advisor is most certainly a responsibility) because of the nature of the work they perform for customers and the relationship necessary to continue delivering this service. I won’t go into detail on this because it has been well documented over the last several decades. Look it up.
Threat of the Cybersecurity Consultant
Earlier this year, I wrote about the emerging threat of a new breed of consultant, those primarily focused on cybersecurity, including those who are proclaiming expertise around CMMC and NIST. I called these consultants “armchair cybersecurity experts” and you can listen to the episode here The Armchair Cybersecurity “Expert” – MSP Alliance
While some may take offense at me characterizing these cybersecurity consultants as “threats”, I do so based on experience and evidence demonstrating a significant amount of misrepresentation, objectively dangerous business outcomes, and growing likelihood of confusion caused by these same consultants. I will explain.
In a recent email I received from one such cybersecurity expert, I noticed (and discussed in an MSP Zone podcast) how the company both claimed to be an “expert” in security matters, but also claimed to be an MSSP, despite no external evidence or services listed on their website suggesting anything close to a managed service.
This was a 100% channel focused consulting firm, claiming to convey instant cybersecurity credentials and credibility to any MSP willing to sign up with them; a dubious claim and not one we like to promote as being part of our canon of professional ethics.
So, to summarize, we have a consulting firm selling consulting services to the MSP channel; consultant claims experience and expertise in this field and tells the MSPs they pass themselves off as experts by virtue of their relationship with the consultant. Oh, and the consultant is a consultant, not an MSSP.
Do you see what is happening here? This scenario is both real and happening more frequently, but it is also having very real and negative consequences involving both MSPs and their clients, as we will explain next.
The Impact on the Client
Everything we have discussed is both real and has the chance of having a negative impact on MSP and customers alike. Here is one such example.
The MSP has an existing relationship with managed services customer; customer engages consultant to assist with unrelated service and yet begins to influence and direct the customer on matters related to cybersecurity. You may be thinking that is no big deal. What is the problem with recommending cybersecurity changes to a customer?
The problem arises when the consultant begins to influence customer change which occurs outside the presence of and awareness of the MSP. Why does this matter? Anyone who understands how MSPs work knows that they have great responsibility over their customer IT assets and making changes to managed objects do not happen casually.
For example, what is the impact of a consultant influencing an IT change within a customer environment which impacts an agreement between the MSP and customer? What if the proposed change creates greater risk due to a technical reason which is beyond the awareness of the consultant?
Consultants have long been viewed as problematic within the confines of a managed services relationship for these same reasons. Consultants tend to make or influence change which can have disastrous effects on the network or system, and they bear no responsibility for the damage they cause, nor the costly remediation needed to get things up and running again.
I do not blame all consultants, nor do I allege they all create the same negative outcomes. Quite the contrary. The cybersecurity consultant, however, is a new creature and one that is making wild statements and promises, few of which are true or beneficial to MSP or customer.
To the MSPs, protect your trusted advisor relationships and status. Do not unnecessarily let it tarnish, grow dull, or become irrelevant. If any of these things happens, you may not be trusted by your clients for long.