For years, the managed services industry has largely treated cybersecurity as a tooling problem. As a result, many MSPs now operate sprawling security stacks filled with endpoint tools, SaaS backup platforms, security awareness training systems, compliance frameworks, identity products, SIEM platforms, MDR services and automation tools. Yet breaches keep happening.
MSPs need to ask themselves an uncomfortable question: What if the real problem isn’t the stack?
For all the innovation in cybersecurity, many of the failures that hurt MSPs the most still come down to operational basics:
- Documentation
- Asset management
- Backup testing
- Process consistency
- Technician discipline
- Standardization
You know, the kind of work no MSP flaunts on their website.
Tools matter, of course, but security stacks are becoming commodities. Most MSPs today can access some version of the same core technologies like EDR, MFA, SaaS backup, security awareness training, vulnerability scanning, SIEM and identity protection, among others. The real differentiator is whether your organization can consistently operationalize them.
Frameworks don’t magically make you secure
One of the more dangerous traps MSPs fall into is assuming that implementing a framework equals operational maturity. It doesn’t, according to Corey Kirkendoll, president and CEO of 5K Technical Services. “You’re not secure just because you follow the framework.”
Corey Kirkendoll
A framework provides structure and guidance. It helps MSPs prioritize controls, establish standards and document procedures. Frameworks don’t enforce operational discipline, however. That job still falls on the shoulders of real people.
It’s an important distinction because many MSPs approach frameworks like a compliance finish line. They adopt policies, configure controls, update documentation and mentally check the “security” box. Then operational drift starts almost immediately afterward:
- New technicians arrive and learn shortcuts from existing staff.
- Exceptions get made for difficult clients.
- Backup verification becomes less frequent.
- Processes that were documented six months ago no longer reflect reality.
- Somebody disables a security control temporarily and forgets to turn it back on.
Sound familiar? None of those failures are particularly dramatic on their own. Collectively, they create operational gaps that attackers love to exploit.
Kirkendoll warned that too many MSPs implement frameworks and make everything “nice and pretty.” But then MSPs “put it on the shelf and don’t look at it again.”
That problem extends far beyond compliance documentation. Unlike missing software, operational inconsistency is hard to spot until something breaks.
The green checkmark problem
Most MSPs already have backup platforms in place. In many cases, they have multiple backup layers. Backup dashboards show successful jobs every morning. Reports look healthy and customers feel protected. At least, until someone actually needs to recover something.
Henry Timm
“Test your backups,” advised Henry Timm, vice chair of the GTIA Cybersecurity Leadership Executive Council and founder of Phantom Technology Solutions. “Don’t trust the green check mark. Spot check those backups, because [we’ve had cases] where the snapshot showed it had backed up and booted on the vendor system, but it absolutely was not a restored image.”
One of the most common operational failures in managed services today is incomplete recoverability, not failed backups. A backup may technically run successfully while still missing critical dependencies needed to restore a customer environment properly.
“What you find is you probably missed the RDP server, the SQL server didn’t get backed up or something didn’t happen,” said Kirkendoll. In other words, many MSPs may technically have backup coverage while still lacking reliable recovery readiness, which is important. Ransomware groups are increasingly targeting operational weak points rather than just infrastructure vulnerabilities.
The same issue shows up in business continuity conversations. Many SMB customers believe “We have backups” automatically means “We can keep operating during an outage.” However, restoring data is not the same thing as restoring productivity. That’s why mature MSPs increasingly treat backup validation as an ongoing operational process rather than a software deployment.
You can’t protect what you can’t see
Asset management is another unsexy operational discipline that’s critical. Visibility is one of the industry’s most persistent problems. “You can’t protect what you don’t know is in the network,” Kirkendoll pointed out.
Modern SMB environments are messy. Shadow IT creeps into environments faster than most MSPs can document it. Meanwhile, customers continue adding cloud services independently because signing up for a new platform these days takes about five minutes and a corporate credit card. No amount of security tooling can compensate for missing visibility. If an MSP doesn’t fully understand what devices, identities, applications and systems exist in a customer environment, everything else becomes reactive.
AI is about to amplify operational problems
Right now, MSPs everywhere are racing to automate workflows, improve efficiency, reduce technician workloads and integrate AI into service delivery. Some of that is absolutely necessary; the economics of managed services increasingly demand operational scale, and the future security will largely depend on automation to fight automated attacks.
Unfortunately, automation has a nasty habit of amplifying existing problems. “You can put a real big turbo on a crappy engine,” said Ronnie Parisella, an MSP consultant and project management specialist at DataBit. “It’s going to help you crash faster.”
Ronnie Parisella
Parisella’s analogy resonates because it applies far beyond AI. It illustrates how AI can magnify operational weaknesses instead of solving them:
- If your onboarding process is inconsistent, automation creates faster inconsistency.
- If your ticket routing process is sloppy, automation scales sloppy routing decisions.
- If technicians follow different procedures, AI-driven workflows simply make those differences harder to detect.
That’s why process documentation suddenly matters so much.
“You have to have all of your process documented first,” said Dawn Sizer, CEO of 3rd Element Consulting. “It doesn’t matter which ones they are, even your business processes themselves. They have to be documented if you’re going to put any type of AI around it, or you’re going to miss things.”
Many MSPs have discovered they can’t meaningfully automate workflows because their internal processes only exist as tribal knowledge inside technician heads. While that may work at smaller scale, it breaks quickly once automation enters the picture.
AI, especially, depends heavily on operational consistency. Without a solid foundation, it just creates confusion faster. Or worse, confidence in broken processes.
Standardization as a Security Strategy
Dawn Sizer
For years, many MSPs treated customization around the client as a competitive advantage. Increasingly, mature MSPs are moving toward standardized environments for both operational efficiency and security consistency.
Technicians cannot realistically become experts across dozens of overlapping products and wildly inconsistent client environments, Parisella argued. “Smaller MSPs make a big mistake of trying to bring too large of a stack, too many logos and too many services.”
Standardization, he said, simplifies training, support, troubleshooting, documentation and incident response. It also makes automation dramatically easier. More importantly, it reduces the operational variance that causes mistakes.
When every customer uses different MFA workflows, endpoint tools, backup policies and support procedures, technicians inevitably make assumptions. Those assumptions create shortcuts, which, in turn, create security gaps.
MSPs need to stop treating security as an optional add-on service, Kirkendoll advised. Instead, they must establish minimum security standards across their customer base. He also warned that trying to support too many different products and configurations creates operational strain internally.
“How do you have a team that can walk through all of those different standards and products, expect to get excellent customer service and know what they’re doing?” Kirkendoll said. “It’s impossible.”
Operational discipline is harder than buying software
The difficult reality for MSPs is that operational maturity is much harder to purchase than technology. There’s no single product that fixes inconsistent onboarding, weak documentation, poor technician habits, incomplete inventories, process drift or reactive customer management.
Those problems require leadership, accountability, process ownership, culture, repetition, training and measurement. Coincidentally, all of those require harder work than buying another security product.
Thankfully, it’s also where the industry appears to be heading.
Customers are becoming more sophisticated. Cyber insurance carriers want proof of operational practices, not just of software deployment. Compliance requirements are expanding and legal exposure is growing as attackers are targeting operational weaknesses more than technical vulnerabilities.
The next phase of managed services security won’t be about who has the biggest stack, but about who can execute consistently. In the end, most catastrophic security failures happen because a process broke down somewhere along the line, not because the technology failed.
As ChannelPro’s online director and tech editor for over a decade, Matt Whitlock has spent years blending sharp tech insight with digital know-how. He brings more than 25 years’ experience working in the technology industry to his reviews, analysis and general musings about all things gadget and gear.
Images: Kazi — stock.adobe.com, DALL-E
