The MSP Zone

The Managed Service Provider (MSP) industry has seen significant changes since 2010, marked by a trend towards Private Equity (PE) expansion, growth, and consolidation. This movement has brought about a critical examination of value creation versus value extraction within the sector. Value creation in this context refers to the process of enhancing a company's value by offering superior products, services, or experiences that customers appreciate. On the other hand, value extraction often involves maximizing profit without necessarily contributing new value to the market or stakeholders. The MSP landscape has also witnessed the emergence of challengers to value extraction vendors. These challengers advocate for practices that prioritize long-term value creation over short-term financial gains. As MSPs become more discerning, they are increasingly supporting vendors that align with their values and business goals, often making choices that reflect their commitment to sustainable and equitable growth. Private Equity's impact on MSPs has been multifaceted. PE firms have been instrumental in driving consolidation in the industry, creating large MSP platforms through acquisitions. While some of these PE-backed platforms have had a positive influence by providing resources for innovation and expansion, others have drawn criticism for prioritizing financial outcomes over the needs of the MSP community and their clients. As the MSP industry continues to evolve, the debate between value creation and value extraction remains central. MSPs are actively participating in shaping the future of the industry by making informed decisions that reflect their preferences and values, which often includes a shift away from vendors and practices associated with value extraction. The influence of Private Equity is undeniable, and its role in the industry's future will likely continue to be a topic of discussion and analysis.

Chris Massey's journey in the IT field is a testament to the dynamic nature of the managed services industry. Starting as an internal IT professional, Chris has traversed various roles, gaining invaluable experience along the way. His tenure at Bocada, DRS, and Involta equipped him with a deep understanding of the industry's intricacies. At N-able, Chris has taken on the mantle of a mentor, guiding MSPs globally. His insights are shared on the N-able podcast, 'Now That's IT,' where he delves into the evolution of managed services. The conversation with Chris Massey reveals the profound transformation within the managed services sector. From its early days of simply providing tools, the industry has matured into a comprehensive support system for partners, encompassing a multitude of their MSP practice facets. This evolution reflects the increasing complexity and sophistication of IT environments and the growing recognition of the strategic value MSPs bring to businesses. As the industry continues to evolve, figures like Chris Massey will be at the forefront, shaping the future of managed services and ensuring that MSPs remain integral to the IT ecosystem. The trajectory of managed services is poised to expand further, driven by innovation and the relentless pursuit of excellence, much like the career of Chris Massey himself.

John Street's contributions to the managed services professional community have been significant and long-lasting. His entrepreneurial journey began with the founding of MX Logic in 2002, a company that quickly became a household name among Managed Service Providers (MSPs) for its robust email security solutions. The acquisition of MX Logic by McAfee in 2009 stands as a testament to the company's success and the value it provided in the realm of cybersecurity. Continuing his visionary approach, Mr. Street established Pax8 in 2012, aiming to revolutionize the way cloud-based products are sold and managed. Pax8's innovative platform has since been instrumental in streamlining the procurement and management of cloud services, further cementing Mr. Street's reputation as a pioneer in the industry. His foresight and dedication to improving the MSP ecosystem have undoubtedly left an indelible mark on the field.

If you are an MSP, chances are you protect, monitor, and manage client data all the time. But the rules around data have changed significantly. Previously used tools, tactics, and rules are no longer applicable as data theft crimes and risk increase. Guy Bavly, CEO of Actifile (actifile.com), enters the MSP Zone to discuss these issues.

Transitioning from a traditional IT model to a managed service provider (MSP) model is a significant change that involves a strategic overhaul of business operations. The process typically includes adopting a proactive approach to IT services, which contrasts with the reactive nature of many legacy IT models. The journey from a reactive IT company to a successful MSP practice, as exemplified by David Besse and the 415 Group, involves several key steps. Initially, it requires a clear understanding of the managed services model, which focuses on proactive monitoring and maintenance, cost efficiency, enhanced security, and scalability and flexibility. A comprehensive transition plan is crucial, which should outline the objectives, assess migration targets, establish success criteria, and prioritize objectives. Overcoming potential challenges such as resistance to change and migration obstacles is also part of the process. David Besse has led the 415 Group through this transition. Under his guidance, the company has focused on offering clients the necessary services and tools for success, emphasizing the importance of a strategic partnership with an MSP that aligns with the business's goals and needs. In summary, transitioning to an MSP requires a well-thought-out plan, a willingness to embrace change, and a proactive approach to IT management. By following these steps and learning from the experiences of those like David Besse and the 415 Group, companies can navigate the complexities of this transition and emerge as successful MSP practices.

State and local governments are under attack like never before. Drive by cyber-attacks are crippling already overwhelmed governments and creating unnecessary financial and political pressure on these organizations. The source of these attacks and the methods being used is not in dispute. What is not being discussed, is the solution. So, I am going to present a very simple, immediately available solution to any governmental employee out there listening to this podcast: managed service providers! Now, I know what you're going to say. I thought MSPs added risk to our cybersecurity. That is simply not true. It has never been true. In fact, it is a falsehood propagated by inept cybersecurity insurance companies who can't figure out how to quantify their own cyber risk, so they blame the only visible party in the equation, the MSP. Now, you may be also saying, well why would I use an MSP when they are being sued by their clients for failing to prevent cyberattacks? Well, again, that's a falsehood being propagated by uneducated people in the media and elsewhere, who just don't know what they are talking about.  MSPs do not practice reactive or break/fix services. The oxymoronic phrase "reactive IT management" does not make sense because you cannot manage IT in a reactive mode. Only proactive services (i.e., managed services can truly "manage IT." Recent headlines claiming MSPs being sued by their clients are really reactive or break/fix IT companies…not MSPs! Finally, MSPs are the only organization capable of addressing the systemic issue here; the lack of consistently applied policies, procedures, and controls, designed to radically reduce (not eliminate) the chance of a cyberattack being successful.

I commonly get questions related to MSP documentation. When is a good time to start? I only need documentation for when I get certified, right? I'm going to get to that, only later on when I'm established.    The truth is, MSP documentation should start early in your practice; ideally, during the planning stages before you've started to deliver services. Here are some helpful tips so you can better understand why MSP documentation is so important, what is involved, and when you should start.    Why is MSP documentation so important?    MSP Documentation Policies - HR, legal,  Procedures/process Controls   When should you start documenting?

FUD: what does it mean? Should you use it in your MSP practice? And, is there a risk to using FUD style tactics? Fear uncertainty and doubt, otherwise known as FUD, may have been created by IBM sales professionals in the 1970s, but it certainly is still being used today by many sales and marketing professionals beyond IBM.

Niraj Tolia, CEO of Alcion, enters the MSP Zone. The deployment of AI in MSP backup tools addresses several critical challenges in the managed services industry. By integrating AI, MSPs can automate routine and repetitive tasks, such as system monitoring, patch management, and backups, which significantly reduces human error, enhances efficiency, and optimizes resource allocation. This automation leads to cost savings and improved service delivery, which is essential in a competitive market where talent is scarce and operational efficiency is paramount. The adoption of AI was driven both by MSPs' desire to stay ahead of technological advancements and by internal motivations to improve service quality and reliability. AI has made a substantial positive impact on MSPs and their service delivery by enabling proactive issue resolution. Niraj discusses his thoughts around AI in data backup, what MSPs need in a modern-day backup solution, why he decided to enter the legacy MSP backup marketplace, and how AI will empower MSPs to succeed.

In the evolving landscape of IT services, the distinction between Managed Service Providers (MSPs) and other IT service models, like break/fix or security consultancy, has become increasingly important.    MSPs offer a comprehensive suite of services that manage and assume the responsibility of a defined set of day-to-day management services for their clients, proactively and under a subscription model. This is in contrast to break/fix services that operate reactively, or security consultants who may focus solely on specific aspects like penetration testing.    The confusion arises when companies misrepresent their services as managed services, which can lead to a misunderstanding of the value and scope of what an MSP truly offers. It's crucial for businesses to recognize the signs of a genuine MSP, such as a proactive approach to IT management, a broad range of services beyond just security, and a partnership mentality rather than an adversarial one.    Understanding these differences can help businesses make informed decisions when choosing an IT service provider that aligns with their needs.

I had the opportunity to play golf with an executive who shared some very insightful perspectives about risk, cyber insurance, and MSPs. The interaction was completely by accident but the information I got was invaluable.

There is a lot of wiggle room when it comes to knowledge and implementation of compliance in a managed services environment. More precisely, MSPs must understand and operate with accurate knowledge of the difference between preparing for an audit or certification and the testing or auditing of an environment. Both components are important, but the MSP is more suited to one and not the other. Here's what MSPs need to know. Audit and certifications in a compliance setting Preparation for and audit or certification Consulting vs testing Role of the MSP in audits and certifications Preparation and consulting are the domain of the MSP MSPs actively manage infrastructure, networks, and objects being tested, therefore, the MSP should not be the one testing

For a lot of MSPs, trying to convert reactive (i.e., break/fix) clients into proactive (managed services) clients can be a struggle. No matter how hard you try, those reactive clients just won't budge. Fortunately, there is a pretty effective technique you can use to begin to impress upon your reactive clientele all the benefits and reasons they would be better off as a managed services client. Step 1: Communication. You have to have a conversation with your reactive clients about everything. Times are changing. Everyone is taking cybersecurity more seriously these days. Explain how reactive IT management isn't IT management at all; it's IT disaster cleanup. And, it can get pretty ugly. The point is, talk to your clients and let them know what's about to happen. Step 2: Put your reactive clientele through some sort of security baseline. Don't get fancy. You can use something like the CIS framework. CIS does not have a certification so you just will be assessing the client's existing controls, policies, and procedures against the CIS controls. By the way, this technique can also be used quite effectively for all new managed services prospects. Step 3: Deliver the results of the assessment and make your adjustments. What does this mean? If the client is doing everything they should be, there is no reason for them not to become a managed services client. Their billings should stabilize, their level of trust in their IT investments should be solid, and both client and MSP can sleep better at night. For clients below the CIS level, you can let them know where the gaps are, that you can fix those gaps, but that a managed services relationship is what is needed. Finally, if the reactive client still won't budge, you can raise your rates due to the provable increase in risk they represent to your MSP practice.  This technique is a combination of compliance baseline plus risk-based pricing, and it can be a very powerful and persuasive tool in getting reactive clients to understand the modern cyber world in which we live. 

Ep 276 - The term EBITDA is not something a lot of MSPs fullly understand or use regularly. As a financial tool, it is worth knowing how it is used and why. But, should you use EBITDA as a metric for managing your MSP practice? Maybe, maybe not. To answer this question, we must define EBITDA, look at how it is used within general accounting, and more specifically how it is used within MSP M&A and investing. Only then can you know whether EBITDA is something you should use regularly as a guidepost for running your MSP practice.

Recently, at the MSPAlliance Inspire meeting, I witnessed something I've never seen before, something I'm now calling the "great MSP reset." This reset is an accumulation of several different things happening at roughly the same time and I think it bodes well for the future of the managed services profession. Here's what I witnessed. MSPs are going through significant equity changes MSPs are making tool changes MSP process overhauls These activities, taken in their totality, represent a very clear sign that there is a lot of positive change taking place in the managed services profession.

A lot of MSPs spend the majority of their time focused on revenue growth, and for good reason. If you're not growing, you're shrinking. But, not all revenue is the same. In fact, some revenue types may actually be harming your managed services growth. Confused? Don't be. There are some really simple metrics you can use to begin aligning your MSP practice towards a pro-growth future.   Revenue Mixture: What is it? Proactive IT offerings (i.e., your managed services deliverables) Professional services (non-recurring services such as consulting) Hardware & Software Revenue Mixture and Why It's Important Revenue mixture can tell you a lot about who you really are One of the most important MSP KPIs you can track Revenue mixture can help your MSP practice Promote proactive IT products Properly prioritize your reactive revenue streams Add discipline to your practice regarding new clients Improve valuation

Recently, one of our members reached out with some questions about how to achieve growth while simultaneously addressing a sizeable break/fix client base. It's a really good question and one that I know a lot of MSPs face. First, acknowledge that break/fix customers inhibit managed services growth Second, have a plan to migrate those break/fix customers to managed services plans Third, execute your plan and have a timeline. Don't make it an "open-ended" strategy.

It's that time of year again. Time to review the past year and look to the future and predict what is likely to happen.   The MSP world is changing more rapidly than ever before. Let's take a look at what 2024 has in store for the MSP profession.   Ransomware Responses Changing: MSPs (and customers) have to look at ransomware in a very different way in 2024. As numerous governments worldwide continue to march towards inevitable prohibition of ransomware payments, MSPs need to adapt to this evolving threat response and develop new service delivery models to help their clients prepare for breaches and attacks.   Break/Fix is still dead. If you are clinging to reactive IT service delivery models, be aware that the break/fix business model is still dead. If you have reactive clients, either a) convert them to managed services, or b) terminate your relationship with them. It may sound harsh, but times change and we all have to keep up with change!   AI or no AI, that is the question: No matter what your opinion of AI happens to be, you have to have one (an opinion, that is). Some MSPs are pursuing AI technology to be a force multiplier of their existing team, while other MSPs are having to confirm to customers that AI will not be part of their managed services experience.   Create your MSP Baseline: All MSPs should be entering 2024 with the objective of creating an MSP baseline. What is an MSP baseline? The minimum requirements you have for any managed services customer. This baseline will be different for each MSP. But you should have one because we are now at a point in our profession where all organizations ought to be practicing some minimal level of security standards.   Review/Adjust MSP Pricing: Once you have created your MSP baseline, then the fun begins. It's now time to establish or adjust your risk based pricing models. It does not matter what type of pricing model you use, you can always apply a risk based pricing element to that model. Implementing a risk based pricing model with the aid of managed services baseline becomes incredibly easy; or at least much easier than trying to apply some regional minimum wage labor rate model.   What's your compliance situation? Compliance is one of those topics (like AI) where you have to have a position. As so many customers are turning to their MSPs for help with compliance related matters, MSPs cannot claim ignorance on the subject of compliance. Whether you have a formally developed CaaS/vCISO/vCIO program, or you are just casually helping clients fill out cyber insurance forms, MSPs have an undeniable role to play in modern compliance and should act as such.   XDR Upgrade: For those of you still using (or selling) legacy anti-virus and firewall technologies, it's time to upgrade your tool belt. For MSPs, it is considered a current best practice to have some form of XDR technology deployed internally in your MSP practice. For customers, XDR would also be considered a modern day best practice for any sized organization. If your NOC/helpdesk team is stretched thin, consider a managed XDR/EDR solution (they'll thank you for it).   Get Cyber Verified: It's 2024. If you haven't started the process of getting your Cyber Verify certification, you should start your planning. Not only will it open up new opportunities for your MSP practice, it's also a great way to simultaneously achieve compliance with many globally recognized certifications and audits!

MSPs vs Vendor Controlled Remote Access The FBI advisory to private sector industries was released and raises some interesting questions regarding MSPs. While not specifically mentioning MSPs by name, the advisory covers general threats from ransomware and how they are being executed. Doesn't mention MSPs, but they are clearly being addressed in this notice 3rd parties and legitimate system tools All the guidance the FBI provides is already well established in the MSP Verify program   Unmanaged vs Managed IT Unmanaged Devices - still think break/fix is an effective IT management model? “80 to 90 % of all compromises originate from unmanaged devices...Most human-operated ransomware attacks attempt to compromise or gain access to unmanaged or bring-your own devices (personal devices used to access work-related systems and information). These typically have fewer security controls and defenses" - Microsoft   If you read this Microsoft quote and still think reactive IT is a viable business model or IT management model, think again. Break/fix or reactive IT is not managed IT, it's IT crime scene clean up If you are like many MSPs have a mixture of managed services and reactive IT clients, have a plan to deal with this situation If rising cyber premiums, guidance from the FBI and countless other government agencies, and overall awareness about cyber threats are not enough to convince your break/fix clients, guess what, they're using you to offload their risk.   My M&A Challenge to MSPs in 2024 I would like to encourage those MSPs out there attempting M&A strategies to consider this challenge for 2024. You may be surprised by what I have to say, but if you think about it I hope you will see the logic and value behind it. What is your M&A strategy and how does it fit into your overall strategy? M&A isn't a corporate growth strategy M&A challenge for 2024 Geography Service expansion Market/customer expansion Revenue doubling

The end of Ransomware? You may have seen some news lately about the US government working with other governments to ban ransomware payments. Well, I'm not so sure it will stop ransomware but it is an interesting topic and something we should discuss. Banning ransomware; what impact would it have? Government bans on ransomware payments will change how MSPs "manage" those clients Private sector should pay attention     Can MSPs be more proactive? I read an article who's headline talked about MSPs being more "proactive" with their customers. It occurred to me that this type of guidance is not aimed at MSPs, but instead at break/fix companies. Which begs the question, why include MSP in the title at all? And there lies the problem. These articles cannot distinguish between MSP and non-MSP. Reactive IT providers…there are expectations you must meet when joining the ranks of the professional MSP Being more proactive means being an MSP; that's the point! You can't be a little proactive; it's either all in or nothing at all   You can't "resell" compliance   vCIO or CaaS offerings depend on your familiarity in speaking the MSP compliance language. We are talking to a lot of MSPs today who look at compliance in a way that is very short sighted and not what will make a competitive difference in the MSP organization over the long run.   What does it mean to "speak MSP compliance?" Understand compliance frameworks which matter to your customers Understand the role your MSP organization plays in customer compliance Reselling a GRC tool does not make you a compliance expert