The three opportunities for MSP’s moving forward
Alex Fields
The writing has been on the wall a while now; with a mass exodus to cloud services such as Microsoft 365 from traditional on-premises infrastructure, it was only a matter of time before those selling MSP services had to either evolve or die off. And with recent high-profile attacks against traditional MSP platforms like Kaseya, plus the recent announcement about Microsoft 365 Lighthouse for MSPs, we finally have more providers scratching their heads and wondering whether the old ways aren’t on their way out after all. One of my friends and fellow MVP, Amy Babinchak, runs an MSP that does not even use an RMM. Amazing? Or is that the direction we are heading in general?
The sea change that is coming is not just being driven by security concerns, either. Yes, cybersecurity is one major area of opportunity (and still the one I receive the most inquiries about), but the Cloud-First, Mobile-First era we are in is much larger than say, the ‘Zero Trust’ conversation. Modernizing our approach to security is but one facet of a larger puzzle, and I hope to draw out some of what the future might look like, from the perspective of Managed Services, here today.
I believe that we are now at a time in our history where we have never had greater opportunity to expand our service offerings and provide more value to customers than ever before. In fact, it is difficult to impossible for me to list all of the various projects, products, and services that one could build even just leveraging Microsoft 365 and Azure (to say nothing of the other tech vendors out there). Instead, I will try to distill the three major categories of opportunity, as I see it, for the Managed Services Provider, especially if they work in the Microsoft space.
If you manage a Microsoft environment, with Windows desktops, email in Office 365 Exchange Online, document collaboration taking place in OneDrive and SharePoint Online, and meetings and teamwork taking place in Teams, then why not tie your management tools into the same infrastructure? The benefits are many (Conditional Access is but one that we harp on here at ITProMentor.com). You can even tie your phone system into a Teams-integrated solution in this case, so that voice, messaging, voicemails, meetings, etc. can all live in one place. The more you simplify and consolidate, the more life gets easier for admins and users alike.
When all the pieces of productivity, communication, software deployment, and asset management are connected and working together (something Microsoft refers to as “Native Management”), then you can expect faster boot times, smoother operations, stronger security, and more satisfied end users. At least, this is what the marketing says (it is backed by Microsoft’s own telemetry and data). Some folks doubt this amounts to anything in the real world, but look: I have yet to see MSPs bringing the full experience home to their customers, so how can you knock it until you give it an honest go?
Looking at it another way, modernizing your management and consolidating functions into as few vendors as possible has certain efficiency benefits simply in terms of total cost of ownership: training, software licensing, fewer points of management and so on. While we know this is intuitively correct, we still resist it for some reason. I believe that this is born mostly from an inability to distinguish between what is merely a cost (e.g. utility bill) and what is actually value-added benefits from a customer’s perspective. Many of my MSP customers are still obsessed with finding the “best of breed” in each area, even if those areas are not really valued by customers. For example: your customer doesn’t care which endpoint security solution you use, as long as you have ways of monitoring their endpoints and keeping them reasonably protected.
I now work with a few MSPs who are getting OK at implementing new pieces of the puzzle like Intune (usually in addition to everything else they are doing), but not many (yet) are really jumping ship from a traditional toolset and embracing a fuller expression of “Native Management” as Microsoft defines it. This takes more commitment and work, but in the end it will pay dividends. Why? Because everything you are outsourcing is the commodity stuff that you don’t want to be doing anyway. Like I said, your customer just wants stuff to be fast and safe to use, and for their service providers to be responsive to any issues as they crop up. Simple, yes? Then do not overcomplicate things by trying to architect and manage your own management infrastructure: you can literally lease it from Microsoft for free (well, more accurately the infrastructure is just included in the price paid for a subscription), but unless you are managing it, your customer experiences none of its benefits.
The opportunity that probably represents the largest piece of the financial pie is the one that is still the most ignored amongst MSPs at large, and I have no idea why. I can only assume that they have so long been preoccupied with infrastructure and management (much of which we can outsource and simplify now per the conversation above), that they simply remain blind to this massive pile of future cash waiting to flow into the pockets of those willing to lead the way and take the risks.
As I mentioned, Modern Management is an inevitability because it is basically a commodity; there is nothing the customer values less than the infrastructure. They don’t care how or why their tech works, they just want it to work with as little interruption as possible, and of course, to remain reasonably safe while doing so. This also implies that the customer is going to be more miserly in spending money on this category. So what does the customer care about then? What would make them want to loosen the purse strings, so to speak, and spend more money with you? Simple, my friends: you need to help them get more value from their data, apps, and services!
Most MSPs pretty much ignore the ins and outs of the businesses they serve. They were good at Microsoft, or Citrix, or whatever technologies were supporting their customers’ businesses, but what the customer did with that technology was ultimately something that lived behind a big curtain; MSPs didn’t really care to peek behind it either. Well, time to ditch that mentality. Your new pitch is: Look Mr. or Mrs. Customer, I can slap this new technology in place for you, but how will you get any benefit from it unless I can teach you how to use it in your business more effectively? For that, I need to see how you work today with your clunky old tools, so I can recommend something even better using this new toolbox.
This type of engagement has existed for a long time with platforms like Dynamics; there have been application integrators for decades, just as there have been MSPs. But shifting into the productivity space, understand that your work will of necessity include discovery and consulting time, as well as training and projects, and most likely, ongoing support and maintenance of any solutions that are taught and built alongside the customer. This holds even just in terms of better collaboration using modern tools like Teams and SharePoint, to say nothing of PowerApps, PowerAutomate, PowerBI and so on. Many organizations are seriously underutilizing their modern software subscriptions, or do not understand what is possible (and that goes for MSPs as well, which is part of the problem).
Cybersecurity and Compliance Management
The third category is one that I have (so far) spent most of my time with here at ITProMentor.com. This is an area that has been extremely hot among MSPs for a few years now; however, I still find that the majority of them are doing very poorly with it. This is mostly due to the fact that they are “product focused” and lack a comprehensive approach to security and compliance. In my courses, I encourage providers to follow a formal cybersecurity framework such as NIST or its simpler cousin, CIS.
Now I place both Security and Compliance into a single bucket here, but of course some will argue with me that these are distinct practices. Certainly; I just think that it is somewhat simpler to abstract to three major categories rather than four, especially because of how I view the overall picture. You see, modernizing management is basic level stuff (infrastructure, remember?), while Digital Transformation delves into the applications and business processes support “add-ons” which get layered on top. Cybersecurity and Compliance are necessary at every level; whether your work is focused on infrastructure, or on apps & services, there is always a need to keep things secure and compliant (both within the bits and bytes of the tech, as well as in the real-world policies, processes, and procedures).
Here in the United States, we do not have that many compliance requirements (relatively speaking). Unless you are in a specific industry like Financial Services or Healthcare, or if you do contract work with the DoD, for example, you can pretty much do whatever you want and accept or mitigate risks to your own tolerance level. But I would not expect this to last, especially with the major cybersecurity incidents that have been in the news lately, and which are affecting businesses of all sizes, private and public sectors alike. Even though we do not have formal legislation yet, we can see the outlines starting to form; the Biden administration has proposed some initial steps via executive order, and I suspect that any proposed legislation at the national level in the wake of these nation-state cyber attacks will have bipartisan support.
While it is true that compliance doesn’t necessarily equal security, the thrust of most compliance requirements is usually related to staying more secure. So as I tell my customers, if you do cybersecurity really well, then you will find it is much easier to meet compliance requirements when and where they crop up (now and in the future). Helping organizations understand the risks they face and tracking their progress against a formal plan is an area that is still underserved. Most MSPs still think about security in terms of reselling endpoint security software or some other set of security products; you want to go beyond this thinking and help establish a permanent out-sourced CISO function and SOC services for your customers. Then on top of that, help them build a compliance management practice that they participate in maintaining (every organization should have a compliance officer as well as someone who is responsible for interfacing with any security & compliance vendors such as MSSPs).
In a nutshell
Perhaps you will think that my framework is too simple. It is deceptively simple, perhaps, only because this is a fairly high-level abstraction. There is a lot of stuff to work on here, just within the areas I have shared! And MSPs who want to thrive in the new world will need to embrace and excel in at least one of these three categories.
Some people imagine a fourth category that is purely business consulting of some type. Well, that’s fine if you want to pursue it, but just understand that I think “pure consulting” is a bit of a vague prospect for someone whose purpose has traditionally been tied to the technology that enables small and mid-sized businesses to do whatever it is they do. In other words, I think you are just starting a different business in that case (not Managed Services). If you are going to start a so-called pure business consulting practice then you have to get more concrete: come up with a very clearly defined benefit (i.e. measurable outcome) that you are delivering. In my mind, instead, it makes more sense to stick with focusing on how technology can be used to help businesses accomplish whatever it is they already do, but better, easier, in less time, with less risk, or whatever.
Last, if you believe that there are opportunities I have not seen, which are not captured in some way by one of these three categories, then I would love to hear your thoughts in the comments, below.
Another timely post. I’ve been thinking a lot about this of late and trying to write my own go to market strategic plan of what I can actually do to make things better for the users I’m trying to help be awesome at their jobs. But wondering if it is possible to be a one person MSP or MSSP successfully?
A couple of great books that can help get our heads out of the technology space and into the “Make End Users Awesome” space, which I believe is where we need to go, are:
1. Badass: Making Users Awesome by Kathy Sierra (also some YouTube videos that are highly watchable).
2. Ultralight IT: How I learned to stop worrying and love the cloud by Andrew R Schwab
I think if you find something you are really good at in one of the three areas, you will likely not run out of work. I know some who are only consulting on compliance, for example, and nothing else. Another who is running a small SOC based on Sentinel. Another who is 100% “Teams adoption” focused. Still early in the game, but some folks have already started specializing to great effect.
Larger MSPs will be able to do more, but they will have specialty roles or departments looking after each area.
Yes, I’m thinking of specializing in the area of Security and Privacy (can’t have one without the other). I’m not sure about audit, would need some sort of certification, ISO 27001 or perhaps CISA. NIST has recently updated SP-800-53a to Rev 5: SP 800-53A Rev. 5 (Draft), Assessing Security and Privacy Controls in Information Systems and Organizations.
Our peer group just spent a lot of time taking a few of these apart to examine the future potential and we couldn’t agree more!
I just read the post on Regarding365. To the point. European MSP and MS Gold Partner here. Move! We’ve been working for a year to make ourselves more visible in the cloud security space (we’ve been doing on-premises security very successfully for 10 years). Biggest success so far: one of our regular customers (worldwide business, 1400 employees) is very afraid of ransomware (but no incident yet). We recently won a competitive bid to move him to the cloud and provide security for him. Scope: over 100 person days. Migration only until end of December 2021. SIEM setup to follow in 2022. Customer has already called ahead.