The MSP Zone

Ep 277
The Great MSP Reset
Recently, at the MSPAlliance Inspire meeting, I witnessed something I've never seen before, something I'm now calling the "great MSP reset." This reset is an accumulation of several different things happening at roughly the same time and I think it bodes well for the future of the managed services profession. Here's what I witnessed.
MSPs are going through significant equity changesRetirement
Change of leadership
Making room for new blood
These are not M&A deals, but continuity of MSP operations
 
MSPs are making tool changesIf you don't innovate as an MSP tool vendor, you risk being replaced
Some MSPs are taking 20 year relationships (such as a PSA tool) and switching to newer vendors who promise more innovation, new approaches to technology, and better attention to the needs of the MSP
MSP process overhaulsA lot of the MSPs are going through sweeping changes to their policies, procedures, and processes.
Much of this is organic and is NOT due to the change in their vendor tools, but a lot of the MSPs are using the tool changes as an excuse to overhaul their processes
 
These activities, taken in their totality, represent a very clear sign that there is a lot of positive change taking place in the managed services profession.

Does EBITDA Matter for MSPs?
The term EBITDA is not something a lot of MSPs fullly understand or use regularly. As a financial tool, it is worth knowing how it is used and why. But, should you use EBITDA as a metric for managing your MSP practice? Maybe, maybe not.
To answer this question, we must define EBITDA, look at how it is used within general accounting, and more specifically how it is used within MSP M&A and investing. Only then can you know whether EBITDA is something you should use regularly as a guidepost for running your MSP practice.

A lot of MSPs spend the majority of their time focused on revenue growth, and for good reason. If you're not growing, you're shrinking.
But, not all revenue is the same. In fact, some revenue types may actually be harming your managed services growth. Confused? Don't be. There are some really simple metrics you can use to begin aligning your MSP practice towards a pro-growth future.
 
Revenue Mixture: What is it? Proactive IT offerings (i.e., your managed services deliverables)
Professional services (non-recurring services such as consulting)
Hardware & Software
Revenue Mixture and Why It's ImportantRevenue mixture can tell you a lot about who you really are
One of the most important MSP KPIs you can track
Revenue mixture can help your MSP practice Promote proactive IT products
Properly prioritize your reactive revenue streams
Add discipline to your practice regarding new clients
Improve valuation

Recently, one of our members reached out with some questions about how to achieve growth while simultaneously addressing a sizeable break/fix client base. It's a really good question and one that I know a lot of MSPs face.
First, acknowledge that break/fix customers inhibit managed services growth
Second, have a plan to migrate those break/fix customers to managed services plans
Third, execute your plan and have a timeline. Don't make it an "open-ended" strategy.

It's that time of year again. Time to review the past year and look to the future and predict what is likely to happen.
 
The MSP world is changing more rapidly than ever before. Let's take a look at what 2024 has in store for the MSP profession.
 
Ransomware Responses Changing: MSPs (and customers) have to look at ransomware in a very different way in 2024. As numerous governments worldwide continue to march towards inevitable prohibition of ransomware payments, MSPs need to adapt to this evolving threat response and develop new service delivery models to help their clients prepare for breaches and attacks.
 
Break/Fix is still dead. If you are clinging to reactive IT service delivery models, be aware that the break/fix business model is still dead. If you have reactive clients, either a) convert them to managed services, or b) terminate your relationship with them. It may sound harsh, but times change and we all have to keep up with change!
 
AI or no AI, that is the question: No matter what your opinion of AI happens to be, you have to have one (an opinion, that is). Some MSPs are pursuing AI technology to be a force multiplier of their existing team, while other MSPs are having to confirm to customers that AI will not be part of their managed services experience.
 
Create your MSP Baseline: All MSPs should be entering 2024 with the objective of creating an MSP baseline. What is an MSP baseline? The minimum requirements you have for any managed services customer. This baseline will be different for each MSP. But you should have one because we are now at a point in our profession where all organizations ought to be practicing some minimal level of security standards.
 
Review/Adjust MSP Pricing: Once you have created your MSP baseline, then the fun begins. It's now time to establish or adjust your risk based pricing models. It does not matter what type of pricing model you use, you can always apply a risk based pricing element to that model. Implementing a risk based pricing model with the aid of managed services baseline becomes incredibly easy; or at least much easier than trying to apply some regional minimum wage labor rate model.
 
What's your compliance situation? Compliance is one of those topics (like AI) where you have to have a position. As so many customers are turning to their MSPs for help with compliance related matters, MSPs cannot claim ignorance on the subject of compliance. Whether you have a formally developed CaaS/vCISO/vCIO program, or you are just casually helping clients fill out cyber insurance forms, MSPs have an undeniable role to play in modern compliance and should act as such.
 
XDR Upgrade: For those of you still using (or selling) legacy anti-virus and firewall technologies, it's time to upgrade your tool belt. For MSPs, it is considered a current best practice to have some form of XDR technology deployed internally in your MSP practice. For customers, XDR would also be considered a modern day best practice for any sized organization. If your NOC/helpdesk team is stretched thin, consider a managed XDR/EDR solution (they'll thank you for it).
 
Get Cyber Verified: It's 2024. If you haven't started the process of getting your Cyber Verify certification, you should start your planning. Not only will it open up new opportunities for your MSP practice, it's also a great way to simultaneously achieve compliance with many globally recognized certifications and audits!

MSPs vs Vendor Controlled Remote Access
The FBI advisory to private sector industries was released and raises some interesting questions regarding MSPs. While not specifically mentioning MSPs by name, the advisory covers general threats from ransomware and how they are being executed.
Doesn't mention MSPs, but they are clearly being addressed in this notice
3rd parties and legitimate system tools
All the guidance the FBI provides is already well established in the MSP Verify program
 
Unmanaged vs Managed IT
Unmanaged Devices - still think break/fix is an effective IT management model?
“80 to 90 % of all compromises originate from unmanaged devices...Most human-operated ransomware attacks attempt to compromise or gain access to unmanaged or bring-your own devices (personal devices used to access work-related systems and information). These typically have fewer security controls and defenses" - Microsoft
 
If you read this Microsoft quote and still think reactive IT is a viable business model or IT management model, think again.
Break/fix or reactive IT is not managed IT, it's IT crime scene clean up
If you are like many MSPs have a mixture of managed services and reactive IT clients, have a plan to deal with this situation
If rising cyber premiums, guidance from the FBI and countless other government agencies, and overall awareness about cyber threats are not enough to convince your break/fix clients, guess what, they're using you to offload their risk.
 
My M&A Challenge to MSPs in 2024
I would like to encourage those MSPs out there attempting M&A strategies to consider this challenge for 2024. You may be surprised by what I have to say, but if you think about it I hope you will see the logic and value behind it.
What is your M&A strategy and how does it fit into your overall strategy?
M&A isn't a corporate growth strategy
M&A challenge for 2024Geography
Service expansion
Market/customer expansion
Revenue doubling

The end of Ransomware?
You may have seen some news lately about the US government working with other governments to ban ransomware payments. Well, I'm not so sure it will stop ransomware but it is an interesting topic and something we should discuss.
Banning ransomware; what impact would it have?
Government bans on ransomware payments will change how MSPs "manage" those clients
Private sector should pay attention
 
 
Can MSPs be more proactive?
I read an article who's headline talked about MSPs being more "proactive" with their customers. It occurred to me that this type of guidance is not aimed at MSPs, but instead at break/fix companies. Which begs the question, why include MSP in the title at all? And there lies the problem. These articles cannot distinguish between MSP and non-MSP.
Reactive IT providers…there are expectations you must meet when joining the ranks of the professional MSP
Being more proactive means being an MSP; that's the point!
You can't be a little proactive; it's either all in or nothing at all
 
You can't "resell" compliance
 
vCIO or CaaS offerings depend on your familiarity in speaking the MSP compliance language. We are talking to a lot of MSPs today who look at compliance in a way that is very short sighted and not what will make a competitive difference in the MSP organization over the long run.
 
What does it mean to "speak MSP compliance?"
Understand compliance frameworks which matter to your customers
Understand the role your MSP organization plays in customer compliance
Reselling a GRC tool does not make you a compliance expert

There is no recession in managed services
You may be watching the economic news out there and thinking to yourself, how will this impact my managed services business. It’s a good question to ask.
 
Economic indicators seem to be pointing to some form of recession or slowdown (some call it a soft landing) in the near future. For all we know we might already be in a recession. But, does a recession mean MSPs are going to be hit as well? Not if the past is any indicator.
Historical recessions impact on MSPs
Gartner IT spending projections looking really good
How to prepare for economic downturns
Managed services (including security) should be a significant shelter from any storm
vCISO, vCIO, CaaS offerings will strengthen any managed services practice
 
Should MSPs be concerned about job loss to AI?
Ever since ChatGPT launched many articles have been written about AI causing massive job loss in the future. While I would agree there are industries in dire need of innovation which typically cause large scale job shifts, managed services is not one of them.
Job openings in managed services profession still unfilled
AI is not going to solve anything close to all the labor shortages facing MSPs
AI still needs to be managed (managed AI?)
AI should be evaluated as an extension of your MSP workforce, not a replacement of it
 
Advice for 1 person MSPs
There is nothing more exciting (or scary) than being a one person business owner. Managed services, like many other professions, has its share of one person MSP shops. I recently talked to one such MSP who wanted advice on how to grow beyond just himself.
Partners
Employees
Capital
Organic (can be tough and take a while to see results)

In this riveting podcast episode, join us as we delve deep into the intricate landscape of recent high-profile cyber-attacks that have sent shockwaves through the digital realm. Our seasoned guests, Shannon Wilkinson, the CEO of Tego Cyber, and Brent Watkins, the Director of Business Development at Tego Cyber, step into the MSP Zone to unravel the layers of these incidents, providing invaluable analysis and guidance that every Managed Service Provider (MSP) should heed.
 
Our exploration begins with a meticulous examination of three notable targets—MGM, Caesars, and Okta—each falling victim to distinct cyber onslaughts. We not only examine the sophisticated methods employed by the attackers but also dissect the responses undertaken by the affected organizations.
 
As organizations increasingly rely on dynamic and interconnected systems, change management processes become a potential vulnerability ripe for exploitation. Our guests shed light on how attackers leverage change management loopholes, emphasizing the critical need for MSPs to redefine their strategies and bolster defenses in this evolving threat landscape.
 
Tune in for a captivating journey through the intricacies of cyber warfare. Whether you are an MSP looking to sharpen your defense strategies or a cybersecurity enthusiast keen on staying ahead of the curve, this episode promises to be a compelling source of insights and actionable takeaways.

How are MSPs dealing with CMMC? John Burgess, from Mainstream Technologies drops into the MSP Zone to discuss how MSPs should deal with the changes coming from CMMC, but how they can stay ahead of them as well. 
Regardless of where you stand on the issue, having something to say about compliance is a wise thing these days. MSPs with exposure to CMMC have a lot of revenue and trust potential, if they act. If MSPs stay silent on the issue when asked, that could lead to an erosion of trust and lost opportunities.
MSP Zone Highlights:
What is happening right now in the CMMC/DIB community?
What opportunities are there for MSPs and CMMC?
What can MSPs do during cybersecurity awareness month?