May 11, 2021

Last Updated on January 14, 2024

It’s hard enough for outsourcers to choose the right Managed Service Provider (MSP). But how do MSPs go about finding the right customers?

To inform the MSP industry on everything from customers to trends to standards, a recent episode of The Virtual CISO Podcast features MSPAlliance cofounder Charles Weaver. Hosting the episode is John Verry, Pivot Point Security CISO and Managing Partner.

As John points out, “There’s a statistic that most businesses, especially services businesses, generate 130% of their profit from 80% of their customers. Which basically means those last 20% lose you 30%. I know that we’ve got a lot of good MSP partners that listen to this podcast. So how does an MSP select a good customer?”

“The MSP needs to be quite diligent in getting the right customers,” agrees Charles. “Because if you get the wrong customer, a weak-link customer, they could be just as damaging to you as a bad supply chain vendor, for a variety of reasons.”

“I believe that’s absolutely true with the ransomware epidemic we had the past 24 months,” continues Charles. “Getting back to what I said earlier about [security] controls filtering down to the customer level, that’s important work that we need to do. If the MSP doesn’t get a good handle on that, they’re dealing with a kind of maverick, wildcard customer that could really upend a lot of stuff for them. And that’s dangerous.”

“Is it that the MSP will end up with a customer that doesn’t listen?” clarifies John. “Are the customers that are not going to actually do what you say the ones that are going to cause problems? And if so, what are those problems? And then how would you not select those customers?”

“They would probably be the customer that says, ‘John, do I really have to use multi-factor authentication? It’s kind of tedious. It really is disruptive when I want to get on and do my day trading and play my games online. Can we just avoid that? Can you turn that off please? And, oh, by the way, I’ve got three or four consultants over here. They really need admin access to the servers that you’re managing. Would you mind turning that on for them?’” jibes Charles.

“So this is no different than what we do,” notes John. “What you’re saying is the primary test is ‘tone at the top.’ Get to the manager, get to the owner, get to the person who’s making the decisions. And if that person’s going to run fast and loose, you probably don’t want to work with them.”

“You have different styles, different sizes of customers and MSPs,” explains Charles. “But if the customer says, ‘Look, you’re not handling backup, but we back it up or we have another vendor backing it up. You’re not getting the multi-factor authentication business, but we already do that. Or we had it done by somebody else.’ The point is that it has to be done. And the MSP has to ask those questions. They need to know what they’re dealing with because they’re directly involving themselves in that customer’s business. And it can really blow back on them if something bad happens, ransomware being obvious.”

What’s Next?

“One of the things I’ve talked to MSPs about is that when a client doesn’t follow your guidance, and then you’ve got ransomware or some other type of security breach, [think of] the amount of time, energy and effort you’ll spend cleaning up that breach, and you probably aren’t being compensated for it,” cautions John.

Whether your company offers or consumes managed services, you’ll be glad you caught this candid conversation with MSP thought leader Charles Weaver, cofounder of MSPAlliance.

To hear the complete episode, click here. If you don’t use Apple Podcasts, you can access all our podcast episodes here.
