I’ve spoken to countless MSPs looking to elevate their security game and provide a stronger offering for their clients. Yet, many find themselves stuck—unsure where to begin or what roadmap to follow to help them scale and meet compliance standards. If that sounds familiar, you’re in the right place.
In this post, I’m excited to share a framework I built specifically for MSPs to scale their operations and boost the cybersecurity of their downstream clients. It’s all done in four repeatable steps, and I’ll show you how to streamline this process using CloudCapsule, a tool that automates your Microsoft 365 security assessments against the CIS Controls.
By adopting this framework, you’ll:
- Organize your MSP to a standard: Deliver consistent services across all clients.
- Boost client profitability: Reduce operational overhead and open up new revenue streams.
- Reduce reactive hours: Spend less time firefighting and more on strategic work.
- Monitor and continuously improve: Track security progress across all your clients.
So, let’s dive into how you can scale your MSP while improving client security.
Why Standardization Matters for MSPs
Before we jump into the framework, it’s critical to understand the power of standardization. One of the biggest challenges MSPs face is the tendency to be reactive. This often stems from the “break-fix” days, where we were constantly putting out fires. But in today’s landscape, where security is paramount, being proactive and standardizing your operations is key to success.
Standardization involves organizing your MSP processes so you deliver consistent services across all clients. This reduces reactive hours and increases profitability by ensuring that the same high standards are applied universally. Standardizing also helps with managing client security policies, reducing alert fatigue, and enabling your team to focus on more valuable work. While you can build out your own standards model, I would recommend using the CIS Controls or NIST CSF as a north star to stay organized and have a great message to deliver to clients.
The Problem with Vendor Overload
A common issue I see in the MSP space is the overwhelming number of security vendors being used to “fill gaps.” While this might seem like a good idea at first, it often leads to a vicious cycle of managing too many tools and getting bogged down in alerts, leading to alert fatigue and reduced profitability.
A metric I recommend tracking is Reactive Hours per Endpoint per Month (RHEM), which measures how much time your technicians spend on reactive tasks for each endpoint. The more vendors you have, the more your RHEM goes up. To truly scale, you need to simplify your vendor stack and move away from reactive security management.
To be clear, I am not picking on any of the vendors in this diagram. I am simply making the point that many MSPs layer in a bunch of vendors versus thinking strategically about the standards they apply across customers.
Step 1: Audit & Assess
The first step in the framework is to audit your clients’ environments. This involves taking a deep dive into their current security posture and comparing it to your standardized security baseline.
At this stage, you’re conducting a gap analysis, identifying where each client stands in terms of security maturity and what needs to be done to bring them up to your standards. Whether you’re onboarding a new client or reviewing an existing one, the audit provides the foundation for the work ahead.
Using CloudCapsule, you can automate these audits for Microsoft 365 environments, mapping them directly to the CIS Controls. This gives you a clear picture of where your clients stand and helps you start closing security gaps.
Step 2: Plan & Prioritize
Next, you’ll need to plan your next steps. This is where you prioritize the key security projects based on their impact and effort.
For example, rolling out MFA (Multi-Factor Authentication) might be a higher-effort project that requires careful planning, while enabling third-party app restrictions may be a quick win with high security impact.
During this phase, you can also identify upsell opportunities by offering project work to improve the client’s security posture. MSPs that take this approach not only increase their revenue but also demonstrate their value by proactively improving client security.
Step 3: Implement & Automate
Once you’ve planned, it’s time to implement the necessary changes. I prefer the term “implement” over “remediate” because we’re talking about building proactive systems, not just fixing issues as they arise.
For instance, if you find a bunch of dormant user accounts in a tenant, you don’t just want to disable them—you want to implement policies that prevent dormant accounts from piling up in the first place. This might involve tightening up your user offboarding process and automating the removal of dormant accounts with tools like Power Automate or third-party solutions like Rewst.
The goal here is to standardize your processes across all clients and reduce manual effort by automating as much as possible. CloudCapsule can help by acting as your baseline to ensure all tenants are configured to your standards.
Step 4: Monitor & Continuously Improve
The final step in the framework is monitoring. You’ll want to keep a close eye on any drift or deviations from your established standards. For example, if a user is excluded from an MFA policy or a non-compliant device is added, you should have alerts in place to detect and correct these issues proactively.
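To make the dormant-account check from Step 3 and the drift check from Step 4 concrete, here is an added example (not code from the original post or from CloudCapsule) that runs both checks over a constructed tenant snapshot. The snapshot fields, the baseline values and the `breakglass` allow-list entry are all assumptions; in practice the snapshot would come from your audit tooling or a Microsoft Graph export.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample snapshot of one client tenant (not real data): the kind
# of per-user export an automated Microsoft 365 audit would produce.
SNAPSHOT = [
    {"upn": "alice@contoso.example", "enabled": True,
     "last_sign_in": "2024-05-30T09:12:00Z", "mfa_excluded": False},
    {"upn": "bob@contoso.example", "enabled": True,
     "last_sign_in": "2024-01-03T17:40:00Z", "mfa_excluded": False},
    {"upn": "svc-backup@contoso.example", "enabled": True,
     "last_sign_in": None, "mfa_excluded": True},          # never signed in
    {"upn": "carol@contoso.example", "enabled": False,
     "last_sign_in": "2023-11-20T08:00:00Z", "mfa_excluded": False},
]

# Hypothetical MSP baseline: maximum inactivity before an enabled account
# counts as dormant, and the only accounts allowed outside the MFA policy.
BASELINE = {
    "max_inactive_days": 90,
    "allowed_mfa_exclusions": {"breakglass@contoso.example"},
}

# Fixed "now" so the example is reproducible offline.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def find_dormant(users, max_inactive_days, now=NOW):
    """Enabled accounts with no sign-in inside the inactivity window."""
    cutoff = now - timedelta(days=max_inactive_days)
    dormant = []
    for u in users:
        if not u["enabled"]:
            continue  # already disabled; nothing left to remove
        last = u["last_sign_in"]
        if last is None:
            dormant.append(u["upn"])  # never used: dormant by definition
            continue
        if datetime.fromisoformat(last.replace("Z", "+00:00")) < cutoff:
            dormant.append(u["upn"])
    return dormant


def find_mfa_drift(users, allowed_exclusions):
    """Enabled accounts excluded from the MFA policy without an approved exception."""
    return [u["upn"] for u in users
            if u["enabled"] and u["mfa_excluded"]
            and u["upn"] not in allowed_exclusions]


def audit_tenant(users, baseline, now=NOW):
    """Run both checks; a non-empty list is a finding to alert on."""
    return {
        "dormant": find_dormant(users, baseline["max_inactive_days"], now),
        "mfa_exclusion_drift": find_mfa_drift(users, baseline["allowed_mfa_exclusions"]),
    }
```

Running the same function across every tenant snapshot gives a consistent, baseline-driven list of findings, which is what the monitoring step needs to alert on.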
The beauty of this framework is that it’s repeatable. By monitoring security continuously, you can ensure that clients are always compliant, and you can provide regular updates on their security posture.
In addition to monitoring, make sure you report your progress back to the client. This helps reinforce the value of your service and keeps clients engaged in their own security journey.
Wrapping Up
By following this four-step framework, you’ll be able to scale your MSP operations while improving security across your entire client base. You’ll also reduce reactive hours, increase profitability, and set your MSP apart as a proactive, security-first provider.
Ready to level up your security assessments? Check out CloudCapsule—a powerful tool that helps MSPs like you automate and streamline Microsoft 365 security assessments. You can run a free assessment to see what it’s all about.