Your MSP Isn't Your Security Advisor. And That's Okay.

You hired a Managed Service Provider (MSP) for a reason.
You need someone to manage your help desk, patch your software, and keep your business running smoothly. The last thing you want is another thing to manage. You trust them to handle the tech, and maybe even a little bit of the security.
But here’s a hard truth most people won't tell you: your MSP, no matter how good, is not an independent security advisor. And thinking they are could be one of the biggest risks your business faces. No criticism of MSPs—but this is a critical distinction you need to make that can save you from a major security incident.
A successful security partnership with a managed service provider (MSP) isn't about outsourcing your strategy; it's about executing a shared one.
Before engaging an MSP, you must first develop your own clear security strategy, defining your specific objectives and what success looks like for your organization. This foundational work allows you to enter the partnership as an informed client, ready to jointly establish KPIs and a mutual scorecard. This proactive approach ensures their performance is measured against your standards and that the partnership remains focused on achieving the outcomes that truly matter to your business.
The "Superstore" Analogy
Think of your MSP as a superstore. They sell everything from antivirus software to cloud services. This convenience is great, but just like the superstore might push a brand that gives them a better margin, an MSP may favor a security tool because it fits their business model, not because it's the absolute best fit for your unique needs.
Sometimes this is a problem of alignment. They are motivated to sell and support the tools they are familiar with.
But your business is motivated by a different set of factors:
- Your specific industry compliance requirements (e.g., HIPAA or HITRUST for healthcare, SOC2, ISO, or CMMC for other industries).
- Your executive team’s risk tolerance.
- Budget and resource realities.
- The contractual demands of your biggest clients.
When your MSP is the one making the recommendations, you're not getting a bespoke security strategy—and again, that’s okay. Shopping at a superstore is extremely useful. Just know that the products available at the health food store down the street are different, and you might need those too.
“The allure of new technology often overshadows the less glamorous, but more critical, work of defining policies and procedures. Yet, without that governance, even the most advanced security tools will fall short.”
The Audit Nightmare: From Template to Trainwreck?
You’ve heard it before: “We need to get our policies in order.” Many MSPs will offer a quick-fix solution—a generic security policy template. It’s an easy checkbox to tick. But as Cody Rivers pointed out, this is a dangerous shortcut.
Auditors aren't fooled by shelfware. They'll ask for evidence that you're actually following those policies. They'll want to see how your team handles data, responds to incidents, and trains employees. If your documents are just downloaded templates, you'll fail this test every time. The gap isn't in the tech; it's in the operational, procedure-driven stuff that most MSPs aren't built to handle. This is the difference between merely having a policy and having an authentic culture of security.
The Path to True Security: Building a Smarter Partnership
The goal isn't to replace your MSP—it's to empower them. Here's how a more innovative approach works:
- Get a Plan First: Before you buy a single security tool, work with an independent advisor to create a strategic roadmap. This plan should be based on your specific industry, your data, and your compliance needs. It's your "retirement plan" for business technology.
- Define Your Needs: The advisor helps you understand what you need, not just what's being sold to you. This might mean you need a specific compliance framework, a more robust disaster recovery plan, or better risk management processes.
- Empower Your MSP: Once you have the plan, you can go to your MSP and say, "Here's our security roadmap. We need your team's technical expertise to implement these specific controls." You're no longer asking them to lead your strategy; you're directing them to execute it.
This approach creates a powerful and honest partnership. Your MSP can focus on what they do best—providing excellent IT services and remediation. Meanwhile, your business benefits from a security strategy that is truly its own. In the end, it’s not about finding the perfect MSP; it's about making sure your MSP fits perfectly into your bigger picture.
“MSPs are phenomenal and they’re necessary, especially in a small or medium ecosystem.”
Final thought: Don't let the promise of a one-stop shop leave you with a patchwork of solutions and a false sense of security. Take control of your security strategy, and let your partners do what they're truly great at.