Security operations for MSPs are undergoing a structural shift from simply deploying additional tools to establishing a liability-focused accountability model, where the ability to provide operational evidence of controls is becoming as critical as the tools themselves. This shift is catalyzed by corporate insurance, procurement, and third-party verification structures—such as those cited by WatchGuard, Assurix, and the NIST AI cybersecurity overlays—demanding verifiable security outcomes and alignment with external standards, rather than relying on provider assertions alone.
Survey data referenced from Cybersmart and Beta News reveals that 75% of MSPs experienced at least one breach in the past year, while 54% endured multiple incidents; concurrently, SMB buyers state security is a top priority, but only 13% of microbusinesses operate proactively. According to WatchGuard’s global survey of 842 professionals, 94% of clients using dedicated MSPs feel adequately protected, yet 58% indicate intent to change providers within three years—highlighting a disconnect between perceived and delivered value. The emergence of Assurixs’ live MSP Trustmark, based on 64 operational controls, further formalizes evidence requirements as market prerequisites.
These dynamics are reinforced by shifts in insurer behavior and regulatory alignment. Huntress and Acrisure are collectively rolling out a cyber insurance package contingent on adoption of Huntress’s managed detection and response, explicitly tying coverage eligibility to verifiable provider-side controls. The maturing of NIST’s AI cybersecurity overlays introduces new standardized control checklists likely to become operational requirements. Additionally, reports from Omdia and MSP Channel Insights note that vendor ecosystems are now rewarded for integrating security as an outcome with automation and multi-tenant integration—reflecting market demand for reliable, defensible evidence of controls.
For MSPs and IT leaders, these developments drive the need to restructure contracts to clearly delineate evidence obligations, manage liability exposure, and price evidence production as a formal deliverable rather than as unreimbursed support. Failing to do so risks absorbing unfunded post-incident evidence work, margin erosion, and loss of control over the security value conversation. Operationally, maintaining live accreditations, standing up a formal evidence management function, and explicitly excluding unmanaged SaaS, identity, and AI workflows from baseline service tiers are becoming necessary to maintain profitability and accountability.
04:52 SaaS Blind Spot
07:16 Prove or Pay
10:24 Why Do We Care?
Supported by:
💼 All Our Sponsors
Support the vendors who support the show:
👉 https://businessof.tech/sponsors/
🚀 Join Business of Tech Plus
Get exclusive access to investigative reports, vendor analysis, leadership briefings, and more.
👉 https://businessof.tech/plus
🎧 Subscribe to the Business of Tech
Want the show on your favorite podcast app or prefer the written versions of each story?
📲 https://www.businessof.tech/subscribe
📰 Story Links & Sources
Looking for the links from today’s stories?
Every episode script — with full source links — is posted at:
🎙 Want to Be a Guest?
Pitch your story or appear on Business of Tech: Daily 10-Minute IT Services Insights:
💬 https://www.podmatch.com/hostdetailpreview/businessoftech
🔗 Follow Business of Tech
LinkedIn: https://www.linkedin.com/company/28908079
YouTube: https://youtube.com/mspradio
Bluesky: https://bsky.app/profile/businessof.tech
Instagram: https://www.instagram.com/mspradio
TikTok: https://www.tiktok.com/@businessoftech
Facebook: https://www.facebook.com/mspradionews
Hosted by Simplecast, an AdsWizz company. See pcm.adswizz.com for information about our collection and use of personal data for advertising.
[00:00:02] Security is consolidating into a liability stack where governance, evidence, and ecosystem alignment increasingly matter as much as the tools themselves. The MSP opportunity is not simply to add more security products, but to turn control evidence into a paid operating model. If consumers, insurers, and procurement teams begin treating proof as a condition of renewal, coverage, or premium service. This is the Business of Tech. I'm Dave Solt.
[00:00:33] The observable shift starts with four facts showing up at the same time. MSPs are reporting repeated breaches, customers are signaling willingness to switch providers, third-party verification models are emerging, and S&B buyers say security matters, even as their own readiness remains weak. Start with beta news, which cites a CyberSmart survey that found 75% of MSPs experienced at least one breach in the past year
[00:01:02] and more than half, at 54%, were breached two or more times, with 32% hit three or more times. In the same reporting, MSPs ranked AI as the top threat they're facing, and a majority said their customers' risk increased over the last 12 months. That's not a theoretical exposure. It's repeat, measurable incidents inside the provider layer.
[00:01:26] Now pair that with new research from WatchGuard, based on a global survey of 842 IT and cybersecurity professionals across 20 countries. WatchGuard's headline is a paradox. 94% of clients using a dedicated MSP say they feel adequately protected, yet 58% say they plan to change providers within three years.
[00:01:50] WatchGuard points to the drivers being rising costs without added value, major security incidents, and slow response times. Whatever good enough used to mean, it's being redefined in the market right now, and buyers are telling us they'll move. Then look at how the industry is formalizing proof.
[00:02:10] IT Channel Oxygen reports on Asurex, awarding what it describes as its first MSP trust mark in the UK, built around 64 security and operational controls, with the accreditation designed to be live evidence and subject to suspension if standards slip. The founders claim is that dozens of providers are already in assessment, and the goal is to scale to 1,500 UK MSPs over five years.
[00:02:37] Regardless of whether that specific number is achieved, the important observable fact is that third-party verification structures are showing up, and they're being marketed as buyer-facing credibility. And finally, MSP Channel Insights pulls in data from a global IDC study of 2,210 SMBs. 52% put cybersecurity and data protection among their top priorities. 60% plan to increase spend.
[00:03:04] Yet only 13% of micro-businesses describe their approach as proactive. The same coverage notes that half of SMBs reported a breach or attack in the past year, and that 81% say they're unprepared for AI-related threats. So those are the signals. More breaches, more switching intent, more formal verification, and buyers saying security matters, while admitting they're not ready.
[00:03:32] If you're listening to this and haven't hit follow yet on Apple Podcasts, search Business of Tech. It takes five seconds, and you'll get the next episode automatically. This episode is supported by Zero Networks. Cyber resilience is no longer a security team problem. It's a board-level business imperative. When an attacker gets inside a network, the real questions become, how far can they move? Can they get to the crown jewels? And how much of the business can they impact? And for how long?
[00:04:02] That's where Zero Networks comes in. Zero Networks helps organizations prevent attacks, minimize blast radius, and maintain business continuity, even when attackers get inside. Their micro-segmentation platform automatically builds segmentation policies based on how legitimate users and systems actually communicate, making every access and connection verified and intentional.
[00:04:27] The result for a threat actor is lateral movement is blocked and threats are contained before they can cause damage. Because it's not the breach, it's the damage. Contain the breach before it spreads. The question isn't if attackers gets in, it's whether your business stays running when they do. Zero Networks was built for exactly that. Visit them at ZeroNetworks.com
[00:04:53] The mechanism underneath this shift is that security has moved into the messy middle of modern operations. Identity, SaaS sprawl, cloud apps, and now AI-connected workflows. And most organizations don't have a clean, consistent way to see what's happening across all of it, let alone enforce the same controls everywhere. So the market keeps pushing security towards systems that can impose consistency.
[00:05:17] One view, one set of policies, one workflow for detection and response, one place to prove what happened. That's exactly what WatchGuard is signaling with its acquisition of Perimeters.io, and the launch of WatchGuard Cloud Detection and Response, Cloud DR. The pitch is not another tool. It's continuous visibility and automated response across more than 40 cloud applications.
[00:05:41] Microsoft 365, Salesforce, HubSpot, even OpenAI, delivered in a multi-tenant service designed for MSP operations. In plain terms, the control problem isn't at the endpoint anymore. It's in the cloud application layer, where misconfigurations, identity misuse, and shadow usage hide in plain sight, unless someone is stitching the story together. The same gravitational pull shows up in Omnia's cybersecurity MSP Ecosystems Leadership Matrix for 2026.
[00:06:11] The champions Omnia calls out, Acronis, Bitdefender, ESET, Sentinel-1, Sophos, WatchGuard, aren't being rewarded for single features. They're being rewarded for building ecosystems that assume security is delivered as an outcome through automation, multi-tenant integration, and tight linkage into PSA and RMM operations. That's the market preference. Fewer handoffs, fewer swivel chair processes, more repeatable execution. That's the mechanism.
[00:06:40] Evidence becomes valuable only when an outside party makes it economically consequential. That can happen when a customer makes proof part of renewal or procurement. An insurer makes controls part of eligibility or claims review. A trust mark becomes recognized enough to influence selection. Or the MSP uses evidence obligations to separate premium-managed environments from unsupported risk. Without one of those triggers, evidence ops is internal overhead.
[00:07:10] With one, it becomes a pricing, retention, and liability management tool. So the consequence is not just more security work. It's a change in where responsibility lands. That is the operator consequence. Insurance, AI governance, and cloud application security are all turning evidence into an operational deliverable.
[00:07:33] If the MSP does not define that deliverable in the service model, the market will define it during renewals, audits, incidents, and claims reviews. Here's your first proof point. Huntress and Acresure are rolling out a cyber insurance program that offers eligible businesses access to cyber or tech E&O coverage with no deductible,
[00:07:54] and a streamlined application process, specifically tied to organizations using Huntress' managed endpoint detection and response and identity threat detection. That's a clean market signal. Insurance is increasingly being packaged around the assumption that the provider's security operations are part of the risk process. When underwriting starts to ride on whether a certain kind of managed detection and response is in place, you're no longer just selling security.
[00:08:21] You're selling something that has to survive an external review of controls, coverage terms, eligibility criteria, and the conditions under which a claim gets paid. In that world, the MSP gets pulled into the question of what was deployed, how it was run, and what proof exists that it was operating as intended. Your second proof point is NIST moving quickly toward AI cybersecurity guidance,
[00:08:48] including staged control overlays for predictive AI and then agentic AI. The detail that matters here is the direction, guidance that can be turned into checklists, assessments, and show your work requirements. Once those overlays exist, the conversation stops being, are we being responsible, and becomes which controls are in place, how do we know, and where is the record?
[00:09:13] One path is to become the MSP that simplifies and governs the automation layer, documenting controls, managing identity and permissions, preserving logs, producing audit-ready artifacts, and making security something you can prove. The other path is to keep absorbing complexity as it spills out of cloud apps, AI workflows, and compliance overlays.
[00:09:34] Getting the incident call, getting the blame-adjacent questions, and doing the evidence work anyway, just without scope, contrast language, or margin. This episode is supported by Halo. Halo. There's a moment many MSPs eventually reach. The PSA they started with worked well early on, but as the business grows, workflows get harder to manage, automation becomes complicated, and the systems start shaping how the company operates.
[00:10:03] Halo PSA is designed for service providers who want more control over how their operations run, from ticketing and service delivery to billing and workflow automation. That's one reason Halo PSA often comes up when MSPs start evaluating their next PSA platform. You can learn more at usehalo.com. Why do we care? Because the bad MSP decision is to treat this as another tool selection cycle.
[00:10:32] The structural shift is not that customers need one more security product. It's that customers, insurers, procurement teams, and trust frameworks are beginning to ask whether security can be proven after the fact. If an MSP administrator stands that, it will keep selling protection while giving away proof. It will absorb evidence requests during renewals, claims reviews, incidents, and audits as unpaid support work.
[00:10:58] This is where margin leaks, liability expands, and the provider loses control of the security conversation. The strategic question is whether evidence-backed security becomes a paid operating model or remains a reactive burden hidden inside support. So what to consider? Restructure contracts to explicitly scope evidence obligations.
[00:11:23] Unmanaged SaaS applications, unmanaged identities, and ungoverned AI workflows should carry explicit exclusions, separate line items, or premium tier requirements. Otherwise, the MSP absorbs post-incident evidence work without contract language, margin, or liability boundaries. Treat trust marks as a 12- to 18-month investment with uncertain payback.
[00:11:51] Assurex and similar frameworks are worth monitoring for buyer adoption signals, specifically whether enterprise procurement teams, insurers, or channel buyers start recognizing them. The hidden flaw is that trust marks only create pricing power if the market understands them. Pursue accreditation only if you have the operational infrastructure to maintain it continuously.
[00:12:17] A suspended trust mark is worse than no trust mark. And stand up an evidence op function, even if it starts as one named owner with defined scope. That owner should be responsible for control mapping, log retention standards, monthly evidence packs, and post-incident documentation. Without ownership, evidence production stays reactive, inconsistent, and unpriced.
[00:12:44] If this trend continues, MSPs will be selling evidence-backed security tiers within three years. Premium packages will be priced around insurer-recognized controls, monthly evidence packs, and contractual response documentation. While lower-tier customers receive explicit exclusions for unsupported SaaS, unmanaged identities, and ungoverned AI workflows. This is the business of tech.
[00:13:15] Want more from the business of tech? Join Business of Tech Plus for ad-free episodes, early interviews, extended cuts, subscriber-only shows, and exclusive member perks and analysis. Sign up at businessof.tech.com. And follow this show on your podcast app. And if you're on YouTube, hit subscribe and the bell so you never miss a story. Reviews and comments help spread the word, too. Interested in advertising?
[00:13:42] Head to mspradio.com slash engage. The Business of Tech is written and produced by me, Dave Sobel, under ethics guidelines posted at businessof.tech. Thanks for listening. I'll see you on the next episode. Part of the MSP Radio Network.