For MSPs, It’s Time to Go Pro

Author: Rich Freeman

To amend the famous words Marc Andreessen wrote over a dozen years ago, software and services are eating the world.

Unless it’s really just the services. True, global software spending will spike 12.7% to just over $1 trillion this year, according to data from Gartner this week, but global services spending will rise an also robust 8.7% to a bit more than $1.5 trillion, surpassing outlays on software, hardware, telco, and everything else the analyst tracks for the first time ever.

Not all of that money will flow to providers of managed services specifically, but a lot of it will if 2024 is anything like 2023. As of September, worldwide managed services revenue was on track to climb 12.7% last year to $472 billion, according to Cisco-funded research by Canalys.

A pile of money that big inevitably draws attention from people who might like to pocket some of it. And sure enough, according to Canalys, the number of IT providers worldwide making at least 30% of their revenue from managed services grew an estimated 17.3% between 2019 and 2022, the most recent year for which data is available.

Would it shock you to learn that some of those managed services newcomers aren’t terribly good at what they do?

“When people saw that there’s so much money in managed services, they rushed in, signed the contracts, took the money, and didn’t deliver the services,” says managed services consultant Karl Palachuk (pictured), who is also founder and a board member of the National Society of IT Service Providers (NSITSP), a professional association for IT consultants serving SMBs. “A good piece of our business, unfortunately, remains cleaning up after those people.”

That’s not the only way they’re making life harder for legitimate MSPs either. “We have enough of those bad actors that we’re almost entering a perception that we’re like used car salesmen,” Palachuk laments.

Except, of course, that it’s harder to be a used car dealer than an MSP. Used car dealers are subject to federal regulations.

“People who do tech can call themselves an MSP any time of day,” notes David Jooste, an MSP who also serves as president of the Managed Services Provider Association of America (MSPAA), which helps businesses find trustworthy MSPs. “You get students coming straight out of school who are now calling themselves MSPs.”

All of which brings up a not exactly new but arguably neglected topic: What constitutes professionalism in managed services, who gets a say in the matter, and how much power should they have to prevent fly-by-night amateurs from harming reputable MSPs and their clients alike?

Answers are scarce right now. The NSITSP, which some two and a half years after its founding has just shy of 1,000 members, has developed a code of ethics for MSPs to follow and promote, while the MSPAA is building a directory of MSPs capable of passing an eminently reasonable vetting process that begins with confirming they have an SSL-certified website.

“An MSP is supposed to be a specialist in technology,” Jooste observes. “If they can’t do security certification on their website, then they’re someone we’re not really interested in.” Further steps determine if the MSP has a business license and provides reasonably responsive support from a U.S.-based help desk during U.S. business hours (MSPAA staff call to make sure).

All of that is baby steps in a process that Jooste and Palachuk agree should ultimately graduate from defining professionalism to enforcing professionalization, regulations of the kind that make calling yourself a doctor, lawyer, or accountant without clearing rigorous standards illegal.

“In the long term, we would like to move towards some minimum requirements,” Palachuk says. “If you’re going to call yourself a professional in this industry, in any industry, you should have a business license, you should have insurance, you should have workers comp, you should sign contracts with your clients,” says Palachuk, who like his NSITSP peers believes IT providers themselves should be the ones to determine qualifications and decide who meets them.

We’re nowhere near there at the moment, but joining organizations like the NSITSP is one way MSPs can help shorten the journey. Holding yourself to high standards, if no one else will, is a good interim step too.

“Professionalism is one of those things where I know it when I see it,” Palachuk says. “It’s that view that there’s a right way to do things. At the end of the day, I think that’ll take you a long ways.”

The more things change in BDR, the more they stay the same

Professionalized MSPs would be new to our industry. So too, it unfortunately seems, would be fully protected data.

Such appears to be the case, anyway, for a huge majority of organizations, according to Veeam’s 2024 Data Protection Trends report, out this week. A whopping 85% of participants in that study acknowledged an “Availability Gap” between how quickly they can recover data after an outage or cyber incident and how quickly users need them to, and 76% admitted a “Protection Gap” between how often they backup data and how much of it they can afford to lose.

Indeed, just 58% of servers inspected during backup tests are ready in time to meet SLAs, according to the 1,200 organizations of all sizes Veeam polled this year. “Businesses are not as recoverable as they think they are,” says Dave Russell (pictured), Veeam’s vice president of enterprise strategy.

Note the words “during backup tests” in that last paragraph too. On average, participants in Veeam’s study test once every 7.3 months, way up from every 4.4 months just two years ago. Many organizations, according to Russell, pretty much never test.

“Ignorance is not bliss in this scenario,” he says.

One big reason organizations choose ignorance over regular testing, Veeam surmises, is how many of them rely on manual processes to recover servers. Just 13% of surveyed end users include automated, orchestrated workflows in their failover/failback procedures.

“It is impossible, literally impossible, to do cyber or disaster recovery if you are not using orchestration,” says Jason Buffington, Veeam’s vice president of market strategy.

But fear not, readers. While businesses clearly don’t excel at protecting their most valuable asset, they are making progress. A hair under three-fourths of them now use a third-party backup or backup-as-a-service solution to safeguard their Microsoft 365 data. The first time Veeam published this report in 2020, fewer than one in five did, with most of the others assuming the recycle bin was all the protection they required.

“I love the fact that in really just a three- or four-year window, we really have seen this mega shift where the majority of organizations now recognize, yes, you’ve got to back up SaaS,” Buffington says.

Two more noteworthy findings in the study, which is worth reading in full:

1. BDR and security are as previously reported increasingly indivisible parts of one big, urgent necessity. Integration with cybersecurity tools was the most widely cited characteristic of a “modern” or “innovative” data protection solution among survey participants, in fact, and enhanced detection/remediation capabilities was the second most widely named reason businesses would consider switching backup solutions.

“That’s just showing that cyber activity, ransomware, is becoming an enormous opportunity cost in organizations,” says Russell, noting that roughly 60% of poll respondents have been hit with two or more ransomware attacks in the last 12 months. “Organizations are scrambling to try to figure out how they’re going to respond.”

2. Data protection professionals don’t much love their jobs. Some 47% of them call it very likely or a sure thing that they’ll change employers within the next year, and another 12% say it’s somewhat likely. Bad news for corporate IT departments. Good news for the channel.

“As organizations are struggling with onboarding or losing key individuals, managed service providers and experts and integrators become even more valuable,” Buffington says.