Regulation is coming to MSPs, who will stand up and lead?

Louisiana was the first state to sign into law any sort of regulation around MSPs and MSSPs, but it won't be the last. Someone from within the industry must step up now.

Dave Sobel is the host of the podcast "The Business of Tech" and co-host of the podcast "Killing IT." In addition, he wrote Virtualization: Defined. Sobel is regarded as a leading expert in the delivery of technology services, with broad experience in both technology and business.

This week, Sobel examines how Louisiana's law regulating managed service providers and managed security service providers has now gone into effect. He doesn't see this as a one-off, but rather sees more to come. So, he dives into how the industry needs leadership and discusses who may be an option.

Transcript follows below

Doctors have been regulated since the beginning of time. The Code of Hammurabi (circa B.C. 1740), included sections for physicians, surgeons, vets, midwives and nurses. The Hippocratic Oath dates to the Greeks and Galen, A.D. 130-200, established clinical guidelines and regulations. Even in the medieval days, guilds and universities managed the marketplace. Today, this is managed by organizations like the American Medical Association, having progressed from informal to more formal training programs.

Lawyers likely started as orators in ancient Greece, and by the time of the Roman Empire, Emperor Claudius is recognized as establishing rules in the space. In the U.S. -- even in the early days of the colonies -- a move to formality began a process initially grounded in apprenticeships, and early local bar associations were social groups with little to no responsibilities for quality of admission or performance. By 1890, these groups were leveraged to organize, discipline and professionalize lawyers, eventually leading to the national American Bar Association to maintain control over state bar examinations.

Modern accounting can be traced all the way back to Mesopotamia, and the Greeks and Romans had detailed processes for the accounting of money. Medieval Europe established double-entry bookkeeping, and the modern profession of the chartered accountant originated in Scotland in the nineteenth century; in July 1854, the Institute of Chartered Accountants of Scotland in Glasgow petitioned for a Royal Charter. Similarly, this spread to England and the U.S., where the American Institute of Certified Public Accountants was established in 1887.

Why all this history regarding regulation?

Technology companies want to be engaged the same way doctors, lawyers and accountants are, despite not having quite the long thousands of years of history. It's certainly possible, and there is a lesson to be seen in this pattern.

Each started with expertise, had a formation of guidelines, loose affiliation groups pushed for more formal recognition, and then that recognition became managed by an association and backed by legal precedent.

Up until now, this has been a bit of a nebulous discussion.

However, on June 9, the state of Louisiana signed into law registration for MSPs. The law creates a registration for managed services providers and managed security providers doing business in the state with a public body. The law is designed to "provide access for public bodies to obtain information on MSPs and MSSPs" and to require both to report cyberincidents and payment of cyber-ransom or ransomware.

The bill additionally defines both MSP and MSSP, the services around security, as well as those specific terms.

The law also sets requirements to notify the Louisiana Fusion Center of the incident within 24 hours, provide information on any payments, and that these requirements are to be included in future contracts.

This is not the last -- and as I have observed -- it happened to our community, not with our community. It happened because of the raft of security incidents that caused pain across the state, and those governing saw a chaotic space with little discipline and with no way to understand or evaluate the space, and that resulted in this pain.

I want you to hear the secretary again from his interview on this show.

Louisiana Secretary of State Kyle Ardoin: My goal is not to regulate at this point in time, I'm a free enterprise guy. I think if people understand what the level services an MSP brings and a MSSP brings, then they can make their own determinations. […] We've got, if we're not having frank conversations and we're, we're all hiding behind, um, the barricades, if you will, or firewalls, then we're not really doing what we have to do, which is protect the American people, um, and our businesses and our economy.

Two takeaways: "at this point in time" and "protect … our businesses and our economy."

The Secretary isn't just thinking about this one thing -- and that's indicative of the larger problem. The market didn't solve this for government, and government stepped in. How long do you think it will take before the business community, being ravaged by cyberincidents, looks for some kind of guidance? If I said this same thing about the medical community, you'd be horrified. That's what's happening here.

Looking for MSP leadership and guidance

So, who should lead us? Let's review some of the landscape -- and this is by no means a comprehensive look.

CompTIA was my first inclination. Supported by a group of vendors looking to standardize their hardware certifications, they have been the leader in individual certifications for ages. With their interest in advocacy, this would have seemed like a natural fit, particularly with their initial Trustmark efforts a number of years ago. So far, none of their company certification efforts feel like they have gotten traction, and their advocacy group's mandate is unclear.

MSPAlliance wants to be this voice. Established 20 years ago, they established a certification called "MSP Verify" 16 years ago. MSPAlliance's biggest problem is they have gone it alone. MSPAlliance is an island -- it doesn't play well with others, so no surprise they haven't gotten anywhere. If you're not doing outreach, you're not going to get mindshare and traction. Also, for me, a fatal flaw -- MSPAlliance is against regulation. (Editor's note 7/13/20: You can read MSPAlliance's official stance on MSP regulation here.)

I disagree -- because I look to the industries where it worked historically, and there was a partnership, with some level of regulation. And we see how standing against it didn't work -- the legislation happened anyway.

The ASCII Group has an opportunity here. A longstanding history dating back to 1984, they have a unique community, though I would argue it is in need of a real differentiation, as events focused on selling speaking slots to vendors are really not differentiated. Here's an area where they could really pivot and make a difference -- you can see all the parallels to the historical examples.

Previously, I would have thought peer group organizations would be good for this. With those moving more and more to becoming part of vendor organizations, that just isn't happening. Why? Vendors aren't all that motivated to help. They aren't that interested in solving this problem because it's a limiting factor to who they can sell to.

The peer groups themselves will be a great rally point but are likely missing a lot of the infrastructure around this. They'd need a partner.

Distributors actually could have a pretty good place for this effort to happen. Being as they have communities and they have interest in qualifying those they sell to -- such as understanding credit worthiness -- their support here would be powerful, and I think they have the interest and alignment to make this happen. I've been skeptical of distribution in the past -- and publicly eaten those words based on their pandemic response. I'm hoping to see leadership here.

Let me say that these groups are going to need to come together for something to work -- the first two that join together will get momentum. CompTIA with MSPAlliance? Or ASCII with a distributor or a peer group? You can see that any one plus one is going to equal three very quickly.

But ultimately, the answer to who will lead has to be those who deliver technology services in the first place. You had the option to ignore this possible trend before -- it was theoretical. Now it's not. The first law has been passed, and if you think it's the last, you're not paying attention. I've seen reactions already that are dismissive due to this being just Louisiana, or because it's limited to those working with government or that it exposes security data.

You're not getting the trend.

The reason this law even happened is that the government (i.e., the customer) was tired of cyber attacks and needed to know who is out there serving the space. Customers are going to demand the same thing. You see this in the historical context -- doctors, lawyers, accountants. Owners committed to improving their business know that they also have to have a healthy ecosystem around them, and that this helps them stand out.

These should be good for business -- those that demand this and push forward will be able to command higher rates, eliminate unqualified players in the market and solidify technology's place at the big table.

In answer to who will lead us? Those that identify they need to be a part of this. Solution providers. Owners. If you're not actively stepping up now, you're just waiting for it to happen to you. So, the answer is you.

If you're concerned, I'm going to give you actions to take right now

First, look at the communities you participate in. Maybe it's one of the ones I discussed, maybe it's another. Ask the question. This has to be a priority, and the only way that starts is with awareness.

Second, do your homework. What elements of certification do you consider important? Is it the guidance? Ethics? Standards? You're going to be asked, so have at least your initial sense.

Finally, based on first and second, start demanding action. Only solution providers and services companies are going to feel this pain -- and it's solved by people, not software, so the vendors aren't the answer. The answer lies in the collective community.

Let's get to work.

About the author
Dave Sobel is the host of the podcast "The Business of Tech," co-host of the podcast "Killing IT" and authored the book Virtualization: Defined. Sobel is regarded as a leading expert in the delivery of technology services, with broad experience in both technology and business. He owned and operated an IT solution provider and MSP for more than a decade, and has worked for vendors such as Level Platforms, GFI, LOGICnow and SolarWinds, leading community, event, marketing, and product strategies, as well as M&A activities. Sobel has received multiple industry recognitions, including CRN Channel Chief, CRN UK A-List, Channel Futures Circle of Excellence winner, Channel Pro's 20/20 Visionaries and MSPmentor 250.