Skip to main content

Stop Selling Hours, Start Selling a Standard: The Four-Step Security Loop for MSPs

Nick Ross4 min read

TL;DR

  • Standardizing services across all clients is the single biggest lever an MSP has for reducing reactive hours and increasing profitability.
  • Reactive Hours per Endpoint per Month (RHEM) is the metric that exposes vendor overload: the more tools in the stack, the more it climbs.
  • A repeatable four-step loop, audit and assess, plan and prioritize, implement and automate, monitor and improve, turns security from firefighting into a scalable service.
  • Prioritizing projects by impact versus effort surfaces quick wins like third-party app restrictions alongside bigger rollouts like MFA.
  • Implementation means building systems that prevent issues from recurring, not just fixing what the audit found.

Plenty of MSPs want to raise their security game and build a stronger offering for clients. The ones that stall almost always stall in the same place: no roadmap. Security work happens ticket by ticket, client by client, with no standard to measure against and no repeatable motion to scale.

This post lays out a framework built specifically for MSPs to scale their operations and raise the security of their downstream clients. Four steps, run as a loop, repeatable across every client. We will also show where CloudCapsule, our tool for automating Microsoft 365 security assessments against the CIS Controls, slots in.

Adopt the loop and four things follow:

  • Your MSP runs to a standard: consistent services across all clients.
  • Client profitability climbs: less operational overhead, new revenue streams.
  • Reactive hours drop: less firefighting, more strategic work.
  • Posture is monitored continuously: security progress tracked across the whole base.

Reactive MSPs do not scale

The biggest trap in this business is a habit inherited from the break-fix days: waiting for things to break, then being heroically good at fixing them. In a landscape where security is the product, that posture caps your growth.

Standardization is the way out. Organize your processes so every client gets the same services, configured the same way, measured against the same baseline. That consistency cuts reactive hours, raises profitability, simplifies how you manage client security policies, reduces alert fatigue, and frees your team for higher-value work. You can build your own standards model, but we recommend the CIS Controls or NIST CSF as a north star: both keep you organized and give you a strong message to deliver to clients.

More vendors, more reactive hours

A pattern we see constantly: MSPs "fill gaps" by adding another security vendor, then another, until the stack itself becomes the workload. Every added tool brings its own alerts, and the cycle ends in alert fatigue and shrinking margins.

Track one metric to expose this: Reactive Hours per Endpoint per Month (RHEM), the time technicians spend on reactive tasks for each endpoint. The more vendors in the stack, the higher RHEM climbs. Scaling requires simplifying the vendor stack and moving away from reactive security management, not accumulating more dashboards.

Diagram of an overloaded MSP security vendor stack

To be clear, this is not a knock on any vendor in that diagram. The point is that many MSPs layer in tools instead of thinking strategically about the standards they apply across customers.

The loop: four steps you repeat for every client

Step 1: Audit and assess against your baseline

Start by auditing the client's environment: a close look at their current security posture compared against your standardized security baseline. This is a gap analysis. It tells you where each client sits in security maturity and what it takes to bring them to your standard. Whether you are onboarding a new client or reviewing an existing one, the audit is the foundation for everything that follows.

CloudCapsule automates these audits for Microsoft 365 environments, mapping results directly to the CIS Controls, so you get a clear picture of where clients stand and where the gaps are without the manual evidence-gathering.

CloudCapsule assessment results mapped to the CIS Controls

Step 2: Prioritize by impact and effort

With the gaps identified, plan the work. Rank security projects by impact against effort. Rolling out MFA might be a higher-effort project that needs careful planning; enabling third-party app restrictions might be a quick win with high security impact. Sequence accordingly.

This phase is also where the commercial upside lives. Every gap is potential project work, and MSPs that present prioritized remediation projects both grow revenue and prove their value by improving client security proactively.

Step 3: Implement systems, not just fixes

We prefer "implement" over "remediate," because the goal is building proactive systems rather than patching findings one at a time.

Example: the audit turns up a pile of dormant user accounts. Disabling them closes the finding. Implementing means asking why they piled up, tightening the user offboarding process, and automating dormant-account cleanup with a tool like Power Automate or a third-party platform like Rewst so the finding never recurs.

The aim is standardized processes across all clients with as much of the manual effort automated away as possible. CloudCapsule helps here as the baseline reference, confirming every tenant is configured to your standards.

Step 4: Monitor for drift and report on it

The last step is what makes the loop a loop: watch for drift from the standard you just established. A user gets excluded from an MFA policy. A non-compliant device shows up. Without monitoring, those deviations sit invisible until the next annual review; with alerts in place, you detect and correct them as they happen.

Monitoring is also your reporting engine. Send clients regular updates on their security posture. It reinforces the value of the service and keeps them invested in their own security journey, and it is the difference between "we did security work" and "here is the proof."

What changes when you run the loop

The framework is repeatable, and that is the entire point. Run it across your client base and you scale operations while security improves everywhere at once: fewer reactive hours, better margins, and a position in the market as the proactive, security-first provider instead of the firefighting one.

Frequently asked questions

Which standard should an MSP baseline against?

You can build your own standards model, but we recommend the CIS Controls or NIST CSF as the north star. Both keep your team organized and give you a credible, recognizable message to deliver to clients.

What is the difference between remediating and implementing?

Remediation fixes the finding; implementation builds the system that stops it from coming back. Finding dormant accounts in a tenant and disabling them is remediation. Tightening the offboarding process and automating dormant-account cleanup with Power Automate or a tool like Rewst is implementation.

How does this framework create revenue rather than just cost?

The plan-and-prioritize step surfaces project work: every gap between a client's current posture and your baseline is a scoped, sellable project. MSPs that run this loop increase revenue while demonstrably improving client security, which also strengthens retention.

Run the assess step in 60 seconds, not a day

CloudCapsule automates Microsoft 365 security assessments against the CIS Controls: 250+ checks per tenant, evidence included, drift flagged before the next review. The audit that anchors this whole framework runs while you grab coffee.

Run a free assessment
Nick Ross

Written by

Nick Ross

CEO · Microsoft MVP · Founder, T-Minus 365

Nick is not just a CEO, he's a respected thought leader and influencer in the MSP space. Tens of thousands of MSPs learn through his YouTube channel, T-Minus365. Nick has been honored as a three-time Microsoft MVP for his educational content; his expertise and influence are the backbone of our mission, ensuring that you are in the best hands when it comes to security.

Nick joined Pax8 in 2017, where he would ultimately oversee product management for PSA and Microsoft integrations. Following his tenure at Pax8, Nick has continued to demonstrate his leadership prowess as an executive at various MSPs, culminating in his most recent role at Sourcepass.

Nick holds a Bachelor's Degree in Business Management from Florida State University, as well as a Minor Degree in Entrepreneurship. In his free time, Nick is an avid hiker, reader, and fitness-junkie.

Keep reading