Wednesday, May 26, 2021

Transformation of an Industry into a Profession - Part 1

Thoughts on Revamping our Industry 

The Nine Pillars - Part 1


The IT Consulting industry has come a long way in the last twenty years. We are more professional, as a group, than we've ever been. We certainly have better tools, better organization, and better channel-focused vendors. I am honored that I have played some small role in the evolution of our industry.

But we also face greater challenges than ever before. I don't want to blame all of our problems on ransomware, but the explosion of ransomware in the last few years has forced us to shine a light on some long-standing problems within our industry. It has also sped up the inevitable march of legislation and regulation. And all of that has led to skyrocketing insurance payouts and premiums.

Unfortunately, the natural response to all of this is to address each element in isolation. But that is not the answer. We need to begin thinking about the maturity of our industry in a more holistic manner. Our response to ransomware, for example, is clearly tied to our diligence in managing client systems. And to insurance rates. And to regulation.

I've been thinking about the big, big picture. So, in this series of posts, I present nine topic areas that I believe are all inter-connected, and related to the overall professionalism and maturity of our industry. Please comment, share, and join in a discussion of these elements at a higher level. I present these thoughts as a starting place. But I really want our industry to tackle these questions and begin working together on creating a united front to address our problems.

Some of these will seem obvious, but others may seem unrelated at first. But, remember, I'm looking at all of this from a holistic perspective. What does it take for our industry to take a big step up in professionalism and participate in a future where we can thrive while providing truly valuable services to our clients?

Warning: A lot of people will be angry at what I have to say. Please post comments, share this and comment, or email me directly. I want to start a conversation about raising the bar for SMB IT professionalism.

One requirement is very clear, but rarely discussed: We need to take responsibility for the bad things happening in SMB IT, and in our industry. I'm not saying we started it, or that we are perpetuating it. But the default position of pretty much everyone in the channel is to treat our problems as if they are happening to us - as if we play no role. Well, that's simply not true.

We've all met people whose life seems to consist of a Series of Unfortunate Events (to paraphrase Lemony Snicket). You've met them. One tragedy after another. In each case, they are the victim. No one could have foreseen this or that. Bad luck is everywhere.

The older you get, the faster you recognize this pattern and learn to run away from these people. Every bad thing in their life was someone else's fault, and all the bad things happened TO them.

Let's look at our industry. We don't create ransomware. It happens to our clients. We just fix it. We're not responsible for higher interest rates. That happens because clients click on stuff, ignore training, and get ransomware. We're not responsible for government regulation and legislation. That happens to us because no one can do anything about viruses, malware, phishing, and ransomware.

In other words, the default is: We're not responsible for anything. Sh*t happens and we have to deal with it.

Except . . . 

Lots of people in our industry cut corners. We try to save clients money and end up selling incomplete services. Lots of people sell "managed" services and deliver break/fix. Lots and lots and lots of small businesses have no real protection. Some consciously refused to pay for good tech support. But many of them have IT service providers who don't force them to do things the right way, or simply don't deliver the kind of preventive maintenance that will protect them.

From one perspective, we are totally caught in the middle with no way out. But I encourage you to consider another perspective: Figure out what role we can/do play. And then figure out what we can do about it. Legislation doesn't have to happen TO you. You can choose to get involved and shape what the future looks like. High insurance rates don't have to happen TO you. You can engage and find out the specific things we need to do to lower those rates.

Let me be crystal clear: YOU might do everything right, have great processes and procedures, and have a perfect record of avoiding ransomware for your clients. But you are still affected by the fact that our industry as a whole is doing a very poor job on this front. 

If you want to sit back, collect auto-payments, and do nothing, that's fine. But you will then be choosing to let participants in the conversation decide the future of the industry, and your business.

Let's dig in.

Part 1: The first two building blocks - Profit and Maintenance

The First Pillar: Profit

Profit is not the only measure of success, but it is a necessary one.

Depending on who you talk to, about 20-25% of IT Service providers are not profitable. At a minimum, they're breaking even, which is to say, "scraping by." I recently talked to a friend who is a member of the Institute of Management Consultants. When I told him this statistic, I thought he would be surprised. Instead, he said he doubts the numbers are that low. He says that most industries have more like 25-30% who fall into the category of unprofitable.

I know it sounds very hard to believe, if you're struggling, but there's no reason for this. If you have an unprofitable business model, that's fixable. If you have trouble with sales, that's fixable. If you lack skills, that's fixable. Basically, unless you are simply unwilling to make changes, your problems are fixable.

To be honest, when I talk to people who are struggling in this business, they are working very hard to figure things out. Very likely, they are working ridiculous hours and not charging clients for their time. So that loops back to the business model - which is fixable.

I believe it's important to talk about profit first because unprofitable companies tend to make bad decisions. When people feel they have to take certain clients, or have to take every client, they spend their time focusing on money to the exclusion of service, security, and what's best for everyone involved.

Unprofitable companies have lots of problems not directly related to money. They cut corners. They give in to clients who want to make bad decisions. They leave themselves open to problems, and therefore leave their clients open to bigger problems. They don't invest in their employees or see them as valuable resources.

If you're having problems with profit, you obviously cannot snap your fingers and become profitable. After all, no one is unprofitable on purpose. It takes a lot of discipline and focus to turn things around. You have to make hard decisions - like cutting staff and reducing expenses. 

I address profit as the first pillar because it is truly the first building block to creating a solid base on which to build a successful, professional industry. Only a profitable industry can effectively tackle the rest of the elements addressed here. 

As individuals, we must do what needs to be done to build successful businesses. As an industry, we need to work together to help define profitable standards and procedures. And one important piece of that is to avoid competing on price. Making yourself and others unprofitable just to gain market share provides no positive results to anyone.

The Second Pillar: Maintenance-Focused Support

Backup and Maintenance are the foundation of all IT service.

One very bad trend we've seen over the last five years or so is the failure to focus on preventive maintenance. When I wrote the first edition of Managed Services in a Month, my assumption was that all IT service providers had a "maintenance first" or "backup first" approach. That assumption turned out to be very wrong.

I stand by my original belief: Managed services *should be* focused on maintenance first. For me, that includes a fundamental focus on testing backups. In the big-big picture, testing backups is the single most important thing we do. If you test backups every month, you know two things: 1) The backup is working; and 2) Your team knows how to restore data when the day comes that a restore is necessary. 

The second most important thing we do is apply all the patches, fixes, and updates. There's no secret here. No genius-level certification needed. Unpatched hardware has problems; unpatched software has issues; unpatched operating systems have troubles. Viruses and ransomware take advantage of unpatched holes, primarily in software. 

So, no matter what else you do, you need to apply patches, fixes, and updates on a regular basis. If you track the news about the latest big ransomware attack, it almost always turns out to be a new attack on an old vulnerability. In other words: A properly patched and maintained system would not have been compromised.

I've posted before, but I'll repeat it here: Most people who call themselves "managed service providers" are not providing managed services. Many of them love the flat-fee subscription model, but they are not providing the backup services or patching services that clients are paying for. Instead, they are providing reactive break/fix support and charging a flat fee.

This is very bad for all of us. You might be focused completely on preventive maintenance, but you are severely affected by the fact that many people in this industry are not taking preventive maintenance seriously.

Every single time there's a new story about ransomware taking down a city, a county, or a company of any size, I am stunned that this is still a problem. These stories only make the news because of one thing: Their IT support failed to provide effective patching AND their IT support failed to make sure they had a working backup. A BDR should be able to recover a system in 1-24 hours. Even an old, slow backup should be able to recover everything within a week. 

But paying a ransom due to failures in IT support should never happen. Ever. We have solved this problem. Yes, I know there are new kinds of extortion-ware, but even those attacks can be virtually eliminated by proper patching. 

Now think about this from the perspective of a state- or provincial-level government. What you'll find is that they see exactly what Kyle Ardoin, the Secretary of State of Louisiana, saw: Government agencies (which are essentially small businesses) are paying for "managed services" and are still not protected from the most basic attacks. Patches are not being applied. No backup or BDR is in place. Or, the backup isn't working, but no one knows that because it's not being tested regularly.

Now consider this from the view of insurance companies. Businesses of all sizes are buying managed services, but they are still compromised. Ransomware continues to flourish. Patches have not been applied, so the attacks are successful. Backups are not working (or non-existent), so ransom has to be paid. Whether or not it's justified (we'll get to that), insurance companies want to hold the managed service providers liable for the damages.

Let me repeat myself: YOU might be doing everything right. But you are severely affected by the fact that so many IT service providers are not doing the most basic things necessary to protect their clients. You may have had a perfect, zero-incident year, but your insurance rates went up anyway. You need to care about the fact that our industry needs to take a step up.

-- -- -- 

Next up: Education, certification, and core values.

Please post comments. Engage in the discussion.

-- -- -- 

Here are links to the entire series:

Part One - Profit and Maintenance-Focused Support

Part Two - Education and Core Values 

Part Three - Ransomware and How We Handle It

Part Four - Legislation and Insurance

Part Five - Building a Path to the Future



  1. I agree with your core belief here and I like where this is going.

    My comment on the Preamble is simply that IT service providers (any business, really) need to actively participate in the legislation being built in their state and if possible the country. As a side note, it's probably the only thing the IAMCP is still of any use for, but there are many other vehicles and paths.

    My comment on the Profit Pillar: There are also providers that are putting profit in front of purpose at the cost of true quality service and accountability. They sign the managed services agreement and then allow the client to sign a release of liability waiver (with no expiration date) for the client's deficient security or backups, etc. So the client continues along with an inadequate backup or ineffectual security system and no defined deadline of when they will be brought up to spec. The MSP keeps cashing the check and sitting under the umbrella of protection, not concerned for their reputation or the damage to the client when (inevitably) something will happen.

    I suppose much of what I just wrote applies to the second pillar as well.

    I look forward to the next installment.

  2. Thanks for the comments. The problems you mention about profit and liability will be addressed. It's obviously a huge topic to take on "everything" in the industry. At some point, if the client is not willing to pay to be secure, there should be a way to exclude the IT service provider from liability. But the way needs to be narrow and the path needs to be hard. Security needs to be the default. But if an MSP is honestly doing as much as the client will allow, there is a point where we need to be relieved of liability. More to come.

  3. A big part of the problem is also the uneducated network owner who doesn't understand the need for patching, intrusion awareness and BDR preparedness. They have a system that works 24/7, doesn't require a vacation and doesn't need health insurance. It just needs to be maintained and monitored. Educated network owners understand they need to spend money to have a well-functioning and resilient IT system. Can it be as simple as educating SMB to the value of network resilience?

  4. Ultimately, very few business owners will truly understand the technology or the risks. (Much like I don't really understand the insurance policies I buy.) We all have to rely on professionals to help us make the right decisions. In IT, those professionals are IT service providers. You absolutely have to educate. One thing this proposal does is to limit your liability if you educate and the client says no to protecting their own network.

