James Griffin, CEO of CyberSentriq, outlines a new phase of MSP maturity that is reshaping how providers define both risk and responsibility.
For much of the past two decades, MSPs have operated on a model of flexibility, adapting to customer needs, working within varying budgets and often accommodating risk rather than challenging it.
As the market matures, that approach is becoming increasingly difficult to sustain, with leading providers becoming more selective about the customers they support and setting clearer expectations around security, including when to walk away.
This shift reflects a broader recognition that cyber risk is no longer isolated. MSPs sit at the centre of interconnected environments where a single vulnerability can have far-reaching consequences: a weakly protected client is not just a risk to itself, but a potential entry point into every other organisation the MSP manages.
This one-to-many dynamic helps explain why MSPs have become increasingly attractive targets for attackers, while also drawing greater scrutiny from regulators. The UK's National Cyber Security Centre has repeatedly highlighted the systemic risk posed by managed service providers, noting that their privileged access across multiple organisations makes them attractive targets and that a single compromise can have cascading impacts across clients.
Against that backdrop, leaving security decisions entirely to individual customer preference is becoming increasingly difficult to justify.
The rise of minimum security standards
In response, a growing number of MSPs are introducing minimum cybersecurity baselines across their customer base, including requirements around robust backup, enforced identity protection such as multi-factor authentication, consistent patch management and measures to ensure operational resilience.
What is changing is not just the controls themselves, but the mindset behind them: security is no longer treated as an optional add-on or a tiered service, but as a prerequisite for doing business.
This shift is forcing tougher commercial decisions, as not every customer is willing or able to meet these expectations. Where organisations refuse to adopt baseline protections, MSPs are reassessing those relationships, sometimes investing in education and alignment, but in other cases choosing to disengage. What was once seen as commercially risky is now understood as operationally necessary.
Supporting insecure environments carries a disproportionate cost, increasing the likelihood of incidents, driving up remediation efforts and exposing both the MSP and its wider customer base to disruption. In an environment shaped by ransomware and supply chain attacks, that level of exposure is difficult to sustain at scale.
Professionalisation and rising regulatory expectations
At the same time, the sector is beginning to professionalise, with MSPs moving closer to the standards seen in industries such as finance and legal services, where risk management is embedded into service delivery and providers are expected to uphold defined standards regardless of client preference. In those sectors, it is not acceptable to defer to client decisions that create unacceptable exposure, and the same logic is now being applied within the channel.
This shift is being accelerated by regulation. The UK’s forthcoming Cyber Security and Resilience Bill is expected to expand the scope of cyber regulation and bring more organisations, including MSPs, under direct oversight, signalling a move towards greater accountability and stricter expectations.
More importantly, the direction of travel suggests that oversight will continue to broaden across the supply chain, placing greater emphasis on the resilience of the environments MSPs manage. In practical terms, providers will be judged not only on what they deliver, but on the level of risk they allow to persist within their customer base.
For many MSPs, minimum security baselines are therefore not simply good practice, but early alignment with where regulation is heading.
Redefining the customer relationship
This is also reshaping the customer relationship. The long-standing principle that the customer is always right is giving way to a more balanced and responsible approach, with MSPs setting expectations up front and making it clear that security is a shared responsibility rather than a negotiable extra.
While some customers may resist tighter controls or increased investment, the broader direction is becoming difficult to ignore, particularly as cyber threats intensify and regulatory scrutiny increases. Organisations are becoming more aware of the risks associated with underinvestment in security, and in many cases the MSP is evolving from service provider to trusted advisor, guiding decisions that have both operational and strategic implications.
A more disciplined market
For the channel as a whole, this represents a positive development, as a more disciplined market reduces risk, improves consistency and strengthens trust with customers and regulators, while creating clearer differentiation between providers who uphold robust standards and those who prioritise short term flexibility.
There will inevitably be challenges, as some providers struggle to move away from legacy models and others hesitate to have difficult conversations with long standing clients, but the cost of inaction is increasingly clear.
The role of the MSP is changing, moving beyond uptime and support towards managing and mitigating risk across complex environments, bringing greater responsibility and the need for firmer boundaries.
In a maturing market, those boundaries are essential. Setting and enforcing standards, and walking away when necessary, are no longer signs of rigidity but indicators of a sector preparing for a future where accountability is not optional.
MSPs are preparing for a regulatory environment with little tolerance for avoidable risk. The question is no longer whether tougher decisions are required, but whether MSPs are prepared to make them.
