Your Security Stack Is Lying to You

Every MSP owner has been in the position of recommending a security investment only to watch the client push back, delay, or ignore the advice entirely. The frustration is real — and the risk it creates is compounding quietly in the background. What makes this problem worse is a finding that most operators don't want to confront: the security tools you already have deployed may not be protecting anyone the way you think they are. Misconfigurations in firewalls, endpoint products, and vulnerability scanners represent one of the most common and preventable attack vectors in cybersecurity today — and most MSPs have no systematic way to catch them. For firms building a cybersecurity practice that protects clients and differentiates in the market, that gap is both a risk and an opportunity. The question isn't whether your stack has a misconfiguration — it's whether you'd know about it before an attacker does.

This episode forces a hard look at the assumptions MSPs make about their security posture. It covers the reality of cyber insurance applications that don't match what's actually deployed, the growing regulatory pressure from frameworks like CMMC, and why some MSPs are drawing a hard line with clients who refuse minimum security standards. For owners trying to navigate compliance challenges and position their firms as serious security partners, the lesson is clear: the work-factor advantage belongs to whoever validates their stack continuously — not whoever buys the most tools. Leaders who understand this will build defensible practices, stronger client relationships, and a revenue model that compounds with trust rather than eroding with every unchecked configuration.


The Misconfiguration Problem Nobody Is Measuring

MSPs invest heavily in security tooling — endpoint protection, firewalls, vulnerability scanners, SIEMs — and then assume the investment is working. The uncomfortable truth is that configuration drift, human error, and unchecked defaults silently erode the protection those tools are supposed to deliver. A single endpoint product with two unchecked boxes in its configuration can be the difference between stopping malware cold and a full-blown breach. The problem is not the technology itself. The problem is that no one is continuously validating whether the technology is doing what it was purchased to do. For MSP owners, this isn't a technical footnote — it's a leadership failure hiding in plain sight, and it's one that compounds every day it goes unaddressed.

  • Misconfigurations in security tools are among the most common — and most preventable — attack vectors facing MSP clients today.
  • Configuration drift happens silently: a change made by a technician, a firmware update that resets a setting, a default credential that was never rotated.
  • The MSP that validates its stack continuously has a structural advantage over one that only reacts after an incident.
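The "two unchecked boxes" and the drift list above describe exactly what continuous stack validation has to catch: a captured configuration compared against a baseline, with every deviation surfaced and ranked. The following Python is an added illustration of that check, not SureStack's code or anything from the episode; the field names (tamper_protection, admin_credential_rotated, firmware and so on), the baseline values and the three endpoint snapshots are all constructed for the example.

```python
"""Baseline-vs-actual validation for a managed security stack.

Added illustration (not SureStack's or the podcast's code): each endpoint's
captured settings are compared against an expected baseline, and every
deviation becomes a finding ranked by severity. All input data is constructed.
"""
from dataclasses import dataclass

# Rank used to order findings (higher number = more urgent).
SEVERITY_RANK = {"critical": 3, "high": 2, "medium": 1}

# Baseline the MSP expects on every endpoint. Field names are assumptions.
BASELINE = {
    "tamper_protection": True,
    "real_time_protection": True,
    "admin_credential_rotated": True,
    "min_firmware": (2, 4, 0),
}

# Constructed snapshots, shaped like what an agent or vendor API poll might return.
SNAPSHOTS = [
    {"host": "dental-ws01", "tamper_protection": False, "real_time_protection": True,
     "admin_credential_rotated": True, "firmware": "2.5.1"},
    {"host": "dental-fw01", "tamper_protection": True, "real_time_protection": True,
     "admin_credential_rotated": False, "firmware": "1.9.3"},
    {"host": "dental-ws02", "tamper_protection": True, "real_time_protection": True,
     "admin_credential_rotated": True, "firmware": "2.4.0"},
]


@dataclass(frozen=True)
class Finding:
    host: str
    check: str
    severity: str
    detail: str


def parse_version(text: str) -> tuple:
    """Turn '2.5.1' into (2, 5, 1) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in text.split("."))


def check_snapshot(snap: dict, baseline: dict = BASELINE) -> list:
    """Return the findings for one endpoint snapshot (empty list = no drift)."""
    findings = []
    host = snap["host"]
    # Boolean controls: any value other than the baseline (including a missing
    # key, which .get() reports as None) is drift and is reported as a finding.
    bool_checks = [
        ("tamper_protection", "critical",
         "tamper protection disabled; the product itself can be switched off"),
        ("real_time_protection", "critical", "real-time protection disabled"),
        ("admin_credential_rotated", "high", "default admin credential never rotated"),
    ]
    for key, severity, detail in bool_checks:
        if snap.get(key) != baseline[key]:
            findings.append(Finding(host, key, severity, detail))
    # Firmware below the supported minimum: unsupported code with no fixes coming.
    if parse_version(snap["firmware"]) < baseline["min_firmware"]:
        findings.append(Finding(host, "firmware", "high",
                                f"firmware {snap['firmware']} below supported minimum"))
    return findings


def validate_stack(snapshots=SNAPSHOTS, baseline=BASELINE) -> list:
    """Validate every snapshot and return findings, most urgent first."""
    findings = []
    for snap in snapshots:
        findings.extend(check_snapshot(snap, baseline))
    return sorted(findings, key=lambda f: (-SEVERITY_RANK[f.severity], f.host, f.check))


if __name__ == "__main__":
    for finding in validate_stack():
        print(f"[{finding.severity.upper():8}] {finding.host}: {finding.detail}")
```

Run as-is, the script reports the disabled tamper protection on dental-ws01 as critical and the unrotated credential and old firmware on dental-fw01 as high, while dental-ws02 produces nothing. The design point is that the baseline lives outside the tool being checked: a technician's change, a firmware update that resets a setting, or a product update that flips a default all show up as drift on the next poll rather than being trusted because the tool is "deployed".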

Cyber Insurance Is Not a Security Strategy

Many SMB clients treat cyber insurance as the final layer of defense — the backstop that makes everything else acceptable. The reality is far less comforting. Insurance applications often ask questions that the applicant can't accurately answer, and in some cases, the answers are wrong because the security posture described on the application doesn't match what's actually deployed. When a claim is filed and the carrier discovers the gap, the payout doesn't come. For MSPs, this creates a dangerous chain of liability: the client thinks they're covered, the MSP may have assisted in the assessment, and neither party has verified the actual state of the environment. Owners who allow this dynamic to persist are building their practice on a fault line.

  • A false sense of security from insurance coverage can lead to underinvestment in actual defensive measures.
  • If the application doesn't match reality at the time of a claim, the policy may not pay — leaving both the client and the MSP exposed.
  • The MSP's credibility depends on being the one who surfaces the gap before an insurer or an attacker does.

Regulation, Resistance, and the MSP's Leverage Point

End users — especially in less-regulated industries like dental and small professional services — often resist cybersecurity investment with a stubbornness that borders on willful ignorance. They don't believe it will happen to them. They don't want to spend the money. And they're not going to listen to their MSP the third or fourth time the conversation comes up. The emerging reality is that regulation and insurance requirements may be the only forces strong enough to change this behavior at scale. For MSPs, the leadership move is not to wait for the mandate. It's to set a minimum security standard for your client base now — and to be willing to part ways with clients who refuse it. The firms that draw this line early will be the ones building defensible, profitable, high-trust practices on the other side of the compliance wave.

  • Regulation — whether CMMC, HIPAA enforcement, or state-level mandates — is beginning to create consequences for non-compliance that clients can no longer ignore.
  • MSPs that enforce minimum security stacks protect themselves from downstream liability and attract better clients.
  • Bringing in a third-party cybersecurity specialist to validate the message can break through client resistance in ways the MSP alone cannot.

From Services to Product: The Strategic Logic of Building SureStack

The entrepreneurial arc from employee to service provider to product builder is one of the most demanding transitions in business — and it mirrors a pattern that many MSP owners intuitively understand. Adam Bennett's journey through government security, running a services firm for over a decade, joining a startup, and then founding SureStack illustrates the compounding value of domain expertise when it's channeled into a scalable solution. For MSP owners watching the cybersecurity product landscape expand, the lesson isn't about building your own tool. It's about recognizing the structural problem SureStack addresses: no one is checking whether the stack works. The MSP that partners with solutions focused on validation rather than just detection will deliver a fundamentally different level of service — and earn a fundamentally different level of trust.

  • Deep domain expertise in services creates the insight necessary to identify gaps that products can solve at scale.
  • The security industry is saturated with tools — the differentiator is whether those tools are configured and functioning correctly.
  • MSPs who adopt continuous stack validation position themselves as security-first operators, not just tool resellers.

Frequently Asked Questions

What is a security stack misconfiguration and why does it matter for MSPs?

A security stack misconfiguration is any setting, rule, or configuration in a security tool — such as a firewall, endpoint product, or vulnerability scanner — that is incorrect, incomplete, or has drifted from its intended state. These misconfigurations are one of the most common and preventable attack vectors because they create gaps in protection that the MSP and client believe are covered. For MSPs, catching and remediating these issues is both a risk management imperative and a service differentiator.

How does SureStack help MSPs validate their security stack?

SureStack connects to existing security tools via APIs and continuously monitors configurations against CIS benchmarks, vendor recommendations, government STIGs, and its own knowledge base. The platform identifies misconfigurations, ranks them by severity, and provides AI-assisted remediation guidance through its StackChat feature. MSPs can deploy it in minutes and use it to monitor all client environments from a single dashboard.

Can MSPs use security posture assessments as a sales tool?

Yes. Running a security stack validation against a prospect's environment can surface misconfigurations and vulnerabilities that demonstrate the MSP's expertise and create urgency for the prospect to act. It serves as both a trust-building exercise and a concrete way to show value before the engagement begins — especially effective when displacing an incumbent MSP.

Why do SMB clients resist investing in cybersecurity?

Many small business owners — particularly in less-regulated industries — do not believe a cybersecurity incident will happen to them. The investment feels abstract until a breach occurs. Regulation, insurance requirements, and third-party assessments are often the catalysts that finally move clients from resistance to action. MSPs that set and enforce minimum security standards reduce their own risk exposure while educating clients on the consequences of inaction.

What happens if a cyber insurance application doesn't match the actual security posture?

If a client files a claim and the insurer discovers that the security controls described in the application were not actually in place — whether due to intentional misrepresentation or honest misconfiguration — the claim may be denied. This leaves the client fully exposed to the financial impact of the incident and can create liability for the MSP that assisted with the assessment or managed the environment.

Where does SureStack fit in the NIST Cybersecurity Framework?

SureStack primarily fits within the Identify and Protect functions of the NIST Cybersecurity Framework. It helps organizations understand what they have deployed, whether it's configured correctly, and whether it's current — before an incident occurs. The platform can also support the Detect function through continuous monitoring and alerting when configurations change or new vulnerabilities are discovered.

Episode Highlights

  • 00:21 — How a career that began with internet abuse investigations at an ISP evolved into 25 years of cybersecurity leadership across government and private sector
  • 05:05 — Why uncoordinated incident response can destroy evidence and why every breach has lessons that make the next one survivable
  • 07:55 — The Blitzkrieg analogy: attackers using AI to find the path of least resistance — and why raising your work factor is the real defensive strategy
  • 15:43 — Real findings from the field: default admin credentials, unsupported firmware, and tamper protection left unchecked in production environments
  • 16:50 — The debate over regulation vs. self-policing and why some MSPs are drawing a hard line on minimum security stacks
  • 20:49 — Why the MSPs willing to fire clients who refuse security minimums will build the most defensible businesses
  • 23:52 — The cyber insurance trap: what happens when the application says one thing and the environment says another
  • 27:44 — The two-checkbox story: how a single misconfigured endpoint product let malware bypass every defense
  • 31:00 — Why security posture validation is one of the most powerful pre-sales tools an MSP can deploy

About the Guest: Adam Bennett

Adam Bennett is a cybersecurity veteran with more than 25 years of experience spanning penetration testing, incident response, V-CISO services, and security operations for the U.S. Department of Defense and intelligence agencies. He is the founder and CEO of Crosshair Cyber, a cybersecurity services firm, and the Co-Founder and CEO of SureStack, an AI-native platform that continuously validates and optimizes security stack configurations for MSPs, MSSPs, and mid-market organizations. Adam's career has taken him from early internet abuse investigations through building and selling a cybersecurity services company, and into product development at the intersection of AI and defensive security.

Connect with Adam on LinkedIn →

About the Host: Josh Peterson

Josh Peterson is the CEO of Bering McKinley and host of The BMK Vision Podcast. Since 2004, Josh has worked with hundreds of MSP owners to build operationally sound, profitable businesses through consulting, peer teams, and direct coaching.

Connect with Josh Peterson on LinkedIn →

Related Resources from Bering McKinley

Want to Continue the Conversation?

If this episode made you question whether your security stack is actually doing what you're paying it to do, you're asking the right question. The BMK Vision Operating System helps MSP owners build the operational discipline to make decisions like these with clarity — not assumptions.
