Every MSP owner has been in the position of recommending a security investment only to watch the client push back, delay, or ignore the advice entirely. The frustration is real — and the risk it creates is compounding quietly in the background. What makes this problem worse is a finding that most operators don't want to confront: the security tools you already have deployed may not be protecting anyone the way you think they are. Misconfigurations in firewalls, endpoint products, and vulnerability scanners represent one of the most common and preventable attack vectors in cybersecurity today — and most MSPs have no systematic way to catch them. For firms building a cybersecurity practice that protects clients and differentiates in the market, that gap is both a risk and an opportunity. The question isn't whether your stack has a misconfiguration — it's whether you'd know about it before an attacker does.
This episode forces a hard look at the assumptions MSPs make about their security posture. It covers the reality of cyber insurance applications that don't match what's actually deployed, the growing regulatory pressure from frameworks like CMMC, and why some MSPs are drawing a hard line with clients who refuse minimum security standards. For owners trying to navigate compliance challenges and position their firms as serious security partners, the lesson is clear: the work-factor advantage belongs to whoever validates their stack continuously — not whoever buys the most tools. Leaders who understand this will build defensible practices, stronger client relationships, and a revenue model that compounds with trust rather than eroding with every unchecked configuration.
MSPs invest heavily in security tooling — endpoint protection, firewalls, vulnerability scanners, SIEMs — and then assume the investment is working. The uncomfortable truth is that configuration drift, human error, and unchecked defaults silently erode the protection those tools are supposed to deliver. A single endpoint product with two unchecked boxes in its configuration can be the difference between stopping malware cold and a full-blown breach. The problem is not the technology itself. The problem is that no one is continuously validating whether the technology is doing what it was purchased to do. For MSP owners, this isn't a technical footnote — it's a leadership failure hiding in plain sight, and it's one that compounds every day it goes unaddressed.
Many SMB clients treat cyber insurance as the final layer of defense — the backstop that makes everything else acceptable. The reality is far less comforting. Insurance applications often ask questions that the applicant can't accurately answer, and in some cases, the answers are wrong because the security posture described on the application doesn't match what's actually deployed. When a claim is filed and the carrier discovers the gap, the payout doesn't come. For MSPs, this creates a dangerous chain of liability: the client thinks they're covered, the MSP may have assisted in the assessment, and neither party has verified the actual state of the environment. Owners who allow this dynamic to persist are building their practice on a fault line.
End users — especially in less-regulated industries like dental and small professional services — often resist cybersecurity investment with a stubbornness that borders on willful ignorance. They don't believe it will happen to them. They don't want to spend the money. And they're not going to listen to their MSP the third or fourth time the conversation comes up. The emerging reality is that regulation and insurance requirements may be the only forces strong enough to change this behavior at scale. For MSPs, the leadership move is not to wait for the mandate. It's to set a minimum security standard for your client base now — and to be willing to part ways with clients who refuse it. The firms that draw this line early will be the ones building defensible, profitable, high-trust practices on the other side of the compliance wave.
The entrepreneurial arc from employee to service provider to product builder is one of the most demanding transitions in business — and it mirrors a pattern that many MSP owners intuitively understand. Adam Bennett's journey through government security, running a services firm for over a decade, joining a startup, and then founding SureStack illustrates the compounding value of domain expertise when it's channeled into a scalable solution. For MSP owners watching the cybersecurity product landscape expand, the lesson isn't about building your own tool. It's about recognizing the structural problem SureStack addresses: no one is checking whether the stack works. The MSP that partners with solutions focused on validation rather than just detection will deliver a fundamentally different level of service — and earn a fundamentally different level of trust.
A security stack misconfiguration is any setting, rule, or configuration in a security tool — such as a firewall, endpoint product, or vulnerability scanner — that is incorrect, incomplete, or has drifted from its intended state. These misconfigurations are one of the most common and preventable attack vectors because they create gaps in protection that the MSP and client believe are covered. For MSPs, catching and remediating these issues is both a risk management imperative and a service differentiator.
SureStack connects to existing security tools via APIs and continuously monitors configurations against CIS benchmarks, vendor recommendations, government STIGs, and its own knowledge base. The platform identifies misconfigurations, ranks them by severity, and provides AI-assisted remediation guidance through its StackChat feature. MSPs can deploy it in minutes and use it to monitor all client environments from a single dashboard.
Yes. Running a security stack validation against a prospect's environment can surface misconfigurations and vulnerabilities that demonstrate the MSP's expertise and create urgency for the prospect to act. It serves as both a trust-building exercise and a concrete way to show value before the engagement begins — especially effective when displacing an incumbent MSP.
Many small business owners — particularly in less-regulated industries — do not believe a cybersecurity incident will happen to them. The investment feels abstract until a breach occurs. Regulation, insurance requirements, and third-party assessments are often the catalysts that finally move clients from resistance to action. MSPs that set and enforce minimum security standards reduce their own risk exposure while educating clients on the consequences of inaction.
If a client files a claim and the insurer discovers that the security controls described in the application were not actually in place — whether due to intentional misrepresentation or honest misconfiguration — the claim may be denied. This leaves the client fully exposed to the financial impact of the incident and can create liability for the MSP that assisted with the assessment or managed the environment.
SureStack primarily fits within the Identify and Protect functions of the NIST Cybersecurity Framework. It helps organizations understand what they have deployed, whether it's configured correctly, and whether it's current — before an incident occurs. The platform can also support the Detect function through continuous monitoring and alerting when configurations change or new vulnerabilities are discovered.
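One way to make the drift check described in the answers above concrete, as an added example that is not SureStack's code or the page's own: a small Python checker that compares a captured configuration snapshot against a baseline of intended settings, ranks each deviation by severity, treats a missing setting as unverified rather than passing, and reports what changed between two captures so a change can trigger an alert. The setting names, severities and snapshots are constructed for illustration and follow no vendor's schema.

```python
from typing import Dict, List, Tuple

# Constructed baseline: the intended state of a few endpoint, firewall and
# scanner settings, each with the severity of a deviation (hypothetical keys).
BASELINE = {
    "edr.tamper_protection":      (True,   "critical"),
    "edr.realtime_scanning":      (True,   "critical"),
    "edr.definitions_max_age_h":  (24,     "high"),
    "fw.default_inbound":         ("deny", "critical"),
    "fw.logging_enabled":         (True,   "medium"),
    "scanner.auth_scans_enabled": (True,   "high"),
}

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

def check_drift(deployed: Dict[str, object]) -> List[Tuple[str, str, object, object]]:
    """Compare a deployed snapshot to BASELINE.
    Returns (severity, key, expected, actual) tuples, most severe first.
    A key absent from the snapshot is a finding: unknown is unverified, not OK."""
    findings = []
    for key, (expected, severity) in BASELINE.items():
        actual = deployed.get(key, "<missing>")
        if key.endswith("_max_age_h") and isinstance(actual, (int, float)):
            ok = actual <= expected   # age thresholds are "no older than", not equality
        else:
            ok = actual == expected
        if not ok:
            findings.append((severity, key, expected, actual))
    findings.sort(key=lambda f: (SEVERITY_RANK[f[0]], f[1]))
    return findings

def config_changes(previous: Dict[str, object],
                   current: Dict[str, object]) -> Dict[str, Tuple[object, object]]:
    """Keys whose value differs between two captures, as {key: (old, new)}."""
    keys = set(previous) | set(current)
    return {k: (previous.get(k), current.get(k))
            for k in keys if previous.get(k) != current.get(k)}

# Constructed snapshots: a compliant capture, then the same endpoint after two
# boxes were unchecked and definition updates were allowed to lag.
SNAPSHOT_DAY1 = {"edr.tamper_protection": True, "edr.realtime_scanning": True,
                 "edr.definitions_max_age_h": 6, "fw.default_inbound": "deny",
                 "fw.logging_enabled": True, "scanner.auth_scans_enabled": True}
SNAPSHOT_DAY2 = dict(SNAPSHOT_DAY1, **{"edr.tamper_protection": False,
                                       "edr.realtime_scanning": False,
                                       "edr.definitions_max_age_h": 72})

if __name__ == "__main__":
    for sev, key, exp, act in check_drift(SNAPSHOT_DAY2):
        print(f"[{sev.upper():8}] {key}: expected {exp!r}, found {act!r}")
    print("changed since last capture:", config_changes(SNAPSHOT_DAY1, SNAPSHOT_DAY2))
```

In practice the snapshots would come from each tool's API rather than literals, and the baseline from a CIS benchmark or vendor hardening guide; the comparison and ranking logic stays the same.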
Adam Bennett is a cybersecurity veteran with more than 25 years of experience spanning penetration testing, incident response, V-CISO services, and security operations for the U.S. Department of Defense and intelligence agencies. He is the founder and CEO of Crosshair Cyber, a cybersecurity services firm, and the Co-Founder and CEO of SureStack, an AI-native platform that continuously validates and optimizes security stack configurations for MSPs, MSSPs, and mid-market organizations. Adam's career has taken him from early internet abuse investigations through building and selling a cybersecurity services company, and into product development at the intersection of AI and defensive security.
Josh Peterson is the CEO of Bering McKinley and host of The BMK Vision Podcast. Since 2004, Josh has worked with hundreds of MSP owners to build operationally sound, profitable businesses through consulting, peer teams, and direct coaching.
If this episode made you question whether your security stack is actually doing what you're paying it to do, you're asking the right question. The BMK Vision Operating System helps MSP owners build the operational discipline to make decisions like these with clarity — not assumptions.