Guest Column | February 12, 2019

So, You Want To Start An MSP

By John Watkins, Capital Business Systems, Inc.

MSP And VAR Branding

Over the last year or so I've noticed a sharp increase in the number of questions being posted to MSP forums that relate to starting an MSP or moving from a break-fix model to an MSP model. This is to be expected as the model becomes more well known and more entrepreneurs start MSPs, but some of the questions that are posted send a chill down my spine:

  • We want to offer Penetration Testing to our clients, what tool should we use?
  • What email services are HIPAA Compliant? Will free Gmail be okay?
  • What’s the best PSA/RMM/AV/UTM/etc. and do I really need one?
  • Can someone give me their client contract? And BAA? And Onboarding Checklist? And …

First off, to have any sort of successful career in any IT related field you should be able to use a search box on a forum to find the answer to a question that is posted weekly. More than that, you should be able to find multiple sources on the internet that will give you more than enough information to start an MSP, setup DNS, or resolve whatever issue it is you're working on. Asking questions is a great way to learn, but make sure to do your own research before going to others for help.

Additionally, don’t get ticked off when no one wants to share their onboarding documents, new site audit checklist, or client contract for free. I have spent countless hours reading forums and best practice documents from vendors, building revision after revision of our internal documentation to try and get it perfect — not to mention the cost of having lawyers and other professionals review the documents on a regular basis. Just because something works for one MSP doesn’t mean it will work for you, so it’s best to do your own research, put in the effort, and learn the hard way.

Do you know why there are so many MSP coaches and peer groups? Because starting, growing, and managing an MSP is an extremely difficult thing to do. Yet, because there are so many people willing to pay for a shortcut or easy path to success, you see new coaching programs pop up every week. When you realize the guy arguing on Reddit that “RAID is just as good as a backup” is the same guy your dentist/doctor/accountant trusts to secure your private information, the problem becomes clear.

It seems like something that shouldn't have to be said, but healthcare IT is not the vertical to cut your teeth as a new MSP. There isn't a magic, singular tool that will keep your clients secure. Layering multiple security measures (including end user training) and following established best practices is the way to go. It’s important that, before moving into supporting healthcare clients, you have solid experience in Network and Endpoint Security, Logging/SEIM, creating policies and procedures, end user training, and backup and disaster recovery technologies, not to mention HIPAA regulations that correspond to each item. Managing healthcare clients is not something to be taken lightly or started on a whim.

If you have to ask what HIPAA stands for you shouldn’t be offering HIPAA audits to your clients. If you have to ask if encryption is necessary on the doctor’s laptop, or if a UTM is really needed instead of using the ISP provided router, then you're not ready.

Most of us aren't, and that’s okay.

Focus on what you know, but always be mindful of what you dont know. At the end of the day, it’s the client who is going to suffer when they’re hit with ransomware because your MSP coach didn’t explicitly tell you to close 3389.

About The Author

John Watkins is a seasoned expert in SMB technologies, having spent over a decade helping businesses grow by leveraging new technology and IT processes. While his focus has been primarily in IT Management, he is also well-versed in Unified Communications/VoIP, Cloud Technologies and Cyber Security. Currently, John works for Capital Business Systems, providing vCIO services to clients across the Midwestern United States. For more information visit