Your MSP Is Not Your Security Strategy: The Governance Gap in SMB Security

Managed service providers operate infrastructure; someone still has to govern risk. Why the MSP-only model leaves a gap, and how fractional security leadership closes it.

Most small and medium businesses answer the security question with a name: we have an IT company. The IT company patches the servers, runs the antivirus, manages the firewall, and answers the tickets, and from the owner’s chair that looks like security, handled. Then a customer questionnaire arrives asking who is responsible for the information security program, or an examiner asks who reviewed the MSP’s own controls, or a CMMC assessor asks who approved the risk assessment, and the gap becomes visible: everyone is operating security, and no one is governing it.

Two different jobs

Operations and governance are complements, not substitutes. The MSP’s job is to run infrastructure well: patching, monitoring, backup, endpoints, tickets. Governance is the layer above: deciding what the organization’s risks actually are, what standard the controls must meet, whether the MSP is meeting it, what the framework obligations require, what gets budget, and what gets said to the board, the customer, and the regulator. Frameworks assume this layer exists. NIST CSF 2.0 elevated governance to a function of its own; GLBA expects a designated qualified individual; CMMC expects someone who owns the SSP and can answer for it. When the layer is absent, the MSP gets asked governance questions it is neither positioned nor incentivized to answer.

Why the gap persists

  • The incentive problem. An MSP grading its own work is a structural conflict, not a character flaw. Oversight of the operator cannot come from the operator.
  • The scope problem. The MSP’s contract covers the infrastructure it manages. Vendor risk, physical security, policy, training, insurance alignment, and regulatory strategy sit outside it, and outside everyone else’s job description too.
  • The economics problem. The obvious fix, hiring a CISO, costs well into six figures and is structurally underused at SMB scale. So the role stays unfilled, and the gap compounds quietly.

The fractional answer

A virtual CISO retainer puts the governance layer in place at a fraction of the hire: a named, credentialed security leader who owns the program, sets requirements for the MSP and verifies them, keeps the risk register and framework posture current, briefs leadership in business language, and faces outward to the customers, examiners, and assessors who increasingly want a person, not a vendor list. The healthiest version of the arrangement is explicitly triangular: leadership sets risk appetite, the vCISO translates it into requirements and oversight, the MSP executes and is measured. MSPs worth keeping tend to welcome it, because written requirements and a competent counterpart make their job easier, and the ones that resist oversight are answering a different question.

A quick self-test

Who in your organization can, this week, produce the current risk register, state which framework obligations bind you and your posture against them, explain what your MSP is contractually required to do about a breach, and answer a customer’s security questionnaire without a scramble? If the honest answer is nobody, the gap is not technical. It is governance, and it is the cheapest serious risk you can fix.

Daytol provides vCISO retainers that put certified, executive-level security leadership in your corner, working alongside the IT provider you already have. The first conversation maps the gap in an hour.

more insights

Your SPRS Score Is Probably Wrong, and That Matters More Than It Used To

How the NIST 800-171 self-assessment scoring methodology works, why most SPRS scores are inflated, and how to fix yours before a prime or assessor checks.

Every defense contractor handling Controlled Unclassified Information has, somewhere in the Supplier Performance Risk System, a number between negative 203 and positive 110. That number is the organization’s self-assessed posture against NIST SP 800-171, and for years it functioned as paperwork: submitted once, rarely revisited, almost never checked

Read more >