There is a version of managed services that clients actually need. Most MSPs are delivering something slightly different.

The gap is not in the technical work. Patching is handled. Backups are running. Endpoint protection is deployed. The firewall is managed. By most measures, the technical side of a managed services engagement is well executed. And yet, when something goes wrong — a phishing email succeeds, a supplier is breached, a staff member mishandles a client record — the organisation finds itself completely unprepared. No incident response plan. No process for notifying affected parties. No documented understanding of what data they hold or where it lives. No governance at all, just technology.

This is the half most MSPs are missing.


The Short Version — Cut to the Chase

If you read nothing else, read this.

  • Technical controls are necessary but not sufficient. Firewalls and endpoint protection do not substitute for incident response plans, documented data handling practices, or staff awareness. MSPs who only deliver the former are leaving clients exposed.
  • Your clients have regulatory obligations you are not helping them meet. The Australian Privacy Act 1988 now requires documented privacy governance, reasonable organisational measures (not just technical ones), and a tested breach response process. Most MSPs are not touching any of this.
  • The gap exposes you, not just your client. If a client is breached and their insurer or legal team asks what governance was in place, your managed services agreement will be scrutinised. Scope exclusions protect you — but only if they are explicit and the client understood what they were not getting.
  • The MSP that adds right-sized GRC wins the relationship. Clients who get governance and technology from one trusted partner are far harder to displace than clients who get technology from you and nothing from anyone.

What “Full Service” Actually Means

The framing of managed services has always been technology-first. That made sense when the primary client concern was uptime and hardware. It makes less sense in 2026, when the primary concern — particularly for businesses in healthcare, financial services, and professional services — is regulatory exposure, data handling obligations, and the question of what happens when something goes wrong.

An SME client in general practice, for example, is subject to the Privacy Act 1988 (including the reforms that took effect in December 2024), the Australian Privacy Principles, the Notifiable Data Breaches scheme, and potentially the My Health Records Act. They are likely also subject to their state’s health records legislation. Their MSP keeps their systems running. But does anyone in that engagement help them understand what data they are collecting, how long they should keep it, who can access it, and what to do when a laptop goes missing? Usually not.

This is not a criticism of technical competence. It is an observation about scope. The traditional MSP has built its service model around what it knows, and it knows technology. The result is clients who are technically defended but operationally exposed.


The Three Pieces MSPs Are Not Delivering

Governance — the documented house rules. Every client needs a small suite of foundational policies: an information security policy, a privacy policy that actually reflects how the business handles personal information (not a template downloaded from the internet), an acceptable use policy, and a data classification framework. These do not need to be 80-page documents. For an SME, a fit-for-purpose set runs to perhaps fifteen to twenty pages in total. Most MSPs have never had this conversation with their clients, because it falls outside the technical delivery scope.

Risk management — knowing what you are actually protecting. A risk assessment does not require a consultant and three months. For a small business, it requires a structured conversation about what assets matter, what threats are plausible, and what the organisation’s appetite is for different categories of loss. The output is a register — a living document, not a one-time exercise — that informs technical investment decisions. When a client asks whether they need MFA on their email accounts, the correct answer is not “yes, it’s best practice.” The correct answer is “yes, and here is why it sits at the top of your risk register.” Risk context turns technical recommendations from opinions into decisions.

Compliance — the obligations that already exist. Under APP 11.3, introduced in the December 2024 Privacy Act reforms, the requirement to take “reasonable steps” to protect personal information now explicitly includes both technical measures and organisational measures. Staff training, documented processes, and written policies are not optional extras — they are part of what the law requires. MSPs are well placed to deliver the technical side of this. Almost none are delivering the organisational side. When an organisation suffers a notifiable data breach and the OAIC asks what governance was in place, “our MSP managed the firewall” is not a sufficient answer.

The Risk to the MSP

Here is where this becomes commercially urgent rather than just philosophically interesting.

When a client is breached, the question of liability does not stop at the client. If an MSP has positioned itself as a trusted technology partner, has been managing the environment for several years, and has never once raised the topic of incident response planning or privacy obligations, there is an argument — and plaintiff lawyers are beginning to make it — that the MSP had a duty to at minimum flag the gap. Whether that argument succeeds in court is a separate question. The cost of defending it is not.

Managed services agreements that are silent on governance are agreements that leave scope open to interpretation. Explicit scope exclusions, clearly communicated, protect the MSP. But the cleanest protection is delivering the service the client actually needs, not just the service that was easiest to scope.


The Opportunity

None of this requires an MSP to hire a CISO or build a GRC practice from scratch. It requires a model where governance, risk, and compliance services are available to clients at a scale that matches the client’s size and risk exposure. For a ten-person professional services firm, right-sized GRC might be a policy review, a basic risk register, and an incident response runbook — perhaps fifteen hours of advisory work per year. For a fifty-person healthcare provider with three locations, it is more involved, but still a fraction of what an enterprise engagement would look like.

The modern MSP builds this capability — or partners with someone who has it — and becomes genuinely stickier. The traditional MSP that does not is, at some point, going to lose a client to one that does.

Technology is table stakes. Every traditional MSP can patch, back up, and manage endpoints. The modern MSP does that and shows up with governance.


If This Feels Like a Lot

Because it is.

Governance, risk management, compliance, privacy obligations, incident response, third-party risk, policy frameworks — this is a genuine body of work that touches procurement, HR, board reporting, and legal, not just IT.

If you are an MSP owner staring at this and wondering where to start, or if you are an SME client realising your current IT support has not touched any of this, that is exactly the conversation worth having with a GRC professional before you spend a quarter going in circles. A few hours of structured advice early saves weeks of internal debate and a considerable amount of heartache later.

Daniel Johns is a CRISC-certified virtual CISO and GRC advisor, Founder of Coastal Cyber, and a member of the ISACA Global Advisory Council and CompTIA Executive Council ANZ. He works with healthcare providers, financial services firms, and technology businesses across Southeast Queensland on privacy, cyber security, and governance.

If your privacy and cyber posture needs a clear-eyed assessment, book a 20-minute conversation.