Research Project: This is a free AI research project. No warranties, SLAs, or company associations. Learn more

B
Brainstorm
LoginGet Started
Back to Blog
Research

The State of MSP Security: 2024 Benchmarking Report

Key findings from our analysis of 1,000+ MSPs: control implementation rates, common gaps, and what top performers do differently.

November 20, 202412 min readBy BrainstormMSP Team

About This Report

This report analyzes security control implementation across 1,000+ MSPs managing over 50,000 client environments. Our goal: understand the current state of MSP-delivered security and identify patterns that distinguish top performers.

Executive Summary

- Average CIS Controls implementation: 62%

- Top quartile implementation: 84%

- Bottom quartile implementation: 41%

- Most common gap: Audit logging and monitoring

Key Findings

Finding 1: Implementation Varies Dramatically

The gap between top and bottom performers is 43 percentage points. This isn't about tools—it's about operational discipline.

Finding 2: Backup Controls Are Strong

98% of MSPs have backup systems in place. But only 67% regularly test restores, and just 52% verify immutability.

Finding 3: Identity Is the Weak Point

While 89% require MFA for Microsoft 365, only 45% enforce it for all remote access. Conditional access policies are configured at just 34% of client environments.

Finding 4: Monitoring Lags Behind

Just 38% of MSPs have centralized log collection. Security event monitoring is active at only 29% of client environments. This is the biggest gap between intent and implementation.

Finding 5: Documentation Predicts Success

MSPs with documented security standards score 27% higher on control implementation. The act of documenting forces clarity and enables consistency.

What Top Performers Do Differently

They Automate Verification

Top quartile MSPs don't trust that controls are in place—they verify continuously. Automated monitoring catches drift before it becomes a gap.

They Standardize Aggressively

Rather than customizing for each client, top performers define standards and apply them consistently. Exceptions are rare and documented.

They Measure Constantly

Top performers track security metrics weekly, not quarterly. They know their implementation rates in real-time.

They Connect Security to Business

Top quartile MSPs present security in business terms: risk reduction, compliance achievement, insurance optimization. This creates client engagement.

Recommendations

1. **Assess your baseline** - You can't improve what you don't measure

2. **Prioritize monitoring** - It's the biggest gap and highest-impact improvement

3. **Standardize controls** - Consistency enables scale

4. **Automate verification** - Trust but verify, continuously

Conclusion

The MSP security landscape shows significant variation in maturity. The gap between top and bottom performers represents both a challenge and an opportunity. MSPs who close this gap will differentiate themselves in an increasingly competitive market.

Share this article

Related Articles

Best Practices

How MSPs Can Automate Security Compliance Without Adding Headcount

Learn how leading MSPs are using AI-powered compliance automation to scale their security practice profitably while reducing operational overhead by 80%.

Industry Insights

The ROI of Automated Security Controls: A Data-Driven Analysis

We analyzed 500+ MSPs to quantify the financial impact of automated security control evaluation. The results are compelling.