Episode Summary
Richard Dean welcomes Matt Lee, Senior Director of Security and Compliance at Pax8, to discuss the shifting cybersecurity priorities for MSPs and their clients. As a former MSP owner himself, Matt brings practical insight to the conversation, particularly around his work with the Center for Internet Security (CIS) on improving their control frameworks.
The discussion traces Matt’s journey helping to refine CIS controls version 8.1 through detailed taxonomical analysis, revealing how every security safeguard requires both technical implementation and governance components. This work highlighted the need for clearer guidance and better alignment with NIST standards, leading to the addition of governance concepts that make the controls more practical for real-world use.
A significant portion of the conversation explores how security has fundamentally shifted from device protection to identity management as businesses adopt cloud services and SaaS platforms. Matt explains why this transition is reshaping MSP business models, even sharing a personal anecdote about clients who no longer saw value in traditional support services after moving to cloud-based solutions.
The episode concludes with a forward-looking discussion on why SMBs might eventually surpass enterprises in security capabilities and how AI tools could transform security practices, provided organizations first understand their data environments. Throughout, Matt emphasizes the critical role of governance in effective security implementation.
Guest-at-a-Glance
💡 Guest: Matt Lee
💡 What he does: Senior Director of Security and Compliance
💡 Company: Pax8
💡 Noteworthy: Former MSP professional educating vendors on practical security controls
💡 Where to find Matt: LinkedIn
Key Insights
Identity Has Replaced Endpoints as the Security Battleground
The cybersecurity field has fundamentally shifted from infrastructure protection to identity protection. Five years ago, security concentrated on strengthening networks and endpoints because that’s where valuable data resided. Today, with widespread adoption of SaaS platforms and cloud services, attackers target user identities instead. This shift makes economic sense for attackers—it’s cheaper and easier to compromise an account through phishing than to exploit technical vulnerabilities. As Matt explains, confidentiality in the CIA security triad (confidentiality, integrity, availability) is now primarily about identity: determining who should access what data. For MSPs, this represents both a challenge and an opportunity, as clients increasingly operate in environments where identity management becomes the primary security control rather than device management.
Small Business Security May Surpass Enterprise Capabilities
SMBs are positioned to potentially overtake enterprises in security posture within the next decade. This counterintuitive development stems from their ability to adopt modern cloud-native security approaches without the burden of legacy systems. As Matt notes, enterprises often can’t escape their “brownfield” environments—they lack sufficient resources to rewrite custom applications built around legacy infrastructure like Active Directory. Meanwhile, MSPs serving small businesses have rapidly moved clients to identity-centric, cloud-based models with standardized security controls. This standardization creates economies of scale and allows for programmatic security implementation through APIs and automation. The result is a more nimble security posture where improvements can be deployed systemically rather than piecemeal, giving SMBs the potential to implement more consistent and effective security than their enterprise counterparts.
Governance Must Complement Technical Controls
Security frameworks require both technical implementation and governance components to be effective. Matt’s work with CIS controls revealed that every safeguard has both technical and administrative sides that must work together. Version 8.1 of the CIS controls notably added the concept of governance, acknowledging that technical controls alone aren’t sufficient. This reflects a growing recognition that security isn’t just about deploying tools but also about measuring effectiveness, ensuring compliance, and establishing processes for when things break. As organizations shift toward identity-centric models and cloud services, governance becomes even more critical because the technical landscape changes rapidly. MSPs that ignore this governance aspect and focus solely on adding features to traditional endpoint management tools risk becoming irrelevant as the industry evolves toward API-driven, identity-centric security models that require strong governance frameworks to be effective.
Viewer Takeaways
CIS Controls Evolution
Matt discusses his work with the Center for Internet Security (CIS) critical controls, explaining how he helped refine the practical application of these controls. His efforts focused on breaking down safeguards into taxonomical elements to make them more implementable. This detailed work revealed inconsistencies and clarity issues in the controls that needed addressing. Matt’s influence resulted in the addition of governance concepts in version 8.1, bringing the framework more in line with NIST standards while making it more applicable for practitioners.
The Shift from Endpoint to Identity Security
The conversation pivots to how security has fundamentally shifted from device-centric to identity-centric approaches. Matt explains that this transition has been driven by the move toward SaaS platforms and cloud services, where traditional infrastructure security becomes less relevant. This shift puts the focus on user identity as the primary security control rather than network or device security, requiring MSPs to adapt their service models accordingly.
MSPs and the Commoditization Challenge
Matt shares a revealing anecdote about clients firing his MSP after he modernized their IT infrastructure because “everything just worked.” Once clients moved to identity-centric, cloud-based models with minimal on-premises equipment, they questioned the value of paying for managed services when they experienced fewer technical problems. This commoditization pressure forced MSPs to develop new value propositions around security and risk management rather than traditional break-fix support.
AI’s Place in Security and MSP Operations
The discussion concludes with thoughts on artificial intelligence’s impact on security and managed services. Matt points out that while AI tools like large language models offer tremendous value for creative tasks and automation, organizations need to understand their data landscape before implementation. He suggests that MSPs may adopt AI technologies faster than enterprises due to their ability to address commoditization challenges through automation, while noting the transition toward more “agentic” AI that can perform tasks independently.