Stop Leading with Tools: Why CIS Controls for MSPs Are Your Real Strategy

Most MSPs are tool-rich and strategy-poor. 

We love to debate the merits of one EDR versus another or which RMM has the best scripting engine. We wear our tech stack like a badge of honor, convinced that the next purchase will finally solve our operational chaos. 

It won't. 

Tools create activity, not strategy. Leading with tools is exactly why so many MSPs feel like they are reinventing the wheel for every single client. 

To escape this trap, you need to stop looking at your stack and start looking at your standards. You need a framework. 

As Empath co-founder Wes Spencer put it in the premiere of his show, Above the Stack, with Cloud Capsule’s Nick Ross, "The goal is to lift MSPs out of the weeds and focus on the strategy that actually drives value." 

That strategy starts with CIS Controls for MSPs.

 

 

No One Cares About Your Stack 

MSPs love their tech stack. We spend hours on Reddit debating the merits of one tool against another, convinced that finding the perfect one is the secret to success. 

But to your client, your stack is just overhead. 

They don't care which RMM you use. They don't care about your firewall vendor. They care about outcomes. They want to know they are secure, compliant, and productive. 

When you lead with tools, you're just building stack bloat. You end up with a dozen disconnected solutions that generate noise, alerts, and costs, but no cohesive narrative of safety. 

As Wes puts it, you have to lift "above the stack." You need to stop selling the ingredients and start selling the recipe. That recipe isn't a product, it's a framework. 

Why CIS Controls Are Your North Star 

The Center for Internet Security (CIS) Critical Security Controls might sound like just another compliance acronym, but for an MSP, they are the ultimate operational hack. 

As Nick explains, CIS serves as a "North Star" that solves three core operational problems: 

  1. Clarity: It defines what good looks like. You stop guessing about which security task to prioritize next because the framework tells you. 
  2. Consistency: It creates a standard you can deploy across every client. This standardization is the secret to scalable packaging and pricing. 
  3. Communication: It turns geek speak into business risk. Instead of trying to explain a firewall setting, you can explain that you are aligning them with an international standard for data protection. 

Aligning with a framework like CIS is a natural progression that helps you attract larger customers because you are finally speaking their language. 

Overcoming Analysis Paralysis

If frameworks are so great, why do so many MSPs resist them? 

Fear. We look at the full list of controls and get analysis paralysis. It feels too heavy, too "enterprise," and too expensive to implement for a 20-person law firm. 

But Nick warns, "Perfection is the enemy of good." You don't have to be the Pentagon on Day 1. The goal isn't to implement Control 18 tomorrow, it's to start with Control 1 (Inventory) today. 

Wes uses an analogy to explain why winging it without a framework is so dangerous: 

"Imagine telling a security guard to guard a massive warehouse, but you don't know where the points of entry are. You don't know what doors are locked and unlocked. You don't know who has a key. What rational decision-maker would say, 'Yeah, that sounds like a good plan'?" 

Trying to secure a client without a framework (specifically inventory) is like guarding that warehouse blind. You can hire the best security guards (tools) in the world, but if you don't have an inventory of the doors (framework), you are guaranteed to fail. 

CIS as a Sales Multiplier 

Adopting CIS is a sales weapon. 

In a crowded market, every MSP claims to be secure. When you can show a prospect that your offering aligns with the CIS Controls, you instantly differentiate yourself from the commodity players who are just using hope as a strategy. 

It shifts the conversation from "Why is your price higher?" to "Oh, I see why you're worth it." 

It allows you to stand firm in your QBRs. You aren't selling an upgrade because you want more money, you're selling it to move them from "Implementation Group 1" to "Group 2" to reduce their business risk. That is a strategic advisor conversation, not a vendor pitch. 

Life After Firefighting 

What does your MSP look like after you adopt CIS? 

It looks boring. And boring is profitable. 

  • Fewer Surprises: Because you have a standard for inventory and configuration, you stop getting blindsided by shadow IT or dormancy risks. 
  • Predictable Processes: Onboarding and offboarding become repeatable checklists, not adventures. 
  • Aligned Clients: Your clients understand why you say "no" to exceptions because they understand the framework you are both following. 

You stop waking up to dread the phone ringing. You stop reacting, and you start leading. 

Stop Reinventing the Wheel 

This is a practical survival guide for the modern MSP. 

If you're ready to stop firefighting and start building a strategy, join Wes Spencer and Nick Ross as they break down the CIS Controls into MSP-ready actions every month on Above the Stack. 

They cut through the noise, integrate real-world Microsoft guidance, and help you operationalize security without the bloat. 

How to Watch: You can catch past and future episodes wherever you learn best: 

  • On YouTube: Watch the full replays on our channel. 
  • On LinkedIn: Join the live conversation and Q&A through our events page. 
  • In the App: If you have an Empath account, stream the show directly alongside our other content. 

And this is just the beginning. The Empath platform is home to a growing library of expert-led cybersecurity courses, from foundational training for your techs to strategic guides for your leadership team. 

Ready to operationalize these frameworks and stop the firefighting for good? 

Book a demo to see how Empath gives your team the tools to build a scalable, standardized security practice. 

Watch the premiere episode where they break down Control 1 (Inventory):