Most MSPs are tool-rich and strategy-poor.
We love to debate the merits of one EDR versus another or which RMM has the best scripting engine. We wear our tech stack like a badge of honor, convinced that the next purchase will finally solve our operational chaos.
It won't.
Tools create activity, not strategy. Leading with tools is exactly why so many MSPs feel like they are reinventing the wheel for every single client.
To escape this trap, you need to stop looking at your stack and start looking at your standards. You need a framework.
As Empath co-founder Wes Spencer put it in the premiere of his show, Above the Stack with Cloud Capsule's Nick Ross, "The goal is to lift MSPs out of the weeds and focus on the strategy that actually drives value."
That strategy starts with CIS Controls for MSPs.
MSPs love their tech stack. We spend hours on Reddit debating the merits of one tool against another, convinced that finding the perfect one is the secret to success.
But to your client, your stack is just overhead.
They don't care which RMM you use. They don't care about your firewall vendor. They care about outcomes. They want to know they are secure, compliant, and productive.
When you lead with tools, you're just building stack bloat. You end up with a dozen disconnected solutions that generate noise, alerts, and costs, but no cohesive narrative of safety.
As Wes puts it, you have to lift "above the stack." You need to stop selling the ingredients and start selling the recipe. That recipe isn't a product, it's a framework.
Why CIS Controls Are Your North Star
The Center for Internet Security (CIS) Critical Security Controls might sound like just another compliance acronym, but for an MSP, they are the ultimate operational hack.
As Nick explains, CIS serves as a "North Star" that solves three core operational problems:
Aligning with a framework like CIS is a natural progression that helps you attract larger customers because you are finally speaking their language.
If frameworks are so great, why do so many MSPs resist them?
Fear. We look at the full list of controls and get analysis paralysis. It feels too heavy, too "enterprise," and too expensive to implement for a 20-person law firm.
But Nick warns, "Perfection is the enemy of good." You don't have to be the Pentagon on Day 1. The goal isn't to implement Control 18 tomorrow, it's to start with Control 1 (Inventory) today.
Wes uses an analogy to explain why winging it without a framework is so dangerous:
"Imagine telling a security guard to guard a massive warehouse, but you don't know where the points of entry are. You don't know what doors are locked and unlocked. You don't know who has a key. What rational decision-maker would say, 'Yeah, that sounds like a good plan'?"
Trying to secure a client without a framework (specifically inventory) is like guarding that warehouse blind. You can hire the best security guards (tools) in the world, but if you don't have an inventory of the doors (framework), you are guaranteed to fail.
Adopting CIS is a sales weapon.
In a crowded market, every MSP claims to be secure. When you can show a prospect that your offering aligns with the CIS Controls, you instantly differentiate yourself from the commodity players who are just using hope as a strategy.
It shifts the conversation from "Why is your price higher?" to "Oh, I see why you're worth it."
It allows you to stand firm in your QBRs. You aren't selling an upgrade because you want more money, you're selling it to move them from "Implementation Group 1" to "Group 2" to reduce their business risk. That is a strategic advisor conversation, not a vendor pitch.
What does your MSP look like after you adopt CIS?
It looks boring. And boring is profitable.
You stop waking up dreading the phone ringing. You stop reacting, and you start leading.
This is a practical survival guide for the modern MSP.
If you're ready to stop firefighting and start building a strategy, join Wes Spencer and Nick Ross as they break down the CIS Controls into MSP-ready actions every month on Above the Stack.
They cut through the noise, integrate real-world Microsoft guidance, and help you operationalize security without the bloat.
How to Watch: You can catch past and future episodes wherever you learn best:
And this is just the beginning. The Empath platform is home to a growing library of expert-led cybersecurity courses, from foundational training for your techs to strategic guides for your leadership team.
Ready to operationalize these frameworks and stop the firefighting for good?
Book a demo to see how Empath gives your team the tools to build a scalable, standardized security practice.
Watch the premiere episode where they break down Control 1 (Inventory):