Skip to Content
DocsBlogThe "I Thought You Covered That" Problem: Why MSPs Are Giving Away Cybersecurity for Free

There’s a conversation almost every MSP has had, usually right after a breach.

A client gets hit with a business email compromise. They call you, upset. And somewhere in that call, they say the sentence that should make every MSP owner uncomfortable:

“I thought you were already handling that.”

They’re not lying. From their seat, IT and cybersecurity look like the same service. You’ve been managing their environment for years. Why wouldn’t threat protection, compliance, and posture management just be… included?

That gray area isn’t a client problem. It’s a positioning problem — and it’s one of the most common reasons MSPs do real security work for free.

Why the Gray Area Exists (and Who Pays for It)

Most MSPs didn’t create this confusion on purpose. It happened gradually.

You started as an IT provider — backups, patching, uptime monitoring. Somewhere along the way, cyber risk grew faster than the conversation did. New threats. New compliance drivers. New tools. You picked up pieces of it because it needed to get done, not because it was ever scoped, priced, or sold.

The result: your clients assume “IT” already covers cyber. It doesn’t. And when nothing is explicitly scoped, nothing generates margin.

This is the moment discussed in a recent PowerGRYD workshop hosted by Jesse Miller, where he and Shay Cohen, Optimize365 co-founder and CEO, broke down exactly how MSPs can close this gap — without it feeling like an upsell pitch to the client.

A Simple Way to Draw the Line: IT vs. Cyber

To make things simpler to understand, you can use a comparison every client will get: a race car.

  • IT is the engine. It keeps operations running — backups, patching, uptime.
  • Cyber is the steering and the brakes. It’s what protects against threats and lets the business move fast without wrecking.

Both matter. Neither replaces the other. And most importantly, this framing isn’t adversarial — it’s clarifying. You’re not telling clients you’ve been negligent. You’re telling them the sport changed, and there’s a second discipline that needs its own budget line.

This split gives you a repeatable way to walk a client through what’s already included versus what’s genuinely new scope: backups and patching reduce risk, but they don’t cover threat detection, compliance, or M365 posture management. That’s a different job.

How to Reset the Conversation Without It Feeling Like an Upsell

The framing matters as much as the facts. A few approaches that work, depending on the client relationship:

  • The “things changed” approach. Be direct: “We haven’t been as clear as we should be about what’s IT versus what’s cyber — and honestly, the risk you’re facing today looks nothing like it did five years ago. We want to fix that.”
  • The strategic review approach. If you already run QBRs or a vCIO program, this isn’t a new conversation — it’s an extension of one you’re already having.
  • The assessment-led approach. Instead of leading with a sales pitch, lead with data. Run the assessment first, then talk.

That last one is where most of these conversations actually land — because nobody wants to debate hypothetical risk. They want to see their own environment.

Where M365 Posture Data Makes the Case for You

This is the part that turns a positioning conversation into a business decision: show the client their own gaps, mapped to real risk.

A fast M365 security assessment — run against frameworks like CIS, NIST CSF, and MITRE — gives you a clear, client-facing view of:

  • What’s already being addressed (and by what)
  • What’s exposed, and how significant the impact is if it’s left unresolved
  • What can be fixed with the client’s current license, and what requires an upgrade

That last point matters more than it sounds. A lot of clients aren’t underinvesting because they don’t care — they’re underinvesting because nobody ever showed them, in plain terms, what they’re missing and what it would take to close it.

Once the data is on the table, the conversation stops being “trust me, you need this” and starts being “here’s exactly what’s covered and what isn’t — your call.” That’s a much easier sale, and a much easier client relationship going forward.

The Real Fix Isn’t a Sales Tactic — It’s a Definition

Typically, MSPs lose this conversation because the line between IT and cyber was never drawn clearly. Now you have an opportunity to draw it and start the conversation before an incident would trigger it.

Draw the line once, back it with real posture data, and the upsell conversation disappears — because it’s not an upsell anymore. It’s just an accurate description of the work.


Want the full breakdown?

This post covers the framework at a high level. Shay Cohen and Jesse Miller go much deeper in the full session — including the client segmentation model, objection handling scripts, and a live walkthrough of running an M365 assessment in under a minute.

Watch the full PowerGRYD webinar on-demand →


FAQ: IT vs. Cybersecurity for MSP Clients

Do MSP clients think IT services already include cybersecurity? Yes, in most cases. Clients see their MSP managing the entire environment and assume threat protection, compliance, and posture management are already part of that — even when they were never scoped or priced separately.

What’s the difference between IT services and cybersecurity services? IT services keep operations running — backups, patching, uptime monitoring. Cybersecurity services protect against threats — things like threat detection, compliance, and Microsoft 365 posture management. Both reduce risk, but they’re different disciplines with different scopes.

How can MSPs bring up cybersecurity gaps without it sounding like an upsell? Lead with data. Running an M365 security assessment first gives clients a clear, factual view of what’s covered and what isn’t, so the conversation becomes “here’s exactly what’s included” rather than “you need to buy more.”

How long does it take to run an M365 security assessment? With current tools like Optimize365, an M365 security assessment can take less than 2 minutes to run, with no admin credentials required.

What should an M365 security assessment show an MSP’s client? A useful assessment maps findings to a recognized framework (CIS, NIST CSF, MITRE) and separates what’s already addressed from what’s exposed — including what can be fixed with the client’s current license versus what requires an upgrade.

Why does defining IT vs. cyber help MSPs grow revenue? Once the split is clear, security stops being an assumed freebie and becomes its own line item. Clients aren’t paying more because they’re being sold — they’re paying for a service that was always real, just never priced.

Last updated on