TL;DR: MSPs risk becoming replaceable tool installers when they describe features, tickets, and uptime instead of measurable business outcomes, according to JumpCloud. The expectations gap forces providers to translate security work into risk reduction, productivity, and cost control if they want to defend value and avoid price-only competition.
NHIMG editorial — based on content published by JumpCloud: the MSP expectations gap and the shift to value-driven growth
Questions worth separating out
Q: How should MSPs explain security work without sounding like tool installers?
A: They should translate each control into a business outcome the buyer can defend.
Q: Why do clients push back when MSPs report lots of activity?
A: Clients do not buy activity.
Q: What should identity teams include in a business-facing QBR?
A: They should include the security or operational outcome achieved, the change in exposure or workload, and the next decision the client needs to make.
Practitioner guidance
- Rewrite recurring reports around business outcomes: Replace activity-only metrics with statements that connect controls to risk reduction, productivity, and cost control.
- Change discovery from stack review to business risk review: Start conversations with the client’s growth plans, service dependencies, and top operational risks before discussing tools or vendors.
- Convert QBRs into forward-looking governance reviews: Show what changed in the last period, then name the next decision the client must make about access, lifecycle, or service scope.
What's in the full article
JumpCloud's full article covers the operational detail this post intentionally leaves for the source:
- The exact four-question quiz used to assess whether an MSP is stuck in the tool installer model.
- The value-driven sales language examples that translate features into outcomes for client conversations.
- The step-by-step discovery changes that shift conversations from stack review to business vision.
- The QBR structure the article recommends for presenting delivered outcomes and next-quarter plans.
MSP value gap: what it means for security and service teams
Explore further
The expectations gap is a governance problem before it is a sales problem. When technical teams describe security work in their own vocabulary, stakeholders lose the ability to evaluate whether the programme is reducing risk or just producing activity. That failure is visible in MSPs, but it also affects identity programmes that report deployment volume instead of control effectiveness. Practitioners should treat value translation as part of governance, not as presentation polish.
A few things that frame the scale:
- Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities, according to The State of Non-Human Identity Security.
- A separate finding shows that 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, which keeps identity risk hidden from standard reviews.
A question worth separating out:
Q: How can service providers prove value when security work is invisible?
A: They should use outcome-based reporting that makes invisible controls legible. For identity and access work, that means showing reduced compromise risk, shorter onboarding time, fewer exceptions, or fewer access-related tickets. When the result is measurable, the service becomes easier to defend and harder to replace on price alone.