
Security adoption begins in the boardroom, not at the helpdesk

The MSP industry has finally started talking about adoption. The talk is about Copilot licences, awareness scores and Teams structures, all of it about end users. The harder conversation, the one that matters most, has not yet started in earnest: do the people who are personally accountable for cyber risk actually understand the dashboards their MSP is showing them?

That question came up in several recent client conversations, in various partner sessions, and again during a recent episode of MSP Late Night, where adoption was, finally, the central topic. The voices around the table were sharp on Copilot, on awareness training and on the gap between selling a licence and changing behaviour. But the discussion stayed almost entirely on the end user. In information security and compliance, where NIS2 has now made directors personally accountable, the bigger blind spot sits one floor up.

Adoption is not just an end user problem

When MSPs talk about adoption, they tend to mean the same thing the productivity vendors mean. Are people using the tool? Are they prompting Copilot? Are they completing the awareness module? Are they clicking the right buttons in the right system?

Those questions matter. But in security and compliance, there is a second adoption question that almost never gets asked. Does the executive who signed off on the contract understand what the tool is telling them? Does the director who is personally accountable for the outcome read the dashboard? Does the management team that owns business risk steer the organisation on the back of the numbers it produces?

If they do not, the dashboard is not adopted. It is paid for. That is a different thing.

How does a director know whether their MSP is actually protecting them?

This is the question owners, directors and board members type into search bars and ask their trusted advisers. It is also the question MSPs are least well equipped to answer in board-friendly language.

The World Economic Forum’s Global Cybersecurity Outlook 2026, published in January 2026 with Accenture and built on responses from 804 senior leaders across 92 countries, captures the gap in two figures. Among the organisations the WEF classifies as highly resilient, ninety-nine per cent report board involvement in cybersecurity. Encouraging on its face. Read further down the same report and only fifty-two per cent of those same organisations say their board members actually receive regular cybersecurity updates. “Involvement without information is not the same as oversight.”

The same survey is blunt about a second point: what worries the CEO and what worries the CISO no longer line up. CEOs put cyber-enabled fraud and phishing at the top of their concerns; CISOs still rank ransomware first. They are looking at the same threat landscape and drawing different conclusions, because they are reading different dashboards in different vocabularies.

For a director, the question of “am I protected” cannot be answered by pointing at a Secure Score, a compliance percentage or a colour-coded heat map. It can only be answered by someone willing to translate the score into the consequences for the business: revenue at risk, contracts at risk, personal liability at risk.

A dashboard is not a strategy

Walk into the average mid-market organisation that uses an MSP for security and compliance, and you will find dashboards. Microsoft Secure Score. A vulnerability count from a scanner. An ISO 27001 readiness percentage. A NIS2 self-assessment. A Defender or EDR console. Sometimes a custom view from the MSP itself.

What you usually will not find is one short answer to the question: “What does any of this mean for our business this quarter?”

Trend Micro’s 2025 Defenders Survey, polling more than three thousand cybersecurity professionals, made the point cleanly. Only around thirty per cent of respondents said their organisation has “a structured, ongoing model for communicating about security events with stakeholders.” The report concluded that managing cyber risk at executive level “requires translation: expressing the risks in business terms instead of technical ones.”

The dashboards exist, the data exists, the tools work. The bottleneck is the translation layer. And the translation layer is, almost by definition, the role of whoever sits between the technology and the boardroom. For most mid-market organisations, that is the MSP.

Hans ten Hove, a regular at the MSP Late Night table, captured it bluntly in a Dutch LinkedIn post: an unadopted solution, he wrote, is simply an expensive invoice with a dashboard attached. That is the line worth keeping in mind every time a new compliance dashboard is rolled out.

What did NIS2 quietly change about board responsibility?

The discussion would be theoretical were it not for the legal shift that has now firmly arrived.

Under Article 20 of the NIS2 Directive, the management body of an essential or important entity must approve the cybersecurity risk-management measures of the organisation, oversee their implementation, and follow mandatory training to be able to assess cyber risks. As DLA Piper set out in a November 2025 analysis of the directive, this responsibility cannot be passed down to the IT department or outsourced to an external provider. Member states have been given the power to impose personal liability on individual directors, and in serious cases to suspend a CEO or legal representative from their duties.

Germany’s revised BSI-Gesetz, which entered into force on 6 December 2025, goes further still. It makes management bodies personally accountable for actually implementing the cyber risk measures, not merely approving them. The German regulator has confirmed that, with the registration deadline of 6 March 2026 now passed, it has moved into active enforcement.

For an MSP, the implication is sharper than it first appears. A director who is personally accountable for cyber risk and who cannot, in plain language, explain what their compliance dashboard means is exposed. Not because the MSP failed technically, but because the adoption gap between the tool and the person legally responsible for the outcome was never closed.

NIS2 does not say that MSPs must become business interpreters. But it makes it impossible for any serious board member to remain a passive recipient of a Secure Score they do not read.

From IT vendor to business interpreter

This is where the role of the MSP needs to evolve, and where many MSPs honestly find it most uncomfortable. Implementation is well-trodden territory. Patch cycles, baselines, monitoring, incident response, ticket SLAs. The technical craft of running an IT estate is genuinely hard, and the people doing it well deserve more credit than they get.

What the technical craft does not automatically produce is a conversation in which a director understands, in five minutes, what they are protected against, what they are not protected against, what it would cost to close the gap, and what would happen to the business if the gap were exploited.

That conversation is a different skill. It needs someone who can sit between a Microsoft Defender console and a profit-and-loss statement, and explain why one affects the other. It needs someone comfortable saying: “Your compliance score is seventy-eight per cent, here are the three controls that are missing, and here is the contract you might lose if a customer audit catches them.” It needs the MSP to stop selling tools and start selling clarity.

A few MSPs in the Dutch, Belgian and German markets are quietly building this capability inside their own teams. Most are not, yet. The ones that do will find that their renewal conversations get shorter and their margins get better, because the value they deliver becomes visible to the person who signs the cheque. The ones that do not will be remembered as the supplier whose dashboards nobody read.

Where Guardian360 fits in

I run an ISV that makes one of those dashboards, so it would be dishonest to write this without addressing what we do and do not do.

The Lighthouse platform produces the usual technical outputs that any serious security tool produces: scan results across networks, IPs and web applications, Microsoft 365 security insights through the Graph API, vulnerability findings, and compliance recommendations against more than forty norms and laws. None of that is unique. What we have spent the last few years building, and what we believe matters most for the conversation in this post, is a business risk score that sits alongside the technical risk scores. The aim is simple: give the board a number that connects to the business, not just to the asset.

A platform can support the translation conversation. It cannot have the conversation. That is the partner’s job, and it is where we depend, every day, on the MSPs, integrators and advisers who work with us. The tooling closes part of the adoption gap. The relationship closes the rest.

A different question to ask at your next MSP review

If you are a director, an owner or a board member, you do not need to read the NIS2 articles to act on what they imply. At your next review with your IT partner, do not ask what they have implemented this quarter. Ask whether you, your management team and ideally your board understand what those implementations mean for the business.

If the answer takes longer than the implementation summary did, you have your finding.

Security adoption begins in the boardroom, not at the helpdesk. The MSP industry, the broader IT sector and the regulators have all started, in their own way, to push in the same direction. The blogs and podcasts about end-user adoption are a healthy start. The next conversation, the harder one, is about the people whose names appear at the top of the org chart and whose signatures end up on the regulator’s letter.

If that conversation has not happened yet at your organisation, it is the most useful one to schedule.