Something I've noticed changing in conversations over the past year

Here's something nobody really talks about in MSP sales: the security evidence request is coming from more directions than it used to. A few years ago, you might have had the occasional insurance renewal questionnaire or an ISO 27001 audit for a client in a regulated sector. What I've seen over the past 12 to 18 months is that the requests are multiplying. Enterprise customers asking their suppliers to complete due diligence questionnaires. Lenders requiring security assurance before releasing finance. Boards asking for security metrics at quarterly reviews. New clients wanting to understand security posture before signing contracts.

And what strikes me about this is that the underlying evidence each of these requests is looking for is largely the same. They all want to know that the client has documented controls, that those controls are actively monitored, that incidents are detected and handled, and that there's a record of all of this. The format might be different, a supplier questionnaire versus a board report versus an insurance renewal form, but the data is the same data.

The reason I mention this is that it changes how I think about the value of a well-structured managed security service. If your monitoring produces good ongoing evidence, your client can answer most of these requests without much additional work. If it doesn't, every request becomes a fire drill. Does that make sense as a framing? Because I think it's one of the most practical ways to explain to a client why structured reporting matters beyond the security operations themselves.

What evidence requests are clients facing

Cyber insurance renewals

We've covered this in some detail elsewhere in this series, but it's worth naming here because it's the evidence request that most clients have a direct commercial stake in. A failed insurance renewal, or a renewal that comes back with significantly higher premiums or reduced coverage, has an immediate financial impact. What auditors look for in security evidence at this stage includes control documentation, incident history for the policy period, and evidence that monitoring was active and producing alerts throughout the year.

Customer and supplier due diligence

Enterprise customers are increasingly requiring suppliers to evidence their security posture before or during contract negotiations. This tends to arrive as a questionnaire, sometimes running to several dozen questions, covering security policies, access controls, incident response capability, data handling practices and third-party risk management. For mid-market suppliers who are trying to win or retain enterprise customers, the ability to produce this evidence efficiently is a genuine commercial differentiator.

What I've seen catch clients out here is the gap between having reasonable security practices and being able to articulate them clearly in writing on short notice. The practices exist. The documentation doesn't. And the enterprise procurement team reviewing the questionnaire doesn't have visibility into the practices, only the questionnaire responses.

Board and risk committee reporting

Boards and risk committees are asking for security information more often and in more detail than they were two or three years ago. Partly this reflects regulatory pressure, particularly in financial services and listed companies. Partly it reflects genuine increased awareness at board level of cyber risk as a business risk. The requests tend to come as a standing agenda item at quarterly board meetings, and they require a report that communicates security posture in non-technical language. For most MSPs, producing this reporting is not a default part of the managed service. For the ones who do produce it, it becomes a significant retention mechanism.

Lender and investor security reviews

This is an area that's grown more than I would have predicted a couple of years ago. Lenders providing financing to SMBs, and investors conducting pre-investment due diligence, are increasingly including security posture assessments as part of their review process. Augmenting compliance services to cover this kind of evidence production is something more MSPs are starting to offer, partly because the clients who go through these reviews tend to be higher-value accounts with more complex security requirements.

How continuous monitoring produces evidence

The practical point here is that the evidence most of these requests are looking for is already being produced by a well-run monitoring service. Every alert detected and resolved creates a record. Every MFA status report creates a snapshot of control coverage. Every backup test creates a result that can be retrieved. Every incident handled creates a timeline that can be presented to an insurer or auditor.

What tends to happen with MSPs who are not structuring their monitoring output as evidence is that all of this data exists somewhere but it's not retrievable in a useful format when the request arrives. The alert history is in the SIEM. The MFA coverage data is in the Entra ID reports. The backup test results are in an email somewhere. Pulling it all together under time pressure, which is usually when the request arrives, is genuinely difficult.

The shift worth making is to treat evidence production as a standing output of monitoring operations rather than a separate activity that gets triggered by an evidence request. A monthly security report that covers the key areas, detected incidents, control coverage, backup test outcomes and vulnerability management activity, gives the client a 12-month evidence trail at the end of the year that answers most of the questions they'll face from continuous monitoring and alert management to insurance and audit alike.

What good structured reporting looks like

Just to give you a bit of context on what I mean by structured reporting: the most useful format I've seen is a monthly summary that covers 4 areas in consistent language. First, security events: alerts detected in the period, their classification and how they were resolved. Second, control status: MFA coverage across accounts, patch status across managed devices, EDR deployment status. Third, risk items: any open vulnerabilities, misconfigurations or control gaps identified during the month. Fourth, actions taken: what was remediated, tested or reviewed.

The key thing is that it's consistent month to month. A report that covers different things each month is useful operationally but it's not useful as an evidence trail. A report that covers the same areas in the same structure for 12 months gives you something you can present to an insurer, a board, a due diligence reviewer or an auditor as a coherent picture of ongoing security operations.

The best SOC as a service implementations I've seen include a Fractional Security Director who takes the monitoring data and shapes it into the kind of client-facing reporting that works across all of these evidence contexts. The compliance frameworks your clients get asked about, across insurance, due diligence and regulatory audit, tend to map onto a consistent set of control areas, and a reporting structure designed around those areas serves all of them. The work Stability IT have done in building this kind of evidence infrastructure into their service delivery is a good example of what it looks like when it's working well.