Every MSP has lived this moment. A client calls and says they want a “custom” security program. They want their policies to sound like them. They want controls that are “unique to their workflow.” They want you to bend your stack into whatever shape fits their idea of security. They tell you it will only take a few minutes. They tell you it is an easy change. They tell you that their industry is special and their business is even more special.
And because you want to keep the client happy, you say yes.
It feels like the right move in the moment. You want to show value. You want to prove you are flexible. You want to win their trust. But that yes is the seed of a very painful, very predictable future. It is the moment you take on a burden that grows heavier every single day you support that account.
Let me tell you why.
Hospitals Do This at Scale and It Still Fails
A while back I worked with a hospital that had a long list of compliance requirements. Every policy was carefully written. Every procedure was mapped. Every control had a clear owner. On paper it looked beautiful. It looked like a perfect specimen of a security program.
But every time we asked operations to follow one of those policies, they pushed back. Not because they did not care about compliance. They cared deeply. The problem was that their world did not match the policies written for them. The policies were written in a boardroom. They were not built around how real people work.
We would show operations what the policy said and they would respond with some version of “that is not how we do things here.” Then they would do it their way. And the whole compliance program would drift further and further away from reality.
That is the danger of a security program that is built to be customized. It sounds good in theory. It looks good on paper. But the moment it hits real workflows, it breaks apart. When you give clients custom security programs, you lock yourself into supporting something fragile that you did not design for scale. Something that does not live in your wheelhouse. Something that becomes your problem every time it falls out of alignment.
Everyone Says They Want Custom Security. What They Actually Want Is Safety.
Most business owners are not asking for custom because they love customization. They ask for it because they believe custom equals safer. They assume that the more it sounds like their business, the more secure it must be.
You know that is not true. A secure program is a program that is followed. A secure program is a program that can be validated. A secure program is a program that you can enforce and support every day. A custom program might sound nice, but nice does not keep bad actors out. Nice does not pass an audit. Nice does not help you figure out why something failed during an incident.
When a client asks for custom, what they are really asking for is confidence. They want to feel like their specific risks are covered. They want to feel seen. That is a good thing. But you can give them confidence without giving them custom. You can give them a strong program that protects them and is still manageable for your team.
And if you do not, you are setting yourself up to be blamed later.
You Will Carry The Bag When Something Goes Wrong
Picture this. You built a custom policy for a client. It was simple enough. They wanted a few things changed. They wanted the MFA section rewritten to match their workflow. They wanted their password rules written in their internal language. You adjusted the program. Everyone felt good.
Fast forward a year. They get breached. A regulator or carrier comes knocking. The first question they ask is whether the client followed their policies. They pull up the custom policy you wrote. The one you modified to keep everybody happy. The one that is different from what you give your other clients. The one that you now have to defend.
Suddenly you need to remember every decision you made. You need to prove the program was aligned with best practices. You need to explain why this client’s controls are different from your standard stack. You need to show evidence that these custom pieces were maintained, validated and monitored the same way your standard stack would have been.
This is where MSPs get crushed.
The more custom the environment, the more responsibility you end up owning. And not the good kind of responsibility where you feel proud of the impact you make. I mean the heavy responsibility of trying to explain why you built a control that you could not maintain. Or why a policy says one thing and operations did another. Or why the custom workflow created gaps that you never saw coming.
Clients love custom until something goes wrong. Then the target shifts to you.
And you will be the one they blame.
You Need a Standard Security Program Because You Need Protectable Boundaries
A standard security program creates strong lines around what you support. It gives your team a stable reference point. It gives you a consistent way to audit. It gives you a predictable set of controls that you can train on, monitor and defend. It cuts down the variables so you can focus on making the program work instead of figuring out how to reinvent it every time a client asks for something new.
When your security program is standardized, every client benefits from the same improvements. When you learn a better way to run MFA, it goes everywhere. When a new threat emerges, you can update one standard and roll it out. When you tighten your documentation, every client rises with you.
But when you customize, you lose that leverage. Suddenly you have twenty different versions of MFA, five different patching policies, and a dozen ways to track access reviews. You now run a security department built out of spare parts. And the moment something goes sideways, you cannot trace what happened because everything is different.
A standardized program gives you the ability to protect clients and protect yourself at the same time. It lets you scale. It lets your team stay sane. It lets you maintain and validate controls with confidence instead of guesswork.
Your Clients Want Outcomes. Standardization Delivers Them.
At the end of the day, your clients do not care about a custom policy. They care about whether they stay out of the headlines. They care about whether their cyber insurance pays out. They care about whether they stay out of court. They care about whether they pass the next security review with a vendor or investor.
You deliver those outcomes by running a tight, predictable, defensible security program. Not one that is stitched together differently for every client. Not one you have to babysit or decode every time you walk into a meeting.
Help your clients understand that custom is costly, risky and brittle. Show them that standardization is not cutting corners. It is the only way to keep them safe. And the only way to keep your team from drowning in complexity.
If you are going to take a lesson from the hospital world, let it be this. A beautiful program on paper is useless if nobody can follow it. And the more custom it is, the faster it falls apart.
Do not learn this the hard way.
Standardize your security program. Protect your clients. Protect your team. And protect yourself.
YOU ARE INVITED
Join me for the Advanced Security Stacking Building Workshop, where you will learn how to standardize your security program and finally get out from under the custom one-offs that slow your team down.
Date: Friday, December 5, 2025
Time: 11am ET - 3pm ET


