I recently sat down with Matt Lee, and his “What, How, Tool, Proof” framework totally changed how I plan to tackle security moving forward.
If you’ve ever struggled to prove your security measures to clients or insurers, I think you’ll find Matt’s approach a game-changer.
[ Downloadable worksheet towards the bottom ]
My 3 Biggest Takeaways
1. The BIG Idea
• Instead of jumping on a fancy new tool right away, Matt suggests pinning down your exact outcome first (the “WHAT”), then mapping every scenario (the “WHAT’S”) and clarifying your method (the “HOW”) before you choose a solution.
This small shift—from “tool-first” to “outcome-first”—has already reshaped my own thinking.
2. The ‘What About?’ Approach
• One of Matt’s special tricks is asking “What about…?” to uncover hidden edge cases (local admin accounts, vendor logins, SaaS tools, etc.).
It’s easy to overlook these smaller details, and they’re often where breaches actually happen. This step made me realize just how many blind spots we might still have.
3. Reality Check
• Matt shared a cautionary tale about an MSP that folded because it couldn’t provide documentation when disaster struck. As he puts it:
“If you can’t prove it, it didn’t happen.”
That line alone drove home how critical it is to collect real-time evidence, not just rely on a fancy process in theory.
How To Talk To Clients About It
Throughout our conversation, Matt also mentioned how MSPs sometimes need to sell these security changes to clients who see them as optional or too costly. A few key points:
• Insurance Clawbacks: Carriers may deny or rescind payouts if no proof of security controls exists. Emphasize the potential financial impact.
• Regulatory & Legal Risks: Without proper evidence, clients could face legal liability or fines, which far exceed the cost of preventative measures.
• Conversation Tip:
“Here’s how we document each layer so that if an insurer or auditor ever questions it, we have airtight proof. Without it, your claims could be denied.”
Positioning these steps as a legal and financial safeguard (instead of just extra expenses) helps clients see the bigger picture.
How To Get Your Team Onboard
It’s one thing to grasp “What, How, Tool, Proof” at a leadership level; it’s another to get everyone else on board. Here’s how to turn Matt’s framework into a collaborative effort that also generates new proof:
1. Kickoff Session
• Host a short meeting where you walk through a simple example of “What, How, Tool, Proof” with your team—pick a control like MFA for admin accounts.
• Encourage questions and real-time brainstorming (especially the “What about…?” step). Your staff often have front-line insights about hidden vulnerabilities or service accounts.
2. Recorded Videos = Ongoing Proof
• Any time someone installs a new security control or updates an existing one, have them record a 1–2 minute Loom/Teams video.
• Show exactly what was configured, why it matters, and where supporting evidence will be stored (logs, screenshots, monthly exports, etc.).
• Save these videos in a shared knowledge base (like SharePoint or a documentation platform). Each video becomes living “proof” of who did what, when, and how.
3. Small Rewards for “What About…?” Finds
• Offer a small incentive (a Starbucks gift card) for the team member who identifies the biggest hidden gap each month—like a rarely used vendor login or an old admin account.
• This gamifies the discovery process and keeps everyone motivated to spot potential risks.
Why It Works:
• Instant Adoption: Team members see firsthand how the framework applies to their daily tasks, instead of viewing it as extra work from “management.”
• Real-Time Documentation: Those short videos (or screenshots) double as both training material for future hires and unassailable “proof” you can present to insurers or auditors.
• Continuous Improvement: By formalizing the habit of “What about…?” and rewarding discoveries, you ensure this framework stays alive, not just a one-time exercise.
Your Next Move: Grab the Worksheet
We turned Matt’s advice into a short, actionable PDF—covering each step, highlighting pitfalls, and offering time-saving tips.
Dive Deeper with Video
• Whiteboard Breakdown: If you’re a visual learner, watch me map each step and show how this all comes together in real scenarios. [Watch Here]
• Full Matt Lee Interview: Hear Matt’s firsthand stories (and tough lessons) that led him to develop this framework. [Watch Here]
If you have any questions or stories while trying out the framework, hit “reply” and let me know—I’d love to hear how it’s going for you.
Talk soon,
Jeffrey Newton
MSP INSIDER