Michael Crean, senior vice president and general manager of managed security services at SonicWall SonicWall published its 2026 Cyber Protect Report in March with a deliberate reframe: rather than threat intelligence for its own sake, the report is built around actionable content for solution providers. The centrepiece is the seven deadly sins of SMB cybersecurity – seven predictable, preventable failure patterns drawn from real breach data. The headline numbers are sobering: 88 percent of SMB breaches involve ransomware, more than double the enterprise rate, average dwell time sits at 181 days, and 85 percent of actionable alerts trace back to identity and credential compromise. Michael Crean, senior vice president and general manager of managed security services at SonicWall, came to the company through the acquisition of Solutions Granted, the MSSP he built – one of the early pioneers of SOC-as-a-service for the MSP market. He’s direct about what the data means for partners: the seven sins aren’t just an SMB customer problem. They’re an MSP problem too. His core argument is that mastering fundamentals – MFA, patching, privilege management – is non-negotiable, and owning the right tools doesn’t change that. You can have the same toolbox as your mechanic; that doesn’t make you a mechanic. On the MSP-to-MSSP question, his answer channels Yoda: do or do not, there is no try. A month after the report’s release, Crean says partners have already been using the sins framework directly in customer conversations – which he describes as the whole point. One postscript: his personal favourite of the seven sins is number five, cost-driven security decisions. His test – ask a room of MSPs how many bought the cheapest car on the lot. Nobody raises their hand. But too many of their customers are doing exactly that with cybersecurity. Read Full Transcript Robert Dutt: Hello and welcome to In The Channel from ChannelBuzz.ca, bringing news and information to the Canadian IT channel community for the last sixteen years. I’m Robert Dutt, editor of ChannelBuzz.ca and your host for the show. SonicWall has published annual threat research for years, but this year they did something different. They stopped calling it a threat report. The 2026 Cyber Protect Report reframes the conversation away from data for its own sake towards something MSPs can actually use – a set of tools and talking points for strategic conversations with customers. The hook they chose? The seven deadly sins of SMB cybersecurity. Seven predictable, preventable failures that show up in breach after breach. My guest is Michael Crean, senior vice president and general manager of managed security services at SonicWall. Michael came to SonicWall through the acquisition of Solutions Granted, the MSSP he built and one of the early pioneers of SOC-as-a-service for the MSP market. Before that, nine years in the military. So when he talks about what MSPs are getting wrong on security, he’s speaking from a fairly unusual vantage point – inside the SOC, inside the vendor, inside the partner community itself. The report had been out about a month when we sat down and I was curious what the actual conversation had looked like since launch. We got into that, the sins themselves, the 181-day dwell time that should make many MSPs uncomfortable, and what it really means to be or partner with a true MSSP. Let’s get right into it. My chat with Michael Crean. Michael, thanks for taking the time. I appreciate it. Michael Crean: Absolutely, sir. Robert Dutt: You called this report the Cyber Protect Report, not the threat report that you guys have been publishing for years. That seems like a deliberate choice. What are you trying to signal with that shift and who are you really talking to with this report? Michael Crean: I think every other threat report just looks the same. It’s got some different colors, it’s got some different logos, but everybody talks about the same exact thing and it felt boring. It felt like, “Why do we have to fit into the same role as everyone else? Why can’t we do something different that’s purposeful and should be meaningful to people?” It actually gives them something to talk about – not just with themselves internally, but also to their customers. That was the reason we went down this path and decided to call it the Protect Report. Robert Dutt: I’m guessing that also sets up why you went with the framing of those seven deadly sins – the seven predictable, preventable failures. I thought that was a really neat hook for it. When you look at that list, which one do you think most MSPs would be surprised to see themselves in? Not so much their customers, but themselves as MSPs? Michael Crean: Number one – ignoring the fundamentals. I mean, it’s incredible the amount of times – because of the work that we do at the SonicWall Security Operations Centers and the amount of compromises that we’re brought in to participate in, investigate, help people with – that you just find it’s this overwhelming amount of: you had the right tools, you had the right tech, and you didn’t know what to do with it. Or you did and you just didn’t take the time to really learn how to ride the bike well. We had a compromise today where a customer of ours got hit with Akira [verify], a ransomware, and we thought we probably knew that the penetration point was the firewall, but we had to do some more investigation. And when we did the investigation, the amount of misconfiguration was staggering [verify]. You pay for all these security services, and they weren’t even enabled – IPS, IDS disabled – and they paid for them. So it’s just unfortunate. These are just, again, what we call ignoring the fundamentals. Robert Dutt: Do you have any thoughts on what’s driving that? Is it a matter of, this is up and running, moving on to the next shiny thing, moving on to the next opportunity? What’s behind that? Michael Crean: I think some of it is that MSPs have found themselves in this place of challenge where they have so much responsibility and customers are looking at them. And I heard this a long time ago when I was a child – the smart person is the person that says what they don’t know. I think a lot of people are fearful to show that side of, “I don’t know something.” But saying “I don’t know” doesn’t mean you don’t know and you’ll never know. It just means, “Hey, I don’t know that, but I’m going to go here and ask this person, or I’m going to go to this vendor and get more information, or I’m going to do some more research and come back to you with a really solid answer.” Instead, there’s this constant – I hate to use the word – but it feels like there’s this constant necessity of yes that we have to keep giving our customers. I prefer somebody to tell me, “Nope, I don’t know how to do that, but I’m going to give you a great contact so that you can get it done right.” So I think that’s part of it. And then we, as manufacturers, we keep telling people all along the way, “Hey, buy my stuff, it fixes your problems. Just buy my stuff.” Well, I can go buy the same box of tools that my mechanic has, but that doesn’t mean I’m a mechanic and it obviously does not mean that my car is going to get fixed just because I’ve got the tools. Robert Dutt: Can attest to that. Fortunately, not with great experience, but there’s a reason I do take my car to someone else to get looked at. Michael Crean: Oh my goodness, you and me both. I want it done right. And as hard as I tend to drive my cars – because I have a thing for speed and adrenaline – I would actually like them to be as proper as they can be. Robert Dutt: Well, especially given that it’s important, when you’re testing the limits shall we say, that the thing stays together while you’re doing so. Michael Crean: Absolutely. Robert Dutt: And back to that point, I think there’s also the factor of when you are presenting yourself – and most MSPs do – as the trusted advisor, the expert on this, who’s going to take care of all this, that creates an even greater disincentive to admitting, “You know what? I need to check on that. Let me find out more,” rather than saying, “Yeah, I got this.” Michael Crean: I think it’s human nature, just in general. Because the moment you admit you don’t know something or you’re not certain, at that very moment in time, we just assume that to be a point of weakness. I believe through the military – I served for nine years – and being a CEO and founder for 22 years, what I really realized, and even when it came to my kids, sometimes when you just don’t know, it’s okay to say you don’t know, but I’m going to find out, or I’m going to figure it out, or we’re going to do it together and we’re both going to be better for it than we were when we started with the question. Robert Dutt: Funny, that came up early in my journalism career too. My editor at the time would say, “Your job is not to know. Your job is to find the person who does.” Along the same lines, a little bit of a different lens. You said something that I quoted in the news piece we did on the release of the report: that the danger isn’t that AI isn’t working – it’s that we’re using it as an excuse not to do the things we already know we should. That’s a remarkably direct thing for a security vendor to say, and it touches on that eating-your-vegetables kind of advice. What are you seeing that made you include that line? Michael Crean: It’s not what I’m seeing today. It’s what I’ve seen for the last 20 years in this industry. I mean, we went from deep packet inspection firewalls to next-generation firewalls. We got all of these extra added capabilities in the firewall, but then we got lazy on doing proper firewalling – con
