Managed Service Providers (MSPs) can be valuable partners, but their offerings might not align with your cybersecurity needs.
Common cyber challenges for IT MSPs.
I spent years at an IT MSP in roles including COO and CTO. While I would not give up the experience and knowledge gained, I’ve learned some things that can keep IT MSPs from being successful in managing cyber for their clients:
· Primary tech and tools focus – technology is only one-third of the puzzle. Processes and people make or break a cyber strategy.
· Rigidly standardized offerings focused on growth of tech sales or add-ins.
· Cyber expertise limited to vulnerability scanning or running SaaS solutions, add-ins, or security tools of their RMM offering.
· Frequent turnover due to burnout, fatigue, and poaching.
· Overly optimistic compliance offerings (i.e. SOC2, NIST 2.0, etc.). Compliance needs serious business alignment & limited experience can lead to over-investment and underachievement.
· Potential internal incentives to hide cyber risks. The IT MSP primarily keeps things running smoothly. When a good day means few complaints, it is tough to put cyber problems on the table – especially if the team is not ready and able to solve them.
But it is not all challenges and gaps! I’ve also worked with some great IT MSPs who are good partners. These firms know their strengths and offset their weaknesses through partnerships. They don’t oversell capabilities and are transparent with clients. Here are some opportunities that typically work well for IT MSPs in cybersecurity:
IT MSP Strength/Opportunities
· Have defined service agreements for patching vulnerabilities, whether they are running scans or not.
· Push business stakeholders for proper governance and reporting.
· Manage secure configurations and changes.
· Use of Information Technology Service Management (ITSM) systems that are expensive and difficult to maintain.
· Deep expertise in their tools can lead to optimizations based on business needs.
If you already have an IT MSP and are happy with their general performance, here are some ideas to ensure their support around cyber is as good as it can be.
· Set clear expectations and KPIs: Define success metrics for security beyond just uptime.
· Maintain oversight and governance: Don’t blindly outsource your cyber security posture.
· Demand transparency and regular reporting: Know what’s being done and the effectiveness of measures.
· Consider a neutral party in cybersecurity leadership augmentation: You can avoid the “fox watching the hen house” with some creative sourcing, which also plays to the strengths of both your IT MSP and a cybersecurity-experienced third party.
· Communicate openly and build trust: A collaborative approach brings the best out of both teams.
By following these tips, you can leverage your IT MSP for optimal security and avoid becoming dependent on their tools and processes.
At Reveal Risk, we evaluate, design, and deliver strong processes and results in cyber, privacy, and risk that work efficiently, are fit-for-purpose, and are sustained. If you want assistance building your company’s cyber security strategy, governance, and plan towards desired state maturity, please don’t hesitate to contact us at info@revealrisk.com.
317.759.4453
About the Author
Cody Rivers is a Consulting Director at Reveal Risk. Cody helps lead a consulting practice that specializes in creating and maturing cybersecurity programs that focus on risk reduction while aligning their work to client budget realities.
Prior to joining Reveal Risk, Cody served as Chief Technology Officer (CTO) for a successful Midwest-based IT Managed Services Provider (MSP) with clients that spanned the US and Western Europe. While there, he built the cloud security practice that assisted clients to overcome technical obstacles on their path to security maturity and regulatory compliance.
Cody’s experience spans 15+ years working with local professional sports teams to Fortune 1000 companies in nearly all major industries. He’s worked within such frameworks as SOC, NIST, and SOX. In 2021, Cody was recognized as a CTO of the Year by the Indianapolis Business Journal.