Cybersecurity prowess should be a critical component of a business’s decision to choose an IT service provider. Likewise, adequately protecting customer data and networks should be a key part of any MSP’s strategy too. Unfortunately, sometimes neither is the case.
To help MSPs better understand where their security gaps may lie, and to help business leaders feel good about the service provider they do business with, CompTIA's Cybersecurity Advisory Council has produced "A CEO's Guide to Choosing an IT Service Provider: Cybersecurity questions for business leaders to ask potential MSP partners." It's a questionnaire that allows end users to assess the knowledge of their potential partners in areas including:
- Company background
- Privilege access management
- Systems management
- Incident response
- Critical patch and vulnerability management
- Service recovery
- Security assessments
Increased Clarity Around Risk Mitigation, Responsibilities
The goal is to provide more clarity about how MSPs treat their own systems so that customers might better understand where their information is stored, how access will occur, and what happens in the event of a cyber incident. The document complements an earlier piece the council created featuring cybersecurity questions that business leaders should ask themselves and their security teams.
“Many executives don’t have the right information or all the information they need to assess their companies’ capabilities and readiness for cybersecurity and potential attacks. Our goal was to give the executives a guide to ask the right questions—questions that typically are not asked by CEOs,” said Kevin Nikkhoo, CEO of XeneX and vice chair of the Cybersecurity Advisory Council.
Further, many CEOs don’t know where to even start in vetting a new or even current IT service partner, according to Kevin McDonald, COO and CISO of Alvaka Networks and co-chair of the council.
“The guide will help even less technically sophisticated decision makers to get some critical answers on the record. It will inform a leader’s selection and retention decisions. It makes both sides of the potential transaction more aware of the risk and reality of an MSP’s security risk mitigation efforts or lack thereof,” McDonald said. “IT pros and service providers often need some help in triggering the questions they should be asking. This is a compilation of questions from many different IT and security focused minds on the CompTIA Cyber Security Council. We hope it helps get a more complete perspective and leads to more confident decisions.”
MSP Benefits Include Knowing Work Still to Do
The guide isn’t just for customers, however. MSPs, many of whom can’t answer all the included questions, should also benefit from it and may have some work to do to address potential gaps in their security portfolio.
“This should help MSPs with their own cybersecurity preparedness including setting up their own environment, workbooks, playbooks and tools to address these questions internally,” said Nikkhoo. “And it helps to engage customers by asking the right questions leading to assessments and other revenue generating projects.”
MSPs should verify their own risk mitigations and ensure their security investments have been well placed, added McDonald.
“While not meant to be comprehensive, the guide covers many of the critical basics that we see being left undone, creating unreasonable risk for everyone involved,” McDonald said. “Once the MSP’s leadership are comfortable that they can attest to following the guide in a meaningful way, they can list it on their site, share it with clients or even present on ways other MSPs and clients should follow the guide. They can break it down as to how they, the MSP, can facilitate the client’s or prospect’s improvements and lead their ongoing management programs.”
A Resource for More Meaningful Engagement
Think of the guide as a conversation starter that can set the stage for deeper engagement with customers, said Nikkhoo.
“I suggest MSPs read this document, pick a few key areas relevant to a particular customer, discuss them in an initial conversation and then propose sending the document, followed by an in-depth conversation. This will show MSPs’ knowledge, value-add, and customer care,” Nikkhoo said.
Of course, answering security questions is the easy part. Having the skills and resources to back up your responses, consistently, is quite another.
“Some will say the bar we set in this document is too high, but these are actually fundamentals that should be followed by all of us. We must fight harder to defend ourselves. While some will still be victimized, we can greatly reduce the risk and limit damage done, individually and collectively,” said McDonald. “An MSP that can say yes to the questions can put a great deal of pressure on any competition that is or wants to be the winner of that client’s or prospect’s business.”