inSOC CFO Dave Watts, former CEO of Netfusion and with 24-plus years’ experience in the Channel, explains why these questions are so important.
I have many conversations with MSPs who have ambitions to become MSSPs, but they’re not too sure how to start. In fact, some are not even clear where they are starting from.
So, I always start by asking them two questions:
- What is your current security offering?
- What set of standards/controls have you adopted?
The first thing I say is: tell me about your security offering. All too often the answers reveal that many MSPs don't have a clearly defined security offering, and those who do tend to take a tool-centric approach rather than a holistic strategy, offering, for example, managed firewall services, endpoint security or a proprietary security tool.
This is not taking a holistic approach – and it’s not the way infosec professionals do things.
I then ask, if you’re going to manage your clients’ security – to what set of standards/controls will you align? That’s a key question, but some MSPs don’t really understand what I mean – or why it’s so important.
It's important because if you want to be serious about security and compete with MSSPs, you shouldn't be 'inventing' your own controls. Your clients are scrutinized by external auditors, and many will also need to comply with strict regulatory regimes designed to safeguard data and personal information, such as HIPAA, DFARS, PCI DSS, ITAR and Cyber Essentials. An auditor will ask which recognized control set your service maps to; "our own" is not an answer that passes.
Standards bodies and practitioner communities have already spent years defining control sets that are globally accepted and that auditors and regulators recognize, so why reinvent the wheel?
I always recommend that MSPs educate themselves on the standards available and decide which set of security controls they will adopt, focusing on the following two organizations.
NIST Cybersecurity Framework
NIST published the Cybersecurity Framework in 2014, in response to a 2013 US Executive Order on critical-infrastructure cybersecurity, with version 1.1 following in 2018. It is a collection of standards, guidelines and best practices for managing cybersecurity-related risk, organized around five Functions: Identify, Protect, Detect, Respond and Recover.
The NIST Framework is excellent, but it is big. Its core alone has 108 outcome-level subcategories, and each of these maps to informative references such as NIST SP 800-53, a catalog of well over 500 controls and control enhancements. That's a lot to manage if you are trying to align with all of it.
CIS Top 20 Controls
The Center for Internet Security (CIS) addresses this with the CIS Controls, a prioritized list of 20 controls. Rather than starting from a control catalog, the community that developed them analyzed real-world attacks and breach data to work out which defensive measures, if implemented correctly, would have prevented those incidents, and ranked the result in order of effectiveness (the "offense informs defense" principle). CIS publishes mappings from the Controls back to the NIST Cybersecurity Framework and to NIST SP 800-53, so adopting them does not mean abandoning NIST; it means starting with the highest-value subset and being able to show an auditor where each control lands in the larger framework. One caveat on the numbering: version 8 of the CIS Controls (2021) consolidated the list to 18 controls and replaced the Basic/Foundational/Organizational grouping of version 7 with Implementation Groups (IG1 to IG3), with IG1 defined as the minimum set for essential cyber hygiene.
I strongly urge MSPs and MSSPs to align with the CIS top 20. Trying to align with 500+ controls would be a huge task. Where do you even start? So, make it simple. Cut the task down. Focus on the CIS top 20. The evidence for this is compelling.
CIS itself has estimated that implementing just the first five or six Controls (the 'Basic' group in version 7) mitigates around 85% of the most common cyberattacks, and the Australian Signals Directorate makes a comparable claim for its 'Top 4' mitigations. Higher figures, up to 94% of recent breaches in large US and Australian companies, have been quoted for full implementation of all 20 Controls; the underlying studies are rarely cited alongside that number, so treat it as directional rather than precise. The practical point stands either way: the bulk of the benefit comes from a small, well-implemented set of controls.