Managed Security Services Providers (MSSP) protect businesses by focusing on cybersecurity, compliance, and risk. IT Managed Services Providers (IT MSP) keep technology running by providing end-user support and back-end operations. Many organizations falsely believe that accountability for the security program shifts to their IT MSP. As a result, businesses are putting themselves at increased risk of interrupted operations and financial loss. Instead of looking to IT MSPs for security, businesses should engage MSSPs to manage the spectrum of security, risk, and compliance.
A Word on Accountability
At the end of the day, each organization bears the responsibility of acting diligently to protect itself, its employees, and its customers from the consequences of cyber threats. Where legal and compliance obligations are concerned, whether it’s a regulation, a contractual obligation, or a key customer, every business needs to be doing reasonable things and be able to prove it.
What is causing the problem?
Secureside works with clients who rely on IT MSPs. A common observation is that clients expect cybersecurity services to be performed in addition to the in-scope IT services. When a client discovers that cybersecurity services are not being performed, it creates consternation for the client. It also puts the IT MSP in an awkward position. Importantly, such confusion negatively impacts the security posture of the client, which can lead to severe consequences.
The root cause boils down to two things:
- Cybersecurity Ownership: Businesses do not realize the importance of cybersecurity and the effect that it has on the business as a whole. Moreover, many do not understand the immense breadth of modern cybersecurity. Consequently, when a third-party security audit occurs, the business is caught off guard. Looking for a way out, the business finds the IT MSP a perfect scapegoat for diverting attention away from its own failure to secure itself.
- Lack of Documentation for Customers: With so much focus on cybersecurity, IT MSPs are behind the curve when it comes to formally documenting all security elements provided to the customer. Historically, there was little need for audit-ready material to be produced. Nowadays, IT MSPs can deliver a value-add simply by showing which controls are in place using a friendly format.
What does an IT MSP offer?
Let’s consider the role of a good IT MSP. First and foremost, IT MSPs should provide top-tier End User IT experiences. When users have an IT-related need, they contact the help desk. Laptops and tablets are managed by the IT MSP. On/off-boarding processes improve.
Behind the scenes, IT Operations is handled. This includes things like network and server management, monitoring for uptime / downtime, and responding to outages. Offerings may include support for email, cloud, or SaaS technologies.
Do IT MSPs offer any security?
Yes. IT MSPs typically provide baseline security in key areas, such as anti-virus for endpoints, and business-grade firewalls with enhanced protection. Encrypting laptops, making sure local firewalls are turned on, and setting up a guest Wi-Fi network are all examples of foundational security practices that IT MSPs should do.
Where is the line between IT services and security services?
Friction between client and IT MSP manifests immediately when these activities are brought up:
- Client questionnaires
- Vulnerability/penetration testing
- Compliance (e.g. audits, reviews, reporting, corrective action)
- Security policies
- Vendor risk assessments
IT MSPs are not responsible for any of these areas. The list is actually much bigger, but consider these the frequent offenders. As you might guess, this is where MSSPs come into play.
What is Managed Security?
To simplify, managed security services usually come in two flavors: Virtual CISO and Cyber Defense. The following distinguishes the two at a very high-level as a conceptual illustration. In practice, these are mixed and matched.
What are Virtual CISO services?
- Formal Cybersecurity Program, Policies, and Standards
- A CISO and/or Cybersecurity Team
- Assistance with External Audits, Client Questionnaires, and Remediation
- Executive-level Advisory including Strategic Roadmap & Risk Management
What are Cyber Defense services?
- Vulnerability Management and Penetration Testing
- Security Monitoring and Incident Response
- Advanced Cyber Defense Technologies
Both may include:
- Program Reporting with Metrics and KPIs
- Regular meetings with Management and Annual Reviews
- Security Architecture and Design
By shifting perspective, an organization should see that MSSPs exist to help with security in ways that IT MSPs cannot. Upon this realization, businesses can reverse course to avoid problematic role confusion. Such confusion can be damaging, resulting in a loss of business revenue from a key client or financial penalties due to compliance failures.
Conclusion
Explained properly, it becomes clear where the lines should be drawn. We reach the conclusion that IT MSPs do not cover many security areas. Businesses cannot expect IT MSPs to provide cybersecurity services. It is not their job to do so. Similarly, businesses cannot redirect security questionnaires and third-party audits to IT MSPs. As such, businesses should engage MSSPs for their security, risk, and compliance needs.
We’re here to help!
When it comes to cybersecurity, most businesses need expert advice to navigate the waters. By engaging with a company like Secureside, you get exactly that.
Please reach out to us directly or visit our website: