You must be careful when managing your cybersecurity portfolio. Otherwise, you could end up with a bloated solution stack or, worse for MSPs, margin squeeze. A proven security framework can help you get on the right track. My company was founded in 2008, and the MSP market was focused on core solutions that included remote management (RMM), antimalware (remember spyware programs?) and antispam. The newcomers on the block were business continuity and disaster recovery (BCDR) solutions that were vying for a place in our standard stacks. These were non-negotiables that became part of the services we provided to our managed clients.
Our stack evolved over time, especially in cybersecurity, because there was so much innovation in that area. Everybody who knows me well knows that I love the latest and greatest. I have been in corporate IT for a financial service firm, and also helped independent investment firms. I enjoy reviewing new solutions and introducing them to my clients. This serves two purposes. Customers are better protected. They also become trusted business partners. Even though the solution was intended for enterprise companies, it was still possible to push the square peg into the round hole and make it a success.
This approach can lead to a bloated solutions platform and, even worse for MSPs, margin squeeze. We admittedly didn’t do a great job of monetizing portfolio changes. We needed to find a better method to determine which products were included in our standard stack and which could be added to our premium stack. We delved headfirst into security frameworks like the NIST-CSF (Cybersecurity Framework), the Center for Internet Security 20 (CIS20), now the CIS18, MITRE’s ATT&CK framework, the Australian Signals Directorate 8 and others. These frameworks are a guideline for security programs and help to determine the minimum viable security stack of an MSP. These frameworks are updated to identify a maturity model at different implementation levels.
Protect, Defend and Respond to the Crisis.
The five NIST-CSF functions are a great place to start. They serve as the basis of the CompTIA Security Trustmark+: Identification, Protect, Defend and Respond. This framework outlines the policies, procedures and operations required for each function. These functions require you to find solutions. Some are products that you purchase; others are services that you contract or create; still others are processes and procedures your team sets in motion.
Some are proactive while others are reactive. The more reactive you are, the more resources you will need, whether your team is working with a third party or on your own. To help you plan, your vendor partners should be able to tell you how they fit into the framework. Some vendors might fit in one bucket while others may fall into multiple. It may be worth looking for a partner who can explain this level of detail to your vendor. Although the list is not comprehensive, it can be used to help you get started on updating your cyber stack to meet your current needs. While I will be focusing on products and services in this space, policies and procedures are just as important, if not more so.
You will find that fewer solutions will “check the box” if you look at your skills and requirements for each function. This means that you need to leverage people and documented processes to complete your stack. Tony Hsieh’s principle of “don’t outsource your core competency” is what I follow. However, that doesn’t mean you should not use other companies’ support for things that are outside of your expertise or prohibitively expensive to implement (such as a SOC). This doesn’t mean that you have to do this forever. Partnering can be a great way to test the market. It may be cheaper to use the services of a security provider to complement your team.
Focus on the process and identify the needs of your clients/verticals. Then, determine the controls you will need first, and then create the policy to implement that control. Sometimes a tool may not be necessary and it may be sufficient to create a policy and follow the procedures. It is worth investing in solutions and partners that save time.
Raffi Jamgotchian, founder and CTO at Triada Networks, is vice-chair of CompTIA’s Cybersecurity Community and a member of the CompTIA ISAO SME Champions Council.
For more information and to have a conversation about protecting your clients, join the CompTIA Cybersecurity Community.