With data theft and extortion on the rise, and governments moving to increase regulatory requirements, Small and Medium Businesses (SMBs) are under increasing pressure to improve their cyber security posture. As SMBs rarely have in-house security capability, they must partner with an experienced cyber security firm to achieve this. For most, the obvious choice of security partner is their Managed Services Provider (MSP). In this article, I discuss why this is only part of the solution and how third-party governance can help you get the most from your MSP and your security spend.
Your MSP seems like a natural place to turn for cyber security advice because they understand the technology you use and provide most of your security controls, such as anti-virus software and firewalls. But there are several problems with this. Firstly, this is a technology-focused approach. MSPs are great with technology. And technical controls are a large part of an effective Information Security Management System (ISMS). But cyber security is about much more than technology. At its core, cyber security is risk management, which is a business function, not an IT function. Cyber security starts with understanding the business, its systems and assets, and what impact loss of those systems will have. It’s about understanding the risk environment and the risk appetite of the organisation. Only once we understand these things can we know what needs to be protected and where finite security budgets are best allocated.
Yes, your MSP may offer such services, perhaps in the form of a virtual Chief Information Security Officer (vCISO) service. But there is something disconcerting about your technology provider telling you to implement security controls that they just happen to sell, isn’t there? Which brings us to my second point: when you don’t fully understand the technology or the proposal your MSP is putting forward, and they stand to make money from the outcome, it is very difficult to trust their recommendations. This lack of trust can erode the relationship between the business and the MSP, which is a big problem because a good relationship with your MSP is crucial to good cyber security.
Another problem, and perhaps the biggest, is accountability. If your MSP is providing the security advice, developing the security strategy, and selling and implementing the solutions, who is holding them accountable? Is this not a bit like them umpiring their own game or marking their own homework? Again, this will erode trust and damage the relationship, leading to poor outcomes.
To achieve the best results, it may be prudent to engage an external consulting firm to provide governance and oversight. This third party should be an impartial observer who understands both your business and the technology. They should be technology agnostic with a sound understanding of both cyber security and Governance, Risk, and Compliance (GRC). This should be a third party that doesn’t stand to profit from the recommendations they give.
Such a partner provides multiple benefits. Firstly, by operating at the business level rather than the IT level, they can help you understand your business risks and align your cyber security strategy and tech spend to those risks, ensuring your cyber security strategy is driven from the top down, rather than the bottom up. That is, they can ensure your cyber security strategy is led by your business needs, not by the technology.
Secondly, they can help bridge the knowledge gap between you and your MSP. A good consultant will be able to translate business problems into technology solutions, providing the MSP with clear objectives and accurate requirements that are supported by sound business cases. They will also help the business understand technical problems and solutions put forward by the MSP. Through this fostering of mutual understanding, they help increase the efficacy of the relationship between the business and the MSP, driving better business outcomes.
Thirdly, an impartial observer will be able to hold the MSP accountable and provide assurance that your cyber security posture is at the desired level and meets relevant regulations. This is done through cyber security maturity assessment and auditing of security controls. In the event of a breach, having this type of third-party assurance and oversight will also help you, and your MSP, demonstrate due diligence and due care.
The upshot of all of this is that you will have an improved security posture, assurance that your cyber security strategy is aligned to business requirements, and you will get the most out of your MSP. This last point should not be underestimated. A good relationship with your MSP is extremely important to effective cyber security. After all, they are likely to be the ones monitoring for and responding to security events. If you don’t fully understand the technology and cyber security yourself, or don’t have the internal capability to audit your cyber security controls, engaging an external consulting firm to provide governance and oversight may be a good investment.
Author - Michael Hodson, Senior Cyber Security Consultant