IT takes a Village…

In the past the Managed Service Provider could typically deliver a complete service without engaging with other partners. By deploying a fault-tolerant system, protected behind a good firewall, and managed by a good RMM, the MSP pretty much had their clients covered.

 

However, those days are over. The landscape has changed dramatically in the past ten years. Even the smallest clients require services that span beyond what most MSPs can deliver alone. Many of the services offered by MSPs today are hosted by major cloud service providers. Even basic cybersecurity services require technical skills beyond what many MSPs have on staff. And most MSPs are not adequately equipped to properly respond to a sophisticated cyber attack.  

 

MSPs now must determine which services they can deliver with their own in-house talent and which they should rely on an external partner to provide.

 

The first step is to take an honest look at the capabilities of the current staff. Typically, the MSP has a team that is well versed in deploying infrastructure, monitoring performance, managing failures, and remediating network issues. They are also comfortable implementing and managing basic firewall protection, antivirus, web-filtering, and perhaps an EDR solution. However, advanced security services such as managed SOC, SIEM, and forensics typically fall outside of the capabilities of the typical MSP. Likewise, auditing and compliance skills are generally not found within the average MSP.

 

Clients, however, are looking for a one-stop-shop. They do not want to manage multiple relationships. It is up to the MSP to develop the partnerships necessary to deliver a seamless solution to the client.

 

The MSP should identify those organizations that complement their capabilities and can offer a tightly integrated service. These may be a local MSSP or a global SIEM/SOC vendor. They could include a small compliance and audit firm. It doesn't matter as long as the selected partners provide quality service and can work in tandem with the MSP.

 

The MSP must also develop relationships with others to provide a complete solution. The changing landscape of the managed services business demands that the legal and contractual relationship between the MSP and client keep pace. MSPs can no longer rely on the brother-in-law who runs a legal practice to properly manage their contract stack. Managed Service Providers should be working with a law firm that specializes in the technology industry. The Master Services Agreement will likely change on a regular basis in order to address new requirements and services. New and existing clients need to be able to agree to those changes as they are introduced. The MSP must develop a system and process that ensures all clients are kept abreast of and agree to changes as they occur.

 

The need for cyber insurance has never been greater. The MSP must be working with an insurance carrier that can provide a comprehensive Tech E&O/Cyber insurance policy. Likewise, the MSP should be requiring that all of their clients carry first-party cyber insurance as part of their MSA. This need has given rise to a new breed of insurance carriers that specifically work with MSPs to provide insurance to their clients. This is not to say that the MSP "sells" the insurance to the client; it simply facilitates the transaction. The MSP implements security controls prescribed by the insurance carrier to support the policy.

 

The MSP should have a relationship with a professional forensics team that can investigate potential breaches on short notice. Be aware, however, that, in the event of a major security breach where an insurance claim is likely, the insurance carrier may have their own forensics and legal team for the MSP to work with. The MSP should work closely with their insurance carrier for guidance on the proper response to potential security breaches.

 

The old saying "It takes a village…" comes to mind when thinking about the delivery of managed services in today's world. Few organizations can truly offer a complete solution alone. It takes a series of partnerships and business relationships to provide the level of service demanded.

 

OTX Roundtable

 

The adoption of a formal cybersecurity framework is a lengthy and laborious task. It is difficult to keep the goal front and center in the unpredictable nature of the MSP industry. OTX Roundtable GRC was created to offer a supportive environment for MSPs to create a security and compliance-centric culture within their practice. Members are committed to achieving compliance, support each other in the effort, and hold each other accountable to meeting the requirements. Find out more about joining OTX Roundtable GRC here
