The Power of Peer Pressure
When we were teenagers we were taught not to succumb to peer pressure. As our friends were pushing us to try cigarettes or drink alcohol, we were told to hold fast and resist the temptation. Peer pressure, back then, was generally a bad thing full of negative consequences.
In adulthood, however, peer pressure can be a force for good that can motivate us and hold us accountable to our goals. Within the MSP industry there are many peer groups where members share goals of growing their business and meeting certain metrics. These are usually financial benchmarks around maximizing profits and improving performance. Members report progress towards those goals at quarterly meetings. Members hold each other accountable to meeting those goals and contributing to the collective success of the group. You don’t want to be the member that is not hitting their goals or at least making progress. In fact, in some cases, members that consistently miss their goals risk being expelled from the group. This peer pressure keeps members on task and forces them to prioritize profits and performance ahead of the day-to-day distractions that we all face.
As the MSP industry becomes riskier each year, it is important we start prioritizing risk management, compliance, and cyber security ahead of other distractions as well. Regulatory requirements such as HIPAA, CMMC, GDPR, and others are forcing MSPs to formalize their approach to security and compliance. For years MSPs have signed Business Associate Agreements (BAA) with their healthcare clients stating that their practices are compliant with HIPAA guidelines. However, if MSPs were audited for compliance with HIPAA, most would fail. For the past several years Managed Service Providers doing business with Defense Industrial Base (DIB) contractors that handle Controlled Unclassified Information (CUI) have been required to comply with the NIST 800-171 standard. This was a self-assessment and self-attestation process. However, in a 2019 report, not a single organization was 100% compliant. The average organization had only implemented 39% of the required controls. Thus, the government has created the Cybersecurity Maturity Model Certification (CMMC) program. Although it is still a bit of a moving target, all companies in the DIB, including MSPs servicing them, will have to complete a certification process to prove compliance with CMMC. This is likely the first of many requirements to prove compliance coming to the MSP industry.
Attaining compliance with any standard is difficult. It is a long and laborious process of assessing the current state and performing a gap analysis between the current state and full compliance. Policies and procedures need to be developed and documented. Then the organization must prove that due care is being taken; in other words, that your policies and procedures are being followed by your employees. This requires a cultural shift within organizations whereby daily compliance with policies and procedures is ingrained within the company.
Compliance cannot be outsourced. Managed Service Providers can hire consultants to craft policies and develop procedures to meet controls within a standard. However, it is unlikely a consultant can affect the culture of a company to make cybersecurity a top priority.
Keeping compliance goals on the front burner can be a challenge. The daily flow of distractions often takes our eye off the ball. Having a peer group of like-minded companies with common goals is of great benefit. Members hold each other accountable for implementing certain controls by certain dates. Members report on their progress quarterly and share challenges and successes. Policies and procedures are shared. Collectively the group amasses a library of practices and a common set of knowledge for the group. No matter the standard, the members progress through the process of attaining compliance together.
OTX Roundtable was created to provide a peer-based environment where MSPs can work together to achieve compliance and certification. If you are looking for a peer group focused on risk management and compliance, please reach out.