How to Choose a Security Partner: A Guide for Managed Service Providers
The reality of a world of always-connected customers and cloud platforms is that hackers are overwhelmingly targeting managed service providers. The main question posed in that article was how managed service providers could protect their clients with proper security measures. Here, we want to take this a step further and suggest that managed service providers should look for a security partner who can support not only the MSP’s own security but also the security of its clients.
Picking a security partner isn’t as simple as working through a Google search, however. The right fit will depend on how mature and robust the partner’s own security practices are, and on whether their tools and expertise are geared toward helping your clients grow.
Defining Your Security Needs
Managed service providers have unique needs, and that makes it all the more important to define those needs precisely. As an MSP, you’ll have to consider not only your own security requirements but those of your clients as well.
One of the biggest challenges for MSPs is remaining ahead of regulations and compliance requirements in whatever industry they, or their clients, function in. Regulations can change rapidly, and the technologies or processes needed to meet those regulations change faster.
Meeting compliance isn’t just about replacing equipment, however. Depending on the kind of compliance and reporting needed (HIPAA, SOC 2, FedRAMP, etc.), a company might need a significant audit of their network and compliance profiles. This calls for a different kind of expertise.
Different equipment will also call for different security needs. If you or your clients rely more on mobile devices or laptops, then a security profile might also include significant requirements for protecting and disposing of PII or PHI.
Finally, you may or may not have the people or the experience in your organization to actually manage these security audits, and building such a department in-house could prove cost-prohibitive.
What Should a Managed Service Provider Know About Security and Compliance Before Selecting a Partner?
There are several kinds of security providers available, each focusing on one or more aspects of security and compliance. Some of the areas that these partners may focus on include:
- Testing (like penetration testing or assessment)
- Implementation and design for security systems
- Compliance assessment and documentation
- Regulation and standards certification
- Development and management
There are also companies that develop unified threat management solutions that encompass several of these areas rather than developing point solutions for one or more.
While that breakdown seems relatively simple, the reality is that extending those services to the complex work of any business requires a level of expertise that many companies, large or small, do not have. Databases, internal networks, and mobile devices all give hackers different ways to attack a system and gain access.
In terms of security and audits, there are three primary approaches:
- First-party audits are audits that you perform yourself.
- Second-party audits are usually performed by an outside partner with whom you have a contractual arrangement. Typically, you’ll only find yourself undergoing a second-party audit if one of your clients performs their own (probably industry-specific) audit on one or more of your processes or controls related to your service for them.
- Third-party audits are performed by an independent external party who verifies compliance within your company.
What many managed service providers find is that maintaining a dedicated compliance and audit team can become costly and time-consuming. One of the benefits of having a third-party security partner is that they usually provide both the expertise and the tools that can make audits and compliance more effective and less expensive.
This isn’t about cutting corners. The cornerstone of any MSP business is long-term, meaningful client relationships, and a key part of cultivating those relationships is keeping client data secure. Keeping security as tight as possible therefore means committing the time, resources, and expertise the problem demands, so that you can meet the security challenges that are evolving in the wild today.
A third-party partner, therefore, can provide a business with a comprehensive plan for compliance, risk management, and security requirement implementation. These partners are experts in security more broadly, and within specific industries depending on their focus and the needs of their clients.
How to Assess a Security Partner
Assessing a security partner means getting down into the specifics of how that partner addresses the needs and challenges of your and your clients’ industry.
First, start out by answering specific questions:
- What industry certifications does your partner have? Any partner you work with should hold the key certifications and be able to perform audits based on the requirements of specific industries. For example, if you or your clients provide cloud services to federal government agencies, then more likely than not you’re looking at a need for FedRAMP certification. Likewise, additional government technology work will probably call for compliance with NIST standards (the 800-series publications) to provide basic digital services. Healthcare businesses will almost certainly need a partner familiar with HIPAA certification. Retailers, or anyone taking payments, will look into PCI DSS certification. The basic idea is that any partner you work with should be certified in the standards and regulations of your industry.
- What is their emergency response plan? Do they have one? When a security emergency strikes, any partner should have a robust and mature emergency response plan to deal with it. How do they disclose security breaches, and in what timeframe?
- What are their threat management and intelligence programs? Mature security companies will have clear and ready evidence of the security of their internal controls and software platforms. Do they provide the results of audits? Do they have first, second, or third-party audits performed on a regular basis? Do they have stable and secure software development processes in place?
- What modern tools do they use to provide security and compliance? There are several platforms and tools that companies use to support compliance and security. Some of these, like encryption and data masking, firewalls, SIEM, etc., have been around for a while. But compliance and security are about more than immediate control measures. They are now about maintaining compliance across all infrastructure and systems. Modern tools like AI, machine learning, automation, and cloud computing platforms are transforming compliance from the ground up. Take account of how your partner would work through compliance reporting and data gathering. It’s not unknown for regulatory compliance audits to take weeks of work and tens or even hundreds of thousands of dollars to complete. With the right tools, a partner can deliver compliance and reporting at a fraction of the cost.
When assessing a third-party partner, focus on certifications, tools, and processes. Certifications demonstrate expertise in your industry and the industries of your clients, and the ability to actually perform a proper audit. Processes show you that the company can respond effectively to problems within the scope of industry regulations. Tools give them, and you, better ways to track compliance and risk across your MSP business.
Outside of these, it’s always a good idea to ensure that any third-party partner you work with has some understanding of wider-ranging security standards. An agency that can perform SOC 1 and SOC 2 audits can help with a variety of additional security concerns, and if that same agency can support GDPR compliance, you have a gateway to support clients in the European Union.
Continuum GRC is a security platform built by experts to support the highest standards in cybersecurity. Call 1-888-896-6207 to talk more with the experts about your governance, risk management, and compliance needs. We help you, and your clients, stay secure.