Ask an MSP Expert

Q: Our MSP is known for its robust and affordable cybersecurity. I’ve heard, however, that MSPs should outsource their own cybersecurity. What are your thoughts?

MSPs have recently suffered a spate of cybersecurity glitches that have cast a spotlight on their own vulnerabilities.

For instance, in December, a major MSP headquartered in California suffered a ransomware attack and paid the ransom to get their business operations back online swiftly. This MSP was in charge of their own cybersecurity. Might the outcome have been if they had outsourced?

This is one of these questions that could be answered a few different ways. For some perspective, we consulted with Anne Jenner, who handles marketing for a couple of MSPs in the Pacific Northwest.

Be thoughtful when outsourcing cybersecurity

The answer to this question will depend on several factors, but the outcome can be favorable. Doing the right due diligence, Jenner suggested, MSPs may decide that farming out their security may make more sense.

The most compelling reason to manage your MSP business’ internal security in-house, would be to standardize your practices with those you put in place for your customers. After all, if you can’t offer strong cybersecurity for your organization, how could you possibly tout your cybersecurity credentials to others? You want to be able to stand by your skills and brand, and one of the best ways to do this is to promote how well it protects your network and servers.

If you are going to outsource your MSP’s cybersecurity, you may want to have someone on staff (whether your own or the vendor’s) doing basic monitoring, otherwise you can develop a false sense of security. Data sensitivity is another issue MSPs should consider.

When considering how to move forward with their cybersecurity offering, MSPs need to evaluate and figure out what is limiting them, Jenner points out. Is it manpower? Budget issues? Hours? By identifying whatever is keeping you from providing your cybersecurity, you enable yourself to fix it. There are several common obstacles that can be addressed by securing a strong external provider.

Outsourcing a cybersecurity offering removes the MSP’s need to train, schedule, and retain staff for those security service offerings, which creates significant savings in both budget and time. Ideally, the MSP will also remain informed of what is going on from a security standpoint, via comprehensive reporting from their vendor that will give them peace of mind knowing their security is following the best practices the MSP can advertise to their customers.

Too close?

“The most powerful argument I can find for outsourcing your own cybersecurity is simply to have a fresh set of eyes on your systems,” Jenner states.

And MSPs are not alone in this. Sometimes, for instance, an artist simply has too much of themselves invested in evaluating its qualities objectively. Another example is a chef who is too close to the stew to be tasting it. There’s a “closeness” that develops with any job, profession, or craft that requires the discipline and foresight to “step back” and see the big picture, Jenner says.

“I find this is especially true with smaller MSPs,” Jenner adds. “Larger MSPs have an opposite issue; they can sometimes get so caught up in ‘following the manual’ that they overlook simple fixes, and that can lead to institutional inertia,” Jenner points out.

“Still, if you are a smaller MSP and you feel like you are stretched too thin, and cannot objectively evaluate your own cybersecurity on yourself, then perhaps an outside entity is of value,” Jenner advises.

That doesn’t mean your MSP should use a cookie-cutter approach. Precisely as a good MSP will tailor their cybersecurity program to their customer’s requirements, MSPs should tailor their own cybersecurity to their unique footprint.

What to look for in potential vendors

When identifying a vendor to outsource your MSP’s cybersecurity offerings to, there are a few key characteristics and indicators you should be searching for. A vendor with an experienced history and a rich track record of success is one of the most obvious indicators for a successful security outsourcing partnership.

As mentioned before, your vendor should be generating comprehensive reports that you can showcase to your customers to give them the peace of mind that you are on top of all security concerns. These reports will also demonstrate the value of your MSP’s work to your customers in a way that they are better able to digest and understand.

Your MSP will want a vendor with a well-rounded security offering, with several solutions working together to stop all varieties of threats in the current threat landscape. A well-rounded offering will not just make life easier in the immediate short-term, but will also be best equipped to handle any new threats that emerge in the future. Of course, a vendor that offers training and other enablement resources related to cybersecurity, either to your MSP or its customers, would also make for a desirable partner to outsource security to.

MSPs who suffer a breach often can suffer irreparable harm to their reputations, not to mention exposing themselves and their clients to costly liability. MSP clients expect their data and networks to be kept safe. The first step in doing that is making sure yours are safe.

Photo: StunningArt / Shutterstock

Kevin Williams

Posted by Kevin Williams

Kevin Williams is a journalist based in Ohio. Williams has written for a variety of publications including the Washington Post, New York Times, USA Today, Wall Street Journal, National Geographic and others. He first wrote about the online world in its nascent stages for the now defunct “Online Access” Magazine in the mid-90s.

Leave a reply

Your email address will not be published. Required fields are marked *