Against a backdrop of constantly evolving cybersecurity threats, it’s essential that MSPs understand how to own the risk conversation if they are to really help their customers effectively manage their security posture.
In this blog, I want to look at what we mean by “owning the risk conversation”, and how MSPs can achieve this.
For me, I look at it from the perspective of my own job. When most people think about their security team, they view them as the team that effectively says yes or no to projects or requests. However, in reality, our job is far more complex than simply saying yes or no to something; it starts with assessing and quantifying the risk of that request.
When faced with a proposed project, we need to look at what the risk is to the business, our partners, and our partners’ customers. Ultimately, any business decisions need to be made based on what our company’s risk tolerance is as it relates to the risk itself.
I'm in the fortunate position of working for a mature organization that understands these business risks. We understand what the potential impact a cybersecurity incident could have on our business, and I'm working across the organization with folks who have insight into how our end-to-end operations work.
For the majority of MSPs, things are often a little bit different. MSPs are supporting those end-to-end operations for their customers and have a clear and concise understanding of a large number of the technologies and controls that support those businesses. This means they also understand the threat cyber-attacks pose to their effective operation. On the other hand, the business owners themselves often may not actually have that understanding. So, a critical part of the MSP’s role is to not only identify risk for their customers, but also to effectively communicate that risk to them.
Moving the focus from how to why
Communicating that risk to your MSP customers ultimately helps you shift the conversation away from talking about ‘how’ a specific technology will protect their business to ‘why’ they need that specific technology at all. One of the toughest challenges with security evolution is that there is no clear finish line. Companies may feel like they’re able to invest and get to a point where they're done, but the reality is that's not how security works: the risks are ever evolving, and so their investments into mitigation and protection needs to evolve with it.
This can make the constant evolution of the security stack an awkward conversation to have if the customer doesn’t understand how their risk has changed. However, when you need to ask for more budget to upgrade hardware, to invest in different software, to add on EDR, or whatever the case may be, if the customer can see that you’re doing this to mitigate a commensurate level of risk for them, then it will make the conversation much easier.
It's not just telling them what they need, but explaining why they need it that makes the difference here:
- Why are we going down this path?
- What are we trying to protect you against?
- What risks are we trying to mitigate?
- And, how much could those potential risks cost the business both immediately and in the long term?
Where do you start with shifting to discussing risk as an MSP?
Performing a Business Impact Assessment (BIA) should form the foundation for your risk discussion. This will help you establish core security baselines, such as what parts of the business are most integral to its survival and therefore present the most risk and need the most protection; right the way through to how long critical systems and services can afford to be offline in the event of an outage? It’s important to remember that outage could the result of a number of things. It could be a piece of failed hardware, a SaaS service that’s unavailable, or a security event. So, an effective BIA should not only leverage a security lens during the assessment.
If a small doctor's office that does a lot of X-rays; how long can they afford for that X-ray machine to be offline? If they’re a small retailer, how long can they afford for their credit card machine to be offline? If they’re an accountant, how long can they afford for their email to be down and their website offline? Beyond these basic scenarios, each of those systems will have key supporting technologies—what are those and how long can the business afford for those to be offline?
From there the risk conversation becomes about what you can put in place to ensure the business can effectively recover in the defined time frame. Also, possibly more importantly, it becomes about what you can put in place to help prevent an event from taking systems down in the first place. This is where being able to explain things from a risk management perspective can really help you frame cybersecurity as a big value proposition for the business owner.
If you explain the ‘why’ not just the ‘what’, and how you’re trying to reduce any risk, it becomes a much more organic conversation. You’re not butting heads over costs now, instead, you're working together to keep their business successful and sustainable, and effectively enabling them to continue operating a profitable business.
A secondary benefit of performing a BIA is that it can provide you with a cybersecurity playbook in the event of a major security incident. It will help you to assign a real business value to different applications and systems, and determine an acceptable Recovery Time Objective (RTO) for each. From our example above, not all things may be as critical as getting that credit card machine back online. If your printer is offline you may be fine without it for several days; even a week. So not everything needs to be back online immediately when you have a critical issue—the BIA will help you figure out what order you need to bring those things back online to get your customer’s business back to full productivity.
Implementing a Business Impact Assessment
If you’re looking to get started with a BIA, there are plenty of templates available online, but my go-to one is the NIST framework, below:
- NIST: Using Business Impact Analysis to Inform Risk Prioritization and Response (a working guide to using the NIST BIA template)
- NIST BIA Template (A simplified and easy to follow template)
This gives you everything you need to start to transition to really helping your customer get to grips with their risk profile, and putting yourself in the best position to effectively manage that for them.
Dave MacKinnon (DMac) is Chief Security Officer at N-able. Follow Dave on LinkedIn. Read more N-able guest blogs here. Regularly contributed guest blogs are part of ChannelE2E’s sponsorship program.
