Networking, MSP, Content, Security Staff Acquisition & Development

MSP Ecosystem Embraces Physical and Virtual CISOs

Credit: Getty Images

Full-time chief information security officers, virtual CISOs and associated technology startups are popping up across the MSP software industry -- leading a multi-year journey that is starting to deliver improved MSP industry security and enhanced risk mitigation.

The backdrop: As ChannelE2E warned in 2019, the MSP industry was facing a Judgment Day amid supply chain cyberattacks against software companies and their MSP partners. Things got worse before they got better -- as exemplified by the SolarWinds Orion and Kaseya VSA ransomware attack disclosures of December 2020 and July 2021, respectively.

Still, we're seeing real progress in the MSP cyber market. The evidence:

  1. On the technology front: Two-factor authentication (2FA) is increasingly the norm for MSP-oriented software platforms. Also, cyber resilience platforms increasingly blend security and data protection. And endpoint security has evolved from traditional anti-virus toward Endpoint Detection and Response (EDR). Next up, MSPs are embracing Managed Detection and Response (MDR) and perhaps even eXtended Detection and Response (XDR) -- though partners should be careful of the XDR hype wave, which continues to build.
  2. On the people and process front - CISO Impact Expands: Meanwhile, MSP software companies are hiring and/or naming CISOs to oversee overall cyber-protection and risk mitigation. The effort extends from infrastructure, data and employee security all the way to software development best practices.

MSP Software Gets Serious About Chief Information Security Officers

  • ConnectWise this week named Patrick Beggs as CISO amid a larger company reorg. The real ConnectWise inflection point arrived around March 2020, when the company changed its security tone and commitment for the better.
  • Datto CISO Ryan Weeks has been in place since January 2017. Basically, the MSP-focused technology company ramped up its security team and associated best practices long before the Datto IPO of October 2020.
  • Kaseya 2021 hired FBI veteran Jason Manar as CISO. The hire came after Kaseya suffered a ransomware attack in July 2021. Manar previously was Assistant Special Agent in Charge for the FBI, overseeing all cyber, counterintelligence, intelligence and the language service programs for the San Diego office. Side note: Manar is scheduled to speak during this SC Media virtual event that runs Feb. 22-23.
  • N-able named Dave MacKinnon as chief security officer just ahead of the company's spin-out from SolarWinds in 2021. Also ahead of that spin-out, N-able carefully audited its code base and development practices to confirm the company was not hit by the SolarWinds Orion breach.
  • NinjaOne in February 2022 announced Mike Arrowsmith as its new chief trust officer to "take the lead on all security and IT initiatives for NinjaOne, with early priorities focused on scaling and aligning the company’s internal teams and resources."
  • Whom did we miss? Drop me an email ([email protected]) and we'll keep the executive in mind for future ChannelE2E and MSSP Alert content.

Virtual CISOs: MSPs, MSSPs and Software Companies

Meanwhile, the virtual CISO trend is also taking hold across the MSP market. Interestingly, the trend involves people as well as technology.

On the people side, it's safe to say vCISOs are close cousins to the long-established vCIO trend in the MSP sector. Experts like Gary Pica of TruMethods have long evangelized the need for MSPs to offer virtual CIO services to end-customers -- essentially, a trusted advisor to help SMB customers align their business and technology strategies for growth.

Yes, MSPs and MSSPs increasingly have vCISOs. For instance, Trusted Internet — a Top 250 MSSP for 2021 —aligns its project managers with vCISOs to scale its own business.

Meanwhile software startups are jumping on the vCISO trend. For instance, Cynomi has launched a Virtual CISO Platform for service providers and SMBs and $3.5 million in seed funding. The company plans to engage MSPs and MSSPs that want to safeguard SMB customer systems.

Where do we go from here? We'll be seeking the next round of MSP security questions and answers at the Right of Boom 2022 conference in Tampa, which runs February 9-11.

Joe Panettieri

Joe Panettieri is co-founder & editorial director of MSSP Alert and ChannelE2E, the two leading news & analysis sites for managed service providers in the cybersecurity market.