Someone asked me recently how they should go about becoming more security aligned with their MSP offering. Beyond the obvious skills to acquire, either through learning, certification, or hiring, I thought more about the product offering and how to structure offerings so that they were more “defensible”. What do I mean by defensible? Basically, it means that the MSP can show that they created a service offering that aligns with an accepted cybersecurity framework, show how that offering meets or exceeds the framework controls, and show that it was followed through. Now, I am the first to admit that I am not a security expert. My strength is in operations, efficiency, and marketing. So why did I write a blog about this? I am so glad you asked.
If you look at the statement above regarding the three ingredients of a defensible offering, only one of them requires security knowledge. The other two are basically operations. You can borrow the framework that works best for you and then apply it to your offering. After that, it is more about building and documenting processes for the actual service delivery.
Here is my recipe for building a defensible offering.
- Choose a Framework
- Include Compliances
- Build Offerings
- Define Delivery
- Choose Tools
- Document Processes
- Train ALL the People
Let’s break these down quickly.
1. Choosing your framework is important, but which one you choose is subjective and could vary based on your geopolitical circumstances. What matters is to pick the one that is most relevant to you and your clients. The reason it’s important is that when your client has an incident, you can show that what you were delivering was based on a recognized standard.
2. You must also consider any compliance requirements from your clients. This could include things like HIPAA, PCI, GDPR, or even their cybersecurity insurance checklist. Start by getting a copy of the carrier’s checklist from every client.
3. Build your offerings based on what is required of the framework and compliances plus the IT deliverables you plan to offer. Don’t forget that even though we are trying to make things more secure for the client we still need to solve their business problems too.
4. Next, define your delivery. What do I mean by this? Define how you want to deliver those services and what success looks like. You might also want to consider what bad service delivery looks like so that you know what to stay away from.
5. Now you can choose your tools. Yes, I am a vendor, and I did not tell you to pick your tools first. Will wonders never cease. Anyway, now that you know which services you offer and how you want to deliver them, you can pick the tools that align with that delivery.
6. A very important step is to document all the processes required to deliver those services and use those tools. Without documentation you can only say that you built offerings that align with a cybersecurity framework; documentation shows how those offerings should be executed. This is required so that everyone understands exactly how to execute on those offerings every single time.
7. That brings me to my last ingredient, TRAIN ALL THE PEOPLE. People are 99% likely to be the cause of an incident. You cannot defend what you did if you do not train your employees and your clients’ employees…regularly. The good news is that there are services for this, or you can do it yourself. Whichever you choose, make sure you include it in your price/profit calculations.
Those ingredients should help you build a defensible offering. I know I left out a lot of specifics; that was on purpose. I am not a security expert, so get the details from one. I left it open for you to build it uniquely to your MSP and how you do business. But if you follow this model and then follow through with delivering and documenting that delivery, I believe that you will set yourself and your clients up for success.
My final tip: Always include an extra five to ten percent margin to accommodate mid-year additions of tools or services. You should always have the wiggle room to add the necessary protections without going back to the client to ask for more money.