MSP Security: Threat Intelligence, Information Sharing Association Needed?
As hacker attacks against MSPs continue, vendors and service providers have been mulling numerous steps to raise the MSP industry’s overall cybersecurity defenses.
Among the key questions: Do managed IT services providers (MSPs) need some sort of third-party association or standards body to help define best practices or guidelines for risk mitigation?
No doubt, plenty of groups work in and around the MSP sector. Names to know include CompTIA, IoTSSA and MSP Alliance. Our own MSSP Alert website offers cybersecurity news, analysis, research and best practices for service providers. And thousands of MSPs, I suspect, have embraced the NIST Cybersecurity Framework to mitigate internal risk and customer risk.
Still, the MSP industry lacks an official, de facto Information Sharing and Analysis Organization (ISAO) and/or association. In stark contrast, more than 40 vertical markets and groups — everything from Aviation to Retail and Hospitality — have ISAOs to drive cybersecurity information sharing within highly focused markets.
The First ISAO for Technology Service Providers?
The MSP sector doesn’t have such a group. But help could be on the way. ConnectWise in August announced plans for a Technology Solution Provider ISAO. CEO Jason Magee has personally reached out to numerous industry peers and rivals — requesting their participation in the group. More details about the effort are expected at IT Nation Connect 2019, a ConnectWise conference that starts in late October.
Publicly and privately, numerous technology companies are taking a “wait and see” approach to the ConnectWise effort.
In private conversations with ChannelE2E, numerous technology executives applauded the commitment to driving MSP industry security forward. But some sources also expressed concern that the ConnectWise TSP-ISAO group will be vendor-led, rather than association-led.
MSP Security: Signs of Progress
Nevertheless, MSP technology vendors are seeking ways to cooperate even as they compete in the market.
Datto CISO Ryan Weeks and ConnectWise CISO John Ford, for instance, speak regularly about strengthening overall industry defenses — even as their employers counter one another on the sales and product fronts. Datto has also been working on multi-vendor cybersecurity strategies to educate the broader market, Weeks notes.
Meanwhile, Continuum, which offers numerous security services to MSPs, also is striving to move the overall industry forward in a cooperative way.
“I think it is smart to have the top platform providers “leave their guns at the door” and get united around these issues,” Continuum CEO Michael George told ChannelE2E. “[ConnectWise’s] Jason [Magee] asked me if we would be interested and my short answer was “yes.” Still, we want to learn more about what it means and how we will interoperate with one another. But it is smart and to the benefit of the entire MSP community.”
Continuum’s own cybersecurity efforts will be on display at the company’s Navigate conferences — which are set for October in Pittsburgh and Las Vegas. Also, ConnectWise is set to host a main-stage cybersecurity panel at IT Nation Connect 2019.
We’ll be watching and listening for more signs of progress, industry cooperation, and potential chatter about shared best practices for cybersecurity.