The Argument for MSP-Specific Cyber Standards
Ten years ago, I wrote an article in the Wall Street Journal arguing for a “universal standard” for cloud computing. While a lot has changed in the last decade, the need for standards has not. There are many standards related to Information Technology (IT), but each has its own focus and area of expertise. The same is true for cybersecurity standards.
MSPs operating today have a unique and complex array of business challenges with which to contend. I say business challenges because I view cybersecurity and compliance as largely business issues demanding business solutions (compared to purely technical decisions capable of being made at a purely technical level). MSPs must first have their own standards in place before they can turn their attention to the standards impacting their clients.
Looking back at the WSJ article, there are several advanced concepts I raised. I say advanced because they were certainly ahead of their time. Today, just as 10 years ago, MSPs need to understand the argument behind a global cyber standard, and then be able to apply those internal standards to the work they perform for their clients.
MSP/Cloud Verify, the Global MSP Standard
No matter where you operate, and regardless of whether you are a traditional MSP or a SaaS provider, the MSP/Cloud Verify is the standard for our global profession. It does not matter where you practice; you need a consistent framework. It is particularly important to understand, and be able to separate, the internal MSP or SaaS framework you use from the standards or compliance requirements of the clients you serve.
Client-Specific Cyber Standards
Once you have implemented and confirmed your internal controls and framework, you can then get on with the work of securing your clients. Depending on who those clients are and the types of services you offer, you may want to modify your core controls and policies to satisfy those client-specific requirements.
It is important to note that, despite what may be a prevailing belief amongst MSPs, you should have a core set of controls, policies, and procedures regardless of the compliance needs of your customers. This is both important and true because MSPs cannot rely solely on the compliance requirements of their clients to satisfy the internal needs of the MSP. If you are wondering why, it is because none of the client-facing cyber standards ever contemplated MSPs.
Understanding this critical point will go a long way in helping you separate your internal, MSP-facing controls, policies, and procedures from those which matter most to your clients.
MSPZone Reading Material: Senate passes cyber bills to address supply chain security, aid state and local governments (scmagazine.com)