Today, managed service providers (MSPs) face challenges around the clock from threat actors on a mission to infiltrate the data that MSP clients depend on for business survival. More often than not, these clients are unfamiliar with the risks that exist and assume their MSP provides cybersecurity as part of their service. While clients may assume that MSPs own the risk, there is an obligation to discuss risk ownership with clients and prospects.
In order to address this, cybersecurity education and culture should be the driving factor for organizations. These objectives should also include an alignment of policies, procedures, tools, pricing models, support mechanisms and incident response. Establishing and using a framework can address these tasks and take the guesswork out of planning, education and roadmaps for service providers.
What is a framework?
A framework allows for standardization of service delivery that improves efficiency and margin. Many organizations implement frameworks to establish a common language among themselves and clients. For example, frameworks allow you to align conversations with customers on what they want “good” to look like.
Why is having a cybersecurity framework so important?
When it comes to cybersecurity, a framework serves as a system of standards, guidelines, and best practices to manage risks that arise in a digital world. A cybersecurity framework prioritizes a flexible, repeatable and cost-effective approach to promote the protection and resilience of your business.
It’s important to realize that cybersecurity supports the growth of your business. Using a framework to align controls such as local, offline, and cloud backups improves resilience against attacks and reduces dependence on any single piece of hardware. As an MSP, the extra work of building out a process will fall on you, but it will allow you to hold your clients accountable and vice versa.
How do I know which framework to start with?
In order to decide on a framework, you need to determine which one best aligns with your client’s needs or what the industry follows. While one framework might not fit your business specifically, cross-referencing competing frameworks can help you decide what you need to focus on.
4 Cybersecurity Frameworks to Know
Identifying risks and understanding the proper actions to take can be difficult, even for a larger service provider. Fortunately, both government agencies and private industry have established frameworks for cybersecurity professionals designed to identify and close security gaps.
The NIST Cybersecurity Framework (CSF) was developed by private industry experts and members of the National Institute of Standards and Technology (NIST), a federal agency within the U.S. Department of Commerce. Using existing guidelines, standards, and practices, the NIST CSF focuses on five core functions: Identify, Protect, Detect, Respond and Recover. These categories cover all aspects of cybersecurity, which makes this framework a complete, risk-based approach to securing almost any organization.
The CIS Controls, built in the late 2000s, were created by an international, grass-roots consortium to develop a framework that protects companies from cybersecurity threats. The framework is made up of 20 controls that are updated regularly by experts from many fields, including academia, government and industry. CIS is ideal for organizations that want to proceed one step at a time: the controls are divided into three groups, and you begin with the basic controls, then move into the foundational ones, and finally the organizational ones. CIS is also a great option if you want an additional framework that is capable of coexisting with other, industry-specific compliance standards (such as HIPAA).
ISO 27001/27002, also known as ISO 27K, is an internationally recognized standard for cybersecurity published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). The framework assumes that organizations adopting ISO 27001 have an Information Security Management System (ISMS) in place. With that in mind, ISO/IEC 27001 requires management to systematically manage the organization’s information security risks, including threats and vulnerabilities. The framework then requires organizations to create and implement information security (InfoSec) controls that are both clear and comprehensive; the goal of these controls is to mitigate the identified risks. From there, the framework recommends that organizations adopt a continuous risk management process. In order to be certified as ISO 27001-compliant, an organization must demonstrate its use of the “PDCA Cycle” (Plan, Do, Check, Act) to the auditor.
The IT Nation Secure MSP+ Cybersecurity Framework provides the outline for a certification program for the MSP community. Based upon best practices and providing a journey of growth from baseline security elements to a repeatable and adaptive program, the MSP+ Cybersecurity Framework is designed as a resource to assess and enhance the cybersecurity posture and services provided by MSPs to their clients. It also serves as a verification and validation process to ensure that suitable cybersecurity procedures and processes are in place, along with the relevant cyber hygiene, to protect the MSP’s own systems, services and data, as well as those of its clients.
Outside the U.S., notable frameworks include Cyber Essentials (U.K.) and the Essential Eight (Australia).
Making the Decision
No one framework is better than another, and each has its pros and cons. The important thing to note is that whichever framework you choose, it can help structure your offering. You should also acknowledge that this process cannot be done all at once or in one day. Focus on standardizing on whichever framework aligns best with your business and your clients’ business, and set a path that allows you to mature over time.