In the last 20 years, there has been a slow change in how the business approaches the management of the ICT component.
As business and technology changes there have been significant changes in the management process of these systems. The more complex and costly the systems the more dedicated the support has to be. We have gone from onsite support from staff (I know computers) to off-site support from a service provider.
SME’s no longer have the resources available to manage their ICT and a new breed of company has been slowly taking more and more control over these parts of your business.
Managed Service Provider (MSP)
Originally these organisations were known as ICT or IT companies. They were usually run out of hardware and software stores and were more focused on those areas.
It was eventually realized that just managing the hardware and software of small and medium business and not for profit organisations was not enough. When technology broke, the most organisation still could not afford a technician to come to the site and an IT company need to make their resources go further.
The managed service provider did a number of additional things:
- They had systems that remotely monitored and managed (RMM) the technology within the organisation. This allowed them to give feedback to the clients in the way of comprehensive reports on their network
- They had helpdesk capability to fix issues as they arose from the RMM systems or issues that arose from the users.
- They started to become proactive, not reactive.
- In a number of ways they even became vendor managers. They looked after their clients from the internet down to the user.
Managed Security Service Provider (MSSP)
The business has changed and the requirements for ICT support have changed, the MSP needed to do more.
To be competitive and to be more productive they started adding on services. These services included if not delivered by the MSP:
- off site backup,
- managed firewall,
- web application firewalls,
- web site management,
- managed Anti Virus and many more.
In most cases, they were a bolt-on action to the MSP requirements and were supplied to maximize profit and reduce cost. In a large number of situations, the customer was not getting value for money because the MSP was tied to a specific vendor.
In the last 5 – 10 years, the bigger the perceived problem with security was the more clients were going to purchase systems from their trusted advised – their MSP. Once again increasing profits by reducing costs.
Any MSSP that does this is actually exposing their clients to huge problems. Most of the service level agreements (SLA) reduce this down to “all care no responsibility”
Managed Business security service provider (MBSSP)
SME’s and NFP organisations needed to approach business security in today’s business world from a new direction.
Business security has to be approached from the top down. Management and board members HAVE to get involved. Your MSP or MSSP who is not recommending risk management and cybersecurity frameworks is in fact doing a huge disservice to your organisation.
Risk management and a risk management process looks at all of the risks to the organisations and allows you to think and work through the process and deliver strategies to protect the organisation. It includes the ICT and technology area but there is so much more that has to be incorporated into a risk management plan.
The second part is a cybersecurity framework. A framework does a number of things:
- It focuses management on the required tasks to secure the organisation.
- It removes knee jerk reactions to perceived threats.
- The more you implement the framework the more secure your organisation.
- It has to be done with the involvement of all areas of the organisation from management down and from coal face up.
- It can be managed with reduced costs, expertise and time constraints
Most frameworks have a baseline requirement. When you start to implement the framework you have to know how secure you are before you can start to improve. The baseline also allows you to look at priorities within the organisation.
If your organisation is still using an MSP or an MSSP to manage your security without looking at the risk components or without implementing a cybersecurity framework (we recommend the National Institute of Standards and Technology (NIST) cybersecurity framework) then you need to rethink your business security requirements.
Talk to an organisation that is focused on MBSSP capability.
Secure your business!
Do the scorecard!
Read your report!
Link to scorecard https://caremit.scoreapp.com
#ceo #ExecutivesAndManagement #ProfessionalWomen #CareMIT #cybersecurity #infosec