It may sound contradictory, but one of the biggest mistakes we see in the security sector is people talking about security. This leads organizations to think they have to be secure, without a clear understanding of what “secure” actually means.
“Secure” also describes a binary state: either you are secure or you are not. You can make particular assets and systems more secure, but security as an absolute is not achievable. A reduction in risk, on the other hand, is both achievable and measurable.
When I’ve worked with companies to help them create a good security program, the first thing I do is focus on risk—how much risk are they under, how much risk are they facing, how do they mitigate that risk, what is an appropriate level of risk for their business, and how much risk can they afford?
Ultimately, the conversation always comes down to striking a balance between how much the company wants to spend and how much risk the board is willing to assume. There is no generic right answer here; it varies from company to company.
Planning for acceptable risk
Starting from a risk-focused conversation lets you help people define what level of risk is acceptable for their particular organization and timeframe, and plan to reach it. You can then define a program that reduces risk, has them spending an appropriate amount to move along that path, and lets them measure their progress toward their risk goals.
So, what does this mean for managed service providers (MSPs)?
This isn’t as big a step for solution providers as they might think. They already help their customers achieve their business goals and manage risk through the IT services they provide: keeping systems and networks up and running, making sure a solid backup and disaster recovery plan is in place, and removing technology barriers to doing business. The same concepts apply to security.
What MSPs do need is a thorough understanding of the business environment their customers operate in. Much of the risk analysis depends on the line of business they are in, what data they hold, and how attractive a target they are to attackers.
Risk analysis starts with high-impact things
When making this analysis, MSPs should start with the high-impact events, ransomware for example. What would happen if the customer were hit this way? Is it a minor inconvenience because they can simply restore from backup, or a major disaster that shuts the company down instantly and costs them thousands of dollars a day? Working through these disaster scenarios provides a powerful reference point.
In some cases, say a company manufacturing piping, having systems go down doesn’t stop people doing their jobs, and they can wait for a backup restore to get them back to where they were. For a company like this, 24/7 monitoring for intrusion attempts would be over the top, but the ability to restore quickly from backup would be valuable. At the other extreme, if a hospital’s networks are compromised, lives and sensitive personal data are at stake, so the level of risk it can accept is much lower.
This is where MSPs need to start the conversation: by looking at the real business impact of systems going down or data being stolen, and even whether the business could be used as a conduit into partners’ systems.
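To make “risk is measurable” concrete, here is a small worked model of the comparison above. It is an added example, not code from the original post or from any SolarWinds MSP product: it uses the classic annualized loss expectancy model (ALE = annual rate of occurrence x single loss) plus return on security investment (ROSI) to pick controls for a ransomware scenario until residual risk falls under the customer’s acceptable annual loss. The two customers, the control catalog and every dollar figure are constructed assumptions chosen to mirror the piping manufacturer and hospital contrast; real numbers come from the business impact conversation with the customer.

```python
"""Added example: annualized-loss model for the risk conversation.
All scenarios, controls and figures below are constructed for illustration."""

from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Scenario:
    """One high-impact event (here: ransomware) for one customer."""
    name: str
    annual_likelihood: float  # expected occurrences per year (ARO)
    days_down: float          # days until normal operations resume
    cost_per_day: float       # lost revenue, penalties, overtime per outage day
    data_loss_cost: float     # one-off cost if data is stolen or exposed

    def single_loss(self) -> float:
        return self.days_down * self.cost_per_day + self.data_loss_cost

    def annual_loss(self) -> float:
        """ALE = ARO x SLE."""
        return self.annual_likelihood * self.single_loss()


@dataclass(frozen=True)
class Control:
    """A service the MSP can sell, with its modelled effect on the scenario."""
    name: str
    annual_cost: float
    likelihood_factor: float = 1.0  # multiplies ARO (0.5 halves it)
    days_down_factor: float = 1.0   # multiplies outage duration
    data_loss_factor: float = 1.0   # multiplies data-loss cost

    def apply(self, s: Scenario) -> Scenario:
        return replace(
            s,
            annual_likelihood=s.annual_likelihood * self.likelihood_factor,
            days_down=s.days_down * self.days_down_factor,
            data_loss_cost=s.data_loss_cost * self.data_loss_factor,
        )


def rosi(s: Scenario, c: Control) -> float:
    """Return on security investment: (ALE reduction - cost) / cost.
    Negative means the control costs more per year than the risk it removes."""
    reduction = s.annual_loss() - c.apply(s).annual_loss()
    return (reduction - c.annual_cost) / c.annual_cost


@dataclass
class Plan:
    controls: list          # names of selected controls, in selection order
    residual_annual_loss: float
    annual_spend: float
    within_appetite: bool


def plan(scenario: Scenario, catalog: list, acceptable_annual_loss: float) -> Plan:
    """Greedy selection: while residual ALE exceeds the customer's appetite,
    add the control with the best ROSI, but never one that does not pay for
    itself. Stops early (appetite unmet) if nothing left is worth buying."""
    current, remaining, chosen, spend = scenario, list(catalog), [], 0.0
    while current.annual_loss() > acceptable_annual_loss and remaining:
        best = max(remaining, key=lambda c: rosi(current, c))
        if rosi(current, best) <= 0:
            break
        chosen.append(best.name)
        spend += best.annual_cost
        remaining.remove(best)
        current = best.apply(current)
    residual = current.annual_loss()
    return Plan(chosen, residual, spend, residual <= acceptable_annual_loss)


# Constructed figures (hypothetical customers and a hypothetical MSP price list).
PIPING = Scenario("piping manufacturer ransomware", 0.2, 3, 5_000, 10_000)
HOSPITAL = Scenario("hospital ransomware", 0.3, 5, 200_000, 2_000_000)
CATALOG = [
    Control("fast_restore", 1_500, days_down_factor=0.25),        # tested backups
    Control("segmentation", 40_000, data_loss_factor=0.5),        # limits data reach
    Control("monitoring_24x7", 60_000, likelihood_factor=0.5, days_down_factor=0.5),
]

if __name__ == "__main__":
    for s, appetite in ((PIPING, 3_000), (HOSPITAL, 200_000)):
        p = plan(s, CATALOG, appetite)
        print(f"{s.name}: ALE ${s.annual_loss():,.0f} -> ${p.residual_annual_loss:,.0f}"
              f" via {p.controls}, spend ${p.annual_spend:,.0f}/yr,"
              f" within appetite: {p.within_appetite}")
```

With these inputs the piping manufacturer only buys fast restore (24/7 monitoring has a negative ROSI for it, matching the “over the top” judgement above), while the hospital buys all three before it gets under its far lower appetite. The greedy choice is a simplification; the point is that once impact, likelihood and appetite are numbers, the spend-versus-risk trade-off becomes something the customer can see and revisit.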
By shifting the conversation from security to risk, you are putting yourself in the position of being able to have a much more valuable and powerful conversation with your customers and prospects.
In the next part, we will look at how MSPs can help companies understand where their most important data is and how they can plan to protect these assets.
For more of Tim’s top security tips, visit our Security Resources Centre here and download The Brown Report.
Tim Brown is VP of Security for SolarWinds MSP. He has over 20 years of experience developing and implementing security technology, including identity and access management, vulnerability assessment, security compliance, threat research, vulnerability management, encryption, managed security services, and cloud security. Tim’s experience has made him an in-demand expert on cybersecurity, and has taken him from meeting with members of Congress and the Senate to the Situation Room in the White House. Additionally, Tim has been central in driving advancements in identity frameworks, has worked with the US government on security initiatives, and holds 18 patents on security-related topics.