Over the past 10 years, we've seen a progressive commoditization of the IT industry. Help desk services are now rolled into unlimited flat-rate agreements, hardware replacement is more streamlined, and automated management and monitoring tools have evolved to provide useful proactive remediation services.
The value MSP's (Managed Service Providers) have brought to the average business is undoubtedly beneficial. But at what cost? When considering value, you generally evaluate three critical metrics: cost, efficiency/time, and quality. I've often told customers that no matter the vendor, you only get two of the three. As a CEO or business owner, understanding what you're sacrificing is key to navigating your organization’s IT Strategy.
When evaluating your organization’s Cyber Security posture, business owners must also evaluate the limitations of their Managed Services Provider. Generally speaking, MSPs are keen on cost and efficiency, but have generally sacrificed quality. This isn't to say they are not qualified in the services they offer, but rather, lack the required depth to navigate today's evolving cyber threats. Automated tools, anti-virus software, and fast help desk response is no longer enough. Effective cyber risk management begins with an experienced and qualified cyber security partner.
There are four key variables that must be considered when selecting a cyber security vendor. While not a definitive checklist, these areas represent critical components to a successful and strategic partnership.
First, regulatory compliance. Does your vendor have the experience and applicable certification(s), to navigate your regulatory requirements? If you're regulated by HIPAA, PCI, etc., then your cyber security posture has definitive measures that must be adhered to. Non-compliance not only increases risk of breach, but can lead to substantial financial penalties.
Second, understanding of regulatory standards. Successful security programs and defensible networks leverage adopted standards. Resources available from ISO, NIST, CIS, etc., provide the framework to build, protect, and defend your network from cyber threats. Choosing a partner that not only utilizes these standards, but understands their implementation is critical.
Third, employee training. There is a legitimate argument to be made that this should be the number one priority when engaging a cyber security partner. Does the vendor have an established cyber awareness training program for your employees? Does the training meet regulatory requirements? How often is the training offered? When considering that nearly 70% of all corporate breaches begin with a compromised employee computer, training your staff is not only recommended, but is absolutely required.
Lastly, experience. I know this sounds obvious, but you would be surprised. Just because an IT company has years, or perhaps decades, of technical experience does not necessarily translate to cyber security expertise. The evolution of today's cyber threats has outpaced the generalist IT/MSP vendor. Much like medical care, a cyber security firm is your specialist, while your IT help desk / MSP is your primary care doctor.