
How to create a cybersecurity program for your own MSP

MSPs hoping to roll out an IT security practice would be well advised to first cultivate their own culture of security, writes Jason McNew in this Ask the Expert segment.

The acceleration of ransomware, DDoS and other cyberattacks has compelled customer organizations -- large and small -- to focus more on data protection.

Against this backdrop, channel partners have been inspired to think about launching IT security practices to better support their clients. But channel partners should take a look within their own companies first, before billing themselves as security specialists. In this Ask the Expert, Jason McNew, CEO and founder of Stronghold Cyber Security, discusses how managed service providers (MSPs) can create a comprehensive cybersecurity program within their own organizations. McNew has been an ASCII Group member since 2017.

Walk into any business today, and you will see bright red exit signs, wet floor signs, and safety posters in the break room. We all do fire drills and receive regular safety training. Every business, whether large or small, has a culture of safety.

In addition to a culture of safety, the Department of Defense (DoD) and large enterprises also have a culture of security. Next to each safety sign is a security awareness sign, and all employees receive regular, freshly updated security training that reflects current threats. In very high-security environments, cybersecurity drills are carried out regularly.


To become a cybersecurity practice, MSPs can begin now by creating a comprehensive cybersecurity program for their own companies, with the overall goal of creating a culture of security. An excellent, little-known framework for modeling such a program is Chapter 8 (Information System Security) of DoD 5220.22-M, also known as the National Industrial Security Program Operating Manual (NISPOM). Once fully implemented internally, this NISPOM-based security program can then be rolled out to your clients. The MSP security program must be CEO-backed and CEO-driven, and should include policies, procedures, administrative controls and technical controls; it cannot be overstated that technology alone will not secure a business. The cybersecurity program must also dictate how many employees are to be trained and certified to a defined standard. MSPs do not have to write their own cybersecurity manuals; they can adopt, in whole or in part, existing manuals that are readily available from organizations such as the National Institute of Standards and Technology (NIST), ISO and the DoD.

When discussing cybersecurity with clients, MSPs should be able to explain that they have their own cybersecurity program, what it is based on, and that they employ properly trained staff. Because well-qualified cybersecurity professionals are both expensive and hard to find, MSPs are advised to start by getting their existing employees certified. A good starting point is the CompTIA Security+ certification, with the eventual goal of having an ISC2 Certified Information Systems Security Professional (CISSP), or a CISSP equivalent, on staff.
