Navigating the Interplay of Security and Compliance

In the dynamic world of cybersecurity, understanding the delicate dance between security and compliance is essential for Managed Service Providers (MSPs) striving to protect their clients’ interests. And what better way to gain insights than from industry veteran Shel Philips?

In a recent podcast episode, he didn’t just scratch the surface; he dove deep into the challenges of implementing security and compliance for a Managed Service Provider (MSP), best practices, and emerging solutions that MSPs face in today’s cybersecurity landscape.

Security and Compliance in the IT Industry: Partners in Crime

First, let’s talk about the dynamic duo: security and compliance. They’re like Batman and Robin—individually strong, but together, unbeatable. Security is about protecting systems and data; compliance is about demonstrating adherence to regulations and frameworks. Shel sheds light on the nuanced relationship between the two, pointing out that while they are often conflated, they serve distinct yet interrelated roles in safeguarding digital assets: a control can be documented and still misconfigured, and a control can be effective and still undocumented. Recognizing this alliance is vital for MSPs crafting tailored strategies to keep their clients safe from cyber threats.

With that foundation in place, let’s shift our focus to Shel Philips’s real-world experiences and insights. Through his extensive experience in cybersecurity, Shel has encountered numerous challenges and questions that resonate with MSPs navigating the intricate landscape of security and compliance. Let’s explore some of these critical challenges and questions.

The following is the full interview from a podcast hosted by Bobby Guerra from Axiom Technology called Climbing Mount CMMC. In it, they discuss implementing several specific security frameworks, such as CIS 18 and CMMC (Cybersecurity Maturity Model Certification).

Bobby: Welcome back to Climbing Mount CMMC. Today, we’re exploring how businesses can use CIS to their advantage and progress further in their CMMC journey. We’re thrilled to explore this crucial topic with our listeners.

Bobby: Shel, it’s great to have you with us. Before we start today’s main discussion, could you share the origin of your unique nicknames?

Shel: Absolutely, happy to be here! A few years back, I was known as the “drip pan” at my company because I caught all the new projects our visionary owner would bring in and turned them into something tangible. Then, about three years ago, during a cybersecurity meeting, I was tasked with creating a spreadsheet and ended up being dubbed “Shel as a service”!

Bobby: How did you start working with CIS and CMMC?

Shel: My journey in compliance and security began when I realized the challenges of implementing CIS in a managed service company like ours. It was surprisingly tough to get started, and from there, I learned a lot about the intricacies of managing security and compliance.

Key Challenges for MSPs in Implementing Security Measures

Bobby: What are the major challenges MSPs face when implementing security measures?

Shel: The biggest hurdle is the sheer number of tools we use, each with different levels of security effectiveness, which can lead to vulnerabilities. For MSPs, especially when dealing with DoD contracts like CMMC, the scope of what needs to be secured is a significant challenge—there’s just so much to cover.

Bobby: As an owner of an MSP (Managed Service Provider) myself, I have observed that MSPs are skilled at providing services and ensuring security. They can easily preach about good practices and concepts. However, when it comes to compliance, I have noticed that many MSPs struggle with it. Having attended various conferences and seminars, I have seen that only a few MSPs use frameworks such as CIS, NIST CSF, NIST 800-171, or CMMC. If MSPs are asked to raise their hand to show which framework they use, only a small percentage would do so.

Shel: Yes, about 5%.

Bobby: You mentioned earlier that policies and procedures can be viewed differently in terms of compliance versus the overall health and security of the company. Can you expand on this further?

Shel: Many people mistake compliance and security as the same thing, but they are not. Let me give you an example of a password management policy. If the policy requires only six characters in a password, never changing it, and no MFA, that is a weak policy; following it strictly does not guarantee security. Alternatively, a stringent policy requiring 16 characters or a passphrase, MFA, and changing the password periodically sounds good, but if it is not followed, it does not ensure security either. Therefore, compliance and security go hand in hand, and both must be distinguished. A person usually handles compliance, whereas security is managed by technology. The two pieces need to be integrated to ensure overall security.

Exploring the Dichotomy between Compliance and Company Security in Policies and Procedures

Bobby: Despite cybersecurity’s critical importance, few MSPs seem to have developed a comprehensive framework, including policies, procedures, and a system security plan for their operations. Given the relatively low number of MSPs with such frameworks, what are the main challenges holding them back?

Shel: That’s a great question, Bobby. When you consider the nature of the technology sector, it’s clear that competitive pressures and thin margins play a significant role. Many MSPs get caught up in a race to keep costs down and maintain profitability, which can lead them to look for shortcuts or quick fixes. They might adopt a new tool and believe it’s sufficient for their security needs. However, a truly effective security strategy requires a robust collection of tools and a proactive approach.

In reality, developing and maintaining a comprehensive security plan requires a commitment to investment in tools and ongoing education and adaptation. Many MSPs have good intentions, but the implementation often falls short due to resource constraints or lack of deep understanding. If you ask how many “have a formal incident response plan,” you’ll find that it is an alarmingly low percentage — perhaps only 2 to 5%. It’s a classic case of “the cobbler’s children have no shoes.” While MSPs can rally strongly for their clients in an emergency, they often neglect to apply the same rigorous standards to protect themselves preemptively.

The challenge is not only in establishing these protections but in fully understanding and operationalizing them both internally and for clients. This gap is where the true breakdown occurs, underscoring the need to shift how MSPs prioritize and implement their cybersecurity strategies.

Primary Obstacles in Developing Comprehensive Policy and Procedure Frameworks for MSPs

Bobby: And you’ve, I think you nailed it perfectly, Shel, from the perspective of you having an agreement, right? Does providing full IT services to a client with 25 employees necessarily include complete compliance within an internal framework?

Shel: Providing full IT services doesn’t automatically ensure full compliance within an internal framework. It’s crucial to clarify the objectives from the outset. I typically start by developing a shared responsibility matrix to clearly define who is responsible for what. This matrix includes three main categories: the client, my MSP team, and any hosted applications involved, such as those in cloud environments like Microsoft Azure or AWS. There is a shared responsibility for security. Sometimes, the client has their own staff that we guide and direct; other times, we handle everything, or we might just be brought in to manage a specific project. Once the roles and responsibilities are clearly established, we can build a successful security program.

Shel: However, effective security isn’t about deploying technology. It requires continuous review and often needs human intervention. For instance, managing awareness training or conducting risk assessments are tasks that require human oversight, not just a set configuration. Security consulting within this framework can be highly profitable and lucrative. It offers higher margins than traditional MSP services, mainly because few have a deep understanding or are fully equipped to implement comprehensive compliance and security strategies. Often, organizations might not have staff trained specifically for compliance, leading them to rely on partial solutions like antivirus software or off-site backups. But these measures alone don’t constitute a complete security plan.

Assessing the Necessity of Full Compliance in IT Services for Small Clients

Bobby: What should MSPs do to move from merely using tools to having a robust security framework?

Shel: MSPs must adopt a strategic approach, starting with setting a clear framework that aligns with their business strategy. Implementing something like CIS effectively involves understanding and managing many moving parts, not just setting up tools. It’s about building a security-minded culture that spans the entire organization, not just the IT department.

Final Thoughts

Bobby: Any final thoughts for MSPs trying to enhance their security and compliance strategies?

Shel: Start with a solid framework like CIS, understand it deeply, and apply it consistently across your operations. Having the right tools is not enough; it requires creating a culture that values and understands security. And remember, securing your operations is not only good practice but also a necessity for doing business, especially when dealing with government contracts.

Bobby: Thank you for sharing your valuable insights, Shel. In our upcoming episode, we will continue to explore key strategies for scaling the peaks of compliance and security.

To stay current on the latest trends in CMMC and cybersecurity, be sure to follow us on LinkedIn, YouTube and our monthly newsletter. We’ll share our latest news with you and encourage you to engage with us in community discussions.

To schedule a consultation with Shel regarding the maturity of your company’s compliance and cybersecurity health, you can book a time with him here: