Who Owns the Risk?

by Sarah Harvey / June 11th, 2019

We find that managed service providers (MSPs) are often reluctant to take responsibility for the risks that they pose to clients. Their clients, though, may assume an MSP does take hold of a particular risk – and here lies the problem. When this type of miscommunication occurs, it leaves major gaps in organizations’ security posture. So…who owns the risk?

Shifting the Risk

When an organization engages with one or more MSPs, they must understand the concept of shared responsibility. MSPs and their customers must work together to meet security standards and expectations. Working with an MSP doesn’t remove the risk from the customer, it shifts it. Protecting systems like database servers, firewalls, switches, authentication services, and log servers means there is a distribution of risk between the MSP and the customer. As an MSP, you must clearly define what is within the scope of your responsibilities to your client. Customers do inherently accept some risk, but not all of it. You’re providing important, essential services – take that responsibility seriously. Your customers are putting their trust in your services. MSPs depend on trust. If a client can’t trust your services, why would they choose to use you?

Don’t fall into the trap of getting too comfortable with risk when you partner with an MSP. As an organization engaging with one or more MSPs, you must remember that you cannot outsource your reputation. Your reputation will always be at risk – and your responsibility. It’s up to you to vet MSPs and hold them to a high standard.

Benefits of Owning Your Risk

Pursuing challenging compliance goals, especially before you’re required to, may seem like too much work, money, or time. We believe, though, that when an MSP proactively undergoes something like a SOC 2 audit, it demonstrates that they are invested in providing secure services and ensuring that their clients’ data remains protected. Achieving compliance objectives before your competitors or before you’re asked by a game-changing prospect prepares you to own your risk.

MSPs’ reputation, business continuity, competitive advantage, and branding all depend on the quality and security of their systems and can benefit from SOC 2 compliance.

Owning your risk…

  • Makes you aware of where your vulnerabilities are and how that impacts your clients
  • Gives you a direction for where to mitigate risk
  • Gives you a competitive edge, puts you above the rest
  • Protects your reputation
  • Eventually, makes you and your customers more secure

If you’re an MSP who is hesitant to undergo an information security audit, consider the implications of suffering a data breach or security incident. The negative implications are not limited to your reputation; there is a ripple effect. Once your customers’ information systems or data are exposed, you’re on a path full of obstacles and fragmented security. Your reputation will be permanently changed. Clients will stop trusting you, prospects will stop inquiring about your services, and lawsuits and fines will begin to surface. The continuity of your business depends on securing your systems and proving that you are, in fact, a secure MSP.

Have questions about how to achieve compliance goals or start the compliance journey? Contact us today.

More Resources for MSPs

About Risk Assessments & Management

How Can a SOC 2 Bring Value to MSPs?

How to Accurately Define the Scope of an Information Security Assessment

Auditing Basics: Carve-Out vs. Inclusive Vendors