20 Ways MSPs Can Be Security Heroes

The role of an MSP is an important one. MSPs want to help their clients create and maintain a strong security posture – that’s why, as an MSP, your clients come to you with information security problems that need to be fixed, ranging from disaster recovery to risk assessment services. Who finds those problems? Auditors and pen testers. Who determines if those problems are risky gaps in the client’s security posture? Auditors and penetration testers. When your clients go through information security audits for the first time, they should also go through a gap analysis – a process that identifies any operational, reporting, and compliance gaps. Once an organization knows their gaps, they can begin the remediation process. That’s where you come in.

As an MSP, when you’re able to interpret gap analysis results, you can typically find more opportunities to grow your business with that client. How? By fixing the issues found during the gap analysis. Your clients walk away from audits and pen tests with information security problems that need to be fixed. Additionally, by encouraging your clients to undergo security testing and having a recommended vendor, you are seen as their trusted information security advisor. If you can speak from experience and have gone through an information security audit before, that’s even more valuable for your clients. They can trust your experience and be assured that you won’t bring more risk into their environment.

Clients trust you to cover their IT and information security needs. Are you serving them well if you can’t understand a gap analysis report or remediation plan? KirkpatrickPrice is here to educate and empower you to better serve your clients. Let’s take a look at 20 gaps that could be mitigated by the average MSP.

Have more questions after reading? Contact us today and we’ll connect you with an expert on MSP services and partnerships.

The Keys to a Successful Audit

Creating a culture of compliance within your organization promotes your commitment to security. An auditor can be seen as a nit-picky, negative, overly involved outsider coming into your environment, asking questions and looking for any control that’s insufficient. However, this mindset causes organizations to fear auditing and auditors, when in reality, an audit is a healthy habit and auditors are trained to help you better understand and protect your assets. In this short interview with Sara Lewis from JetPay, she explains the keys to a successful audit: honesty and documentation.

Your auditor is not your enemy, so don’t try to hide controls or processes that you know don’t meet the standard. Our advice is to be honest, up-front, and involved in your audit process. Never try to hide something from your assessor because your job is to protect your assets, and their job is to verify how you’re protecting them. If you’re declaring that you do something that you’re not actually doing, you’re setting your organization up for exploitation. If you know you have an insufficient control, be up-front with your assessor and let them know you have a plan to fix the control and when you expect the modifications to be implemented.

We say it over and over and over again: if it’s not written down, it’s not happening. Documentation is one of the keys to a successful audit. You must prove that you’re actually doing what you say you’re doing as part of your due diligence. The way to prove it? Policies and procedures. A policy is an executive-level order that defines that something must be done, but a procedure defines how you do it. A policy defines a rule, and the procedure says, “This is who is expected to do it, and this is how they are expected to do it.” Standards are the tools, means, and methods that you will use to meet policy requirements.

Our audit process helps companies grow from a start-up to a full-fledged business, recover after natural disasters, assure clients of their commitment to security, and so much more. Our senior-level auditors have over 400 years of combined experience in information security, performing assessments, audits, and tests which strengthen information security and compliance controls. You’ll find that their certifications give them knowledge to help you understand the requirements and teach you how to become a stronger, more mature organization. Remember, your auditor is your partner. For more information on how to prepare for an information security audit, contact us today!

Video Transcript

One of the keys in completing a successful audit is honesty. Don’t try to hide things from your assessors because they’re going to find it, and they’re going to find it at the worst possible time and in the worst possible way. If you know you’re insufficient in something, be upfront about it. Let them know that you’re working, that you have a plan, and when you intend to be done.

Make sure you have everything documented – that bites a lot of people. You have to prove that you’re doing what you know you’re doing.

Work with your auditor. Your first answer might not be sufficient, but they’ll let you know what they’re looking for, so just follow up and stick with it until it’s done.