By Angel R. Rojas, Jr., DataCorps Technology Solutions, Inc.
The world has changed in just a few short years. A lot. Our clients are under the constant threat of cyber-attacks with so many vectors it seems like an insurmountable task to keep them safe.
I’ve had the blessing to speak at ASCII Group Success Summits throughout the country this year, which has afforded me an opportunity to have good, meaningful, face-to-face conversations with many peers. Cyber protection has been at the top of most of these conversations and, sadly, the state of affairs in our industry is weak. Many of the conversations reveal the focus is misaligned and is not even consistent with what we know will provide effective overall protection to our businesses and clients.
Time for a heart to heart ... maybe an intervention?
We preach the gospel of cyber, but we don’t practice it. We are the choir, but we think the preacher’s words do not apply to us. We have committed deadly sins and remain unrepentant. Here are the top three:
- We are not doing annual risk assessments on ourselves. Why not? The answer is simple, and it is the same reason our clients give after they discover it isn’t optional: We just don’t make the time for it.
Since this isn’t optional, we need to schedule a time, at least annually, to complete our risk assessment. There are even vendors out there who will help an MSP complete a risk assessment for around $300! There simply isn’t a valid excuse to not do this. Also, don’t forget to remediate what the risk assessment finds!
- We are not writing, following, and updating a security plan, the bedrock of how protected we are and how well we protect our clients. Again, the tyranny of the urgent keeps us from completing one, but we must fight and advocate to get it done.
A security plan addresses the who, what, when, where, and how of our security practices. Without it, we are just flying blind and, while this may have served us well up until now, it is a false sense of security and demonstrates we are just lucky, at best. As the old adage goes, “Those who fail to plan, plan to fail.”
- We are still looking for toys to fix the problem instead of focusing on what counts. And, just like with marketing, sales, HR, and anything else, there are no silver bullets. We just have to buckle down and do the work.
There are no tools you can buy that just complete your risk assessment or security plan. Worse yet, many think it is perfectly fine to buy a prepackaged or “canned” security plan and call it a day. All this does is set you up to fail and to create unreasonable expectations for you and your team. Do the work and you’ll learn a ton, plus you will have experience to help you address common misconceptions and objections clients have surrounding the process.
So how do we turn this around? How do we stop being frauds?
Confess your sins, repent, then stop committing them! The first step is to perform the risk assessment and follow the same process we are preaching to our clients. “But they’re not buying our cyber services, Angel.” Would you take advice from a hypocrite?
It’s time to turn this around and start minding our house. Don’t be an MSP fraud!
About The Author
Angel R. Rojas, Jr. is president & CEO of DataCorps Technology Solutions, Inc.