Guest Column | October 22, 2019

3 Tips On Building Your Security Plan

By Angel R. Rojas, Jr., DataCorps Technology Solutions, Inc.


Have you read Part One of my series on how to avoid being an MSP cybersecurity fraud? If not, stop what you’re doing and read that first, because we can’t proceed until those items are out of the way.

Several months ago I wrote an article entitled “Is Your MSP A Fraud?” In it, we discussed how many MSPs advocate cybersecurity to their clients without practicing what they preach. We covered three deadly sins I commonly encounter when talking to fellow MSPs, and now we’re discussing what to do about them.

Caught up? Great! Let’s get started with how to fix the second sin: We are not building or executing on a security plan.

Once a risk assessment is done, we have a pretty large to-do list of things that need remediation. Near the top of that list is the security plan itself, which outlines our protections, our policies and procedures, how we will conduct ourselves during an incident or breach, and who is on our response team. The plan can also carry the remediation items from the assessment, each with an owner and a target date, so that the open findings and the plan are tracked in one place.

This sounds daunting, and it is, but it’s absolutely critical to be thorough with the plan even if we’re not going to remediate or execute on 100 percent of it right away. Why? Many regulations have addressable items. Addressable does not mean optional: it means you assess whether the control is reasonable and appropriate for your environment, implement it or an equivalent alternative, and document the decision either way. This makes room for organizations of all shapes and sizes to adopt security at a pace that will not break their business. What we don’t want is to be willfully negligent, meaning that we did nothing, or wrote a plan and never followed it. That will not go over well with a regulator, an insurer, a judge, or a client.

So how do we take on this gigantic monster? Here are three tips on working through your remediation and building your Security Plan:

  1. Plan and prioritize. Rate your list in several ways: easiest to hardest, biggest impact to lowest impact, lowest to highest cost. Then look for items that score well on more than one scale and prioritize accordingly: items that are easy, cheap, and impactful come first. This approach does a few things. First, it gives you the opportunity to score a bunch of wins early on, and those wins give you the motivation to press on and tackle the bigger items. Large items can drag on, and the frustration of never finishing them often stalls progress altogether. You may also choose to work in parallel, pairing one large item with several small, easy ones so there is always something closing while the big piece is in flight. You know your style and your team; play to your strengths rather than your weaknesses when you attack your security plan.
  2. Engage an attorney. Some of the documents you’ll need to draft amount to writing law for yourself. Be careful not to write law that you can’t reasonably comply with, because a policy you don’t follow is worse than no policy at all. And how do you decide what is reasonable? Engage an attorney who practices privacy and data-security law, not a general business attorney who will have to research the subject on your dime. An incredibly powerful strategy is to team up with that attorney: law firms have to do this same exercise for themselves in order to provide competent and ethical representation to their clients. Working in tandem gives them the technical advice they need to complete their plan and, in turn, gives you the legal advice you need to complete yours. Remember, the first time you do this will be the hardest; each subsequent risk assessment and plan adjustment will be easier and quicker. You both have to complete this, so why not make it a win/win for both businesses?
  3. Stay organized. Use a whiteboard, a checklist system, or whatever tool works best for you, but stay organized so you can actually follow the plan. If you’re collaborating with an attorney, hammer out how you’re going to manage the workflow and communications up front so there’s no confusion. The idea here is that you need a feedback loop that tells you how far along you are in the process, what you’ve accomplished (celebrate this!), and what’s left to be done.

As I’ve shared before, there is no silver bullet; this is real work and we just have to get it done. We’re not the only ones who have to do it, and developing a network of allies is an extremely powerful way to get valuable help that would otherwise cost us a fortune. Approach it with a win/win mindset and you could come away with a powerful testimonial to share with others, a new key relationship and referral source, and an excellent security plan.

About The Author

Angel R. Rojas, Jr. is president & CEO of DataCorps Technology Solutions, Inc. and has been a member of The ASCII Group since 2017.