Overcoming Initial Hurdles when Developing MSP Standards

Three and a half years ago I wrote a blog post on developing standards and their importance to your customers. A lot has changed since then and I thought it was time to update the post with recent content. Even today, developing standards takes time and energy, but an MSP can overcome initial challenges and gain a significant advantage over its competitors.

What’s A Standard?

Authoritative bodies define standards to help solve problems. Standards often meet the following criteria: they introduce a recurring solution to an existing problem, they receive mass adoption by the majority, and they are implemented by solutions providers. These qualities apply to standards across all industry types.

Standards prevent fragmentation among clients by streamlining operations, support, and the decision-making process. After all, standards and alignment are a key component of Technology Success. Aligning clients to your best practices reduces reactive noise and allows the vCIO to concentrate on budgeting and strategy.

In a world changed by COVID-19, standards and alignment are more important now than ever. The increase in personnel working from home exposed serious security flaws, giving threat actors a new approach to stealing sensitive data. Attention to cybersecurity, and to the practice of implementing security measures internally and externally, is at an all-time high.

How Should MSPs Develop Standards?

Developing standards from scratch is a daunting task. You need to research the appropriate frameworks or compliance requirements, format them to be usable, then choose what to keep. Luckily, there are many sources available for inspiration. Standards often fall into three categories: statutory or regulatory law, frameworks, and industry best practices.

Doing something “because that’s how it was always done” is the worst method of creating standards. Information passed through various employees, known as tribal knowledge, becomes lost in translation as it moves through the ranks. Tribal knowledge is verbal and changes over time with no formal documentation. Standards and best practices have written requirements, and documenting them is mandatory.

As part of standards and alignment, we include the myITemplates repository in our myITprocess software. It contains a collection of statutory and regulatory compliance templates, frameworks like NIST and CIS, and industry best practices. Whenever you need some or most of these templates, you can drag and drop them into your standards library. Also, myITprocess comes with a 150-question starter template out of the box to get you started.

There’s No One-Size-Fits-All Approach

Technical alignment is not a cookie-cutter process; it is different for every MSP and every customer. Many of your clients will align with core standards such as firewalls, networking equipment, and workstation requirements. But other standards you choose to implement vary between customers due to industry, size, complexity, level of risk, and so on. Statutory, regulatory, and contractual compliance objectives prove that not all customers are the same, so your approach to standards alignment should follow suit.

As mentioned earlier, creating standards is a difficult, time-consuming process. While we offer some help through the myITemplates repository and the starter template, you must put effort into researching your own best practices to align your client base. As time goes on, the process will get smoother and your understanding of those requirements will come more naturally.


Unlocking the Power of Technology Standards in Your MSP

Now is the time to unlock the power of technology standards in your organization. Standards can be the key to increasing your perceived value with customers and fostering a more strategic business relationship.

First and foremost, what is the definition of an MSP Standard and why are they so powerful?

MSP standards are defined as a set of best practices and provide an objective view of a customer’s technology environment by aligning them against those standards. Standards are a powerful tool because they allow an MSP to set the bar on what and how technology should be used in a customer’s environment. Aligning a customer to those standards reduces reactive noise (tickets) and generates recommendations to advance the customer’s business goals.

Will your company’s standards look the same as others in the industry?

Standards come in many forms and are sourced from different providers, from statutory laws, private compliance, and industry best practices. It is common for standards and best practices to overlap in the industry, mainly due to compliance or government regulations enforcing the use of industry best practices. For instance, the National Institute of Standards and Technology (NIST) provides numerous standards, frameworks, and best practices for organizations in every industry. And, since federal and state objectives for security have recently become more strict, NIST frameworks are most commonly the backbone of these rules and regulations.

How will these standards help you to scale your business and become more profitable?

Implementing and aligning your customers to a set of standards will generate numerous benefits for your MSP. For one, technical alignment drives down reactive noise by assessing problem areas, resolving those gaps through recommendations, and decreasing the number of support tickets. When a Technical Alignment Manager (TAM) performs their onsite technical assessment, they pass their findings to the virtual Chief Information Officer (vCIO), your customer’s strategic partner, to make those recommendations a reality. As part of the technical alignment process, the vCIO performs a business impact and strategy review with each client, addressing how standards alignment affects their business goals and assisting with the development of a short- and long-term strategy. A strategic roadmap helps your clients plan for future expenses and visualize their business goals, increasing the intrinsic value provided by your services.

Will customers be affected by these standards? Will they be valuable to them?

When a customer is aligned to your set of standards, they gain a competitive advantage by using technology as a strategic asset. Developing a strategic roadmap and budget months, or years, in advance allows them to concentrate on their business goals rather than on maintaining their technology. Customers who can focus on their business rather than on day-to-day support tickets will see the value in the standards and alignment process.

How can you get started with creating and eventually maintaining your Standards Library?

Getting started with standards is easy! As a myITprocess subscriber, you will have access to the myITemplates repository, filled with over 3000 questions from popular frameworks like NIST Cybersecurity Framework and CIS Controls, as well as numerous federal and state compliance and industry best practices.

Plus, myITprocess comes preloaded with the default template containing 150 questions to get you started out of the box. Want to implement your own standards? You can easily move, add, and change sections, categories, and questions directly through the web interface or upload them in bulk using our easy export/import feature. Additionally, you can tag sections and categories for easy sorting and filtering to designate specific uses like onboarding or quarterly assessments.


Coming Soon: FormulaWon Training Portal Gets A Facelift

What prompted an upgrade to the FormulaWon Training Portal?

The last time our members portal saw an update was in 2015. We felt that in the last five years, the technology behind the portal and the needs of our members have changed and we need to keep up by updating the site from multiple angles. Also, with the increased onboarding of new members in our FormulaWon program, myITprocess, and TruPeer, the portal is destined to become a hub for user training, live and recorded events, and member forums.

Will there be upgrades to the Training content? How will the functionality be improved?

Our training section is receiving a complete overhaul. Users will notice drastic alterations in how Tracks are laid out on the page, color-coding by delivery area, and multiple filtering options. Details on what users should expect to see are:

  • Visual improvements to the layout of tracks and modules. All training content is displayed using a card system to give our members more information on the track like title, a brief description, number of lessons and hours, and their current progress.
  • Cards will have color-coding to differentiate between the different delivery areas. For instance, Tracks in the Owner category will have a purple border, vCIO and TAM a blue border, and so on.
  • Numerous filtering and sorting options allow members to focus on topics based on their preferences. Users can filter tracks by tag or by category, while also sorting by alphabet, newest, and most recent. (Playlist functionality is available in a near-future update).

Lesson Page

Another new feature we are excited to announce is Playlists. A member has the option to save training lessons, podcasts, and recorded webinars to their own custom playlist to watch later. Better yet, playlists can be shared with other members of your organization.

Training pages have received a complete overhaul thanks to LearnDash, our new Learning Management System (LMS). View your training video while accessing individual lessons in the right panel. Download supplemental training material on the same page, and even ask the TruMethods team a question using the Q&A panel (coming soon).

Will the portal look visually different?

The first upgrade our members will experience is the new look and feel of the portal. Every page is designed from the ground up with the user experience in mind, putting the information you are looking for all in one place. For instance, the homepage now includes:

  • Training module: see your current training progress and continue where you left off. You can even view the latest and most popular tracks.
  • Events module: access webinars and add them to your calendar, view past webinar recordings, and listen to podcasts.
  • Top Conversation: check out the most active conversations happening in the members forums with quick access to each thread.
  • Recent replies: view a list of recent replies in the member forums and join the conversation.

Homepage

We’ve updated the portal’s color scheme to match the TruMethods website.

The new Tune In section is home to our company webinars, podcasts, and events. Feel free to check out an upcoming webinar or watch one from the day before.

How will the Search option be enhanced?

A new search engine finds information in real-time and lists color-coded results, making it easier to find the topics that interest you.

Search will now find items across the site to match your search terms. For example, if you’re interested in learning about Technology Success, search results include webinars, podcasts, Tracks, or even articles.

New filtering options allow you to narrow your search using categories, tags, and dates.

When can users expect to see these updates?

We are currently targeting a production release to all members this summer. The homepage and training page redesign will be complete at launch, with the other pages rolling out over the course of this year.

What is the main goal of these changes? Why should users be excited about these enhancements?

The new portal was designed with user experience in mind. We wanted members to log in and access as much content as possible from a single page. Improving the overall speed and responsiveness of the site was a goal, to reduce the time between page views. We hope the new design is more visually appealing, more user friendly, and accessed more frequently.


When Standards Collide: Choosing the Best for your Clients

Choosing the best standards for your clients is difficult. Many questions arise when deciding what standards are worthy: Are these the best? Can we do better? Are these proper for their industry? I sat down and thought about this conundrum and came to this conclusion: it depends.

I find myself responding with this answer very often in conversations. Cable or a streaming service? It depends. Ice cream or gelato? It depends. CIS Controls or NIST Cybersecurity Framework? It depends. My reply of “it depends” is not my inability to make a decision, but a stop-gap before answering with what is best from my personal experience.

Our myITprocess software has many templates available out of the box. One set is provided to members by default and is aptly named the Default Template. Upon first login, users are greeted by a standards library preloaded with six sections containing 150 questions. The purpose of these standards is to provide a starting point for your alignment process and to be used going forward as long as they align with customer technology goals. They may not be the best standards to use, but they provide you with a content baseline.

So how do you know if you’re using the best standards for your customers? Ask yourself these questions:

  • Am I skipping the same questions every time? – If you find yourself marking questions as N/A on multiple reviews, you probably do not need that question. If you cannot or will not answer it, or just “putting it off until later”, it is probably not that important.
  • Is this question relevant to my customer’s business? – Some questions, especially in the default template, may be too generic or too complex for your clients. If it does not seem to fit their business goals, replace it with something relevant.
  • Why am I married to this standard? – Whatever you do, get rid of that toxic relationship. If you have standards you are trying to make work no matter the outcome, cut it loose.
  • Should I ask for help? – Yes! If you seem stuck or unsure which direction to move in, ask for an outside opinion. If you are running a standards committee be sure to bring this up and ask for direction.
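The first two questions above are answerable from your own review history: a question that is marked N/A in most reviews is a candidate for removal from the library, while a question that only one customer always skips is better handled as a per-customer exception. The script below is an added example, not code from myITprocess; it runs over a small set of constructed review records with hypothetical customer, review and question IDs, and the `na`/`aligned`/`misaligned` answer vocabulary is an assumption of the example.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample assessment data (hypothetical customers, reviews and
# question IDs; not exported from myITprocess). One record per question
# answered in a review: (customer, review_id, question_id, answer).
# Answers are "aligned", "misaligned" or "na" (the question was skipped).
SAMPLE_REVIEWS: List[Tuple[str, str, str, str]] = [
    ("acme", "acme-2020-q1", "sec-01", "aligned"),
    ("acme", "acme-2020-q1", "sec-02", "na"),
    ("acme", "acme-2020-q1", "bdr-01", "misaligned"),
    ("acme", "acme-2020-q2", "sec-01", "aligned"),
    ("acme", "acme-2020-q2", "sec-02", "na"),
    ("acme", "acme-2020-q2", "bdr-01", "aligned"),
    ("beta", "beta-2020-q1", "sec-01", "misaligned"),
    ("beta", "beta-2020-q1", "sec-02", "na"),
    ("beta", "beta-2020-q1", "bdr-01", "na"),
    ("beta", "beta-2020-q2", "sec-01", "aligned"),
    ("beta", "beta-2020-q2", "sec-02", "aligned"),
    ("beta", "beta-2020-q2", "bdr-01", "aligned"),
]


def _is_na(answer: str) -> bool:
    return answer.strip().lower() in ("na", "n/a")


def na_rate_by_question(reviews) -> Dict[str, Tuple[int, int]]:
    """Map each question ID to (times marked N/A, times asked) across all reviews."""
    counts: Dict[str, List[int]] = defaultdict(lambda: [0, 0])
    for _customer, _review_id, question_id, answer in reviews:
        counts[question_id][1] += 1
        if _is_na(answer):
            counts[question_id][0] += 1
    return {q: (na, total) for q, (na, total) in counts.items()}


def questions_to_retire(reviews, threshold: float = 0.5, min_reviews: int = 3) -> List[Tuple[str, float]]:
    """Questions skipped in at least `threshold` of the reviews that asked them.

    `min_reviews` avoids judging a question on one or two data points.
    Returned as (question_id, na_rate), highest rate first.
    """
    out = []
    for q, (na, total) in na_rate_by_question(reviews).items():
        if total >= min_reviews and na / total >= threshold:
            out.append((q, na / total))
    return sorted(out, key=lambda item: (-item[1], item[0]))


def customer_specific_na(reviews) -> Dict[str, List[str]]:
    """Questions that one customer skips in every review while other customers answer them.

    These are candidates for a per-customer exception (the question is not relevant
    to that business) rather than for removal from the whole standards library.
    """
    answers: Dict[Tuple[str, str], List[str]] = defaultdict(list)
    for customer, _review_id, question_id, answer in reviews:
        answers[(question_id, customer)].append(answer)
    always_na: Dict[str, List[str]] = defaultdict(list)
    answered_elsewhere = set()
    for (question_id, customer), given in answers.items():
        if all(_is_na(a) for a in given):
            always_na[question_id].append(customer)
        else:
            answered_elsewhere.add(question_id)
    return {q: sorted(c) for q, c in always_na.items() if q in answered_elsewhere}


if __name__ == "__main__":
    for q, rate in questions_to_retire(SAMPLE_REVIEWS):
        print(f"retire? {q}: marked N/A in {rate:.0%} of reviews")
    for q, customers in customer_specific_na(SAMPLE_REVIEWS).items():
        print(f"per-customer exception? {q}: always N/A for {', '.join(customers)}")
```

On the sample data `sec-02` is skipped in three of four reviews and is flagged for retirement, while the per-customer view shows that only `acme` never answers it; in practice that second signal is worth checking before deleting the question, since the answer may be "keep it, but exclude it for that client."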

Finding the right standards will not occur overnight. There are many factors an MSP needs to consider before finding the sweet spot. The process of selecting, testing, modifying, and repeating will inarguably take some time, but how long? It depends.


Want to Fill Your MSP Standards Library? Try These!

Aligning your customers to a set of standards seems easy. You create questions around privacy, security, and infrastructure and ensure they meet business goals. But what if your standards are outdated, too broad, or non-existent? What if you need more and are unsure where to look?

If you are looking to begin or build on your standards library, there are good options included with myITprocess. These templates refer to popular industry best practices and frameworks. Even if you need generic, non-compliance standards, the default template is a great place to begin.

myITprocess Default Template

  • Consists of six sections containing 150 questions.
  • Covers core and server infrastructure, security, and backup and disaster recovery.
  • Generic questions that do not conform to a particular framework or regulatory authority.
  • Great for general technology, security, and disaster recovery.

Center for Internet Security Controls 7.1

  • Contains 171 questions within 20 “Controls”.
  • Covers incident response, account monitoring, malware defense, and more.
  • Plain English descriptions and guidance.

Cyber Essentials (UK)

  • Straightforward requirements for security and privacy.
  • Includes incident response, endpoint security, asset management, and more.
  • Sponsored by the UK government, but relevant to anyone.

NIST Privacy Framework 1.0

  • Minimize adverse consequences for individuals’ privacy and society as a whole.
  • Fulfill current compliance obligations and future-proof products and services to meet these obligations.
  • Facilitate communication about privacy practices with stakeholders.
 
Resources:
www.trumethods.com/myitprocess
https://www.cisecurity.org/controls/
https://www.ncsc.gov.uk/cyberessentials
https://oag.ca.gov/privacy/ccpa


How to Start Your Journey to Cybersecurity Implementation

MSP cybersecurity, and the process of securing your own organization, is the latest topic to pick up steam. Yet it seems many MSPs are falling short on their own security posture. The issue is a lack of time, money, or resources and, unfortunately, negligence. Starting a cybersecurity program is no easy task, so let us look at some common questions we hear on where to start.

“I’m overwhelmed with securing our MSP. Where can I start?”

Choosing a starting point is difficult: you have either too many information sources or not enough. Information overload causes you to seize up and prevents forward motion. If you are wondering where and how to start:

  • Start small and avoid going from point A to Z in one step. Work your way up through the process rather than starting from the top down.
  • Choose a framework that best suits your business. Size, complexity, industries served, and level of risk are factors in the required effort to secure your environment.
  • Use all resources available to you. A cybersecurity program is not a solo project. Get stakeholders involved, use the right tools, and dedicate time to get the project up and running.

“Will the MSP Cybersecurity Jumpstart template in myITprocess help?”

The myITprocess Cybersecurity Jumpstart questions draw from CIS Controls 7.1. It is intended for businesses with little or no cybersecurity program and limited resources to secure their environments. The idea is to audit your organization, fill the gaps, and then monitor and maintain your security risks.

“I’m too busy making money. Can I back burner my cybersecurity program?”

The short answer is no. The long answer is no, you should not delay securing your MSP from malicious threats. Neglecting your organization’s security poses a serious threat to every one of your customers. Malicious actors are no longer focused on SMBs, but on MSPs, by leveraging the value of data stored and accessible by a service provider.

“Every MSP is the same so can I do what everyone else is doing?”

It is incorrect to assume all MSPs, or even all SMBs, have the same level of risk. Size, the complexity of operations, industry, and other factors contribute to the level of risk that requires mitigation. There is no ‘one size fits all’ solution, so MSPs must customize their cybersecurity program to fit their specific needs. Although many frameworks and best practices are widely used, their requirements are subject to interpretation.

“I am unsure how other employees should be involved in our cybersecurity program.”

A cybersecurity program requires everyone to buy into the idea that security is a top priority. Frequent cybersecurity awareness training keeps everyone informed and helps prevent internal security issues, especially since 90% of security breaches are due to human error. Developing and maintaining a cybersecurity program needs a dedicated resource. An MSP needs to treat itself as its most important customer.

“I don’t think my customers and prospects are concerned about our internal operations.”

Think again. A survey showed 89% of SMBs would consider hiring a new MSP if they offered the right cybersecurity solution. This indicates SMBs are paying attention to their service provider’s security policies and procedures. It is no longer about getting the lowest priced support; those same SMBs surveyed are willing to pay up to 25% more for the right cybersecurity offering.


Why MSP Standards Are Important To You And Your Customers

Today we will discuss the topic of standards and why they are important not only to your customers but to you. It is easy to assume that everything you do as an MSP is to benefit your customers. However, you must take care of yourself in order to take care of others.

Standards—and the alignment of those standards—play an important role in both your company business model and your customer’s IT environment. Not only do they keep your clients consistent across services and products, but help align your business model to do the same. Let us see how this comes together.

Standards show preparedness

Standards have multiple functions, primarily as a method of keeping your customers in line with technology and compliance. Another important purpose is that they reveal how prepared you are to handle issues and concerns. Along with the FormulaWon process of streamlining the Technology Alignment Manager (TAM), vCIO, and Centralized Services roles, standards persuade customers that you are prepared, well-organized, and have done your due diligence. Arriving at a technology steering meeting unprepared only sets you up for failure.

Keep you organized

Managing many customers in separate locations following various rules can get hectic. It is tough to create personalized support for each client, supporting them how they want to be supported, and having a completely different ruleset altogether. Standardizing your process will keep you organized and prevent reinventing the wheel every time you meet with your customers. Standardization grants you the flexibility to create a service and support baseline across your customers and plan around their individual needs.

Shows responsibility

Arriving at your TAM meeting with well-prepared and fully-researched solutions exemplifies superb responsibility; not only for the TAM but the MSP. The purpose of an MSP is to alleviate the burden of IT from businesses that neither have nor want to have in-house IT staff. Preparedness proves you are taking responsibility for your role and removes the doubt of being an effective Technology Solutions Provider.

Efficiency

There is no efficiency in reinventing the wheel from day-to-day. Efficiency provides positive advantages to your MSP and your customers.

  • Produces less waste and generates more time to concentrate on issues that need attention.
  • Less waste allows you to employ a lower number of highly-trained personnel rather than a high number of entry-level positions.
  • Higher efficiency is passed along directly to your customers because they will not feel the repercussions of disorganization.
  • Staying efficient conclusively increases your bottom line.

It may be difficult to find your starting point and find a flow that works best for your company and your customers. After a while, you will find your niche, discover Technology Success, and be successful.


MSP Standards, Best Practices, and Frameworks. Oh My!

With myITemplates, instead of having to add standards manually, MSPs can select standards templates from the standards library in our myITprocess software. In one of our recent member meetings, we mentioned a large list of templates that will be available in myITprocess by the end of 2020 through the myITemplates repository. The list helps fill gaps for several industries that are under-represented or lack templates. The list is below.

Statutory, Regulatory, Contractual, and Best Practices Frameworks

 

TruMethods Original Templates

  • Default Template May 2020
  • MSP Cybersecurity Fast-track
  • MSP Cybersecurity Overdrive

A majority of the new compliance templates use mappings from the Secure Controls Framework. This free tool supports mapping frameworks and regulations to each other to cut down on repeated work. For instance, a customer that must follow the NY SHIELD Act may already be compliant if following other regulatory requirements (e.g., HIPAA, 23 NYCRR 500).
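The crosswalk idea in the paragraph above, where one set of common controls is mapped to several frameworks so that alignment to one regulation tells you how much of another is already covered, can be worked through with a few lines of code. The example below is added here and is not the Secure Controls Framework's own tooling or data: the common-control IDs (CC-xx) and the requirement IDs (H-x, S-x, N-x) are placeholders, not real SCF, HIPAA, NY SHIELD Act or 23 NYCRR 500 citations, and the conservative rule that a requirement counts as covered only when every control mapped to it is in place is an assumption of the example.

```python
from typing import Dict, List, Set, Tuple

# Constructed crosswalk with hypothetical identifiers (placeholders, not real
# Secure Controls Framework, HIPAA, NY SHIELD or 23 NYCRR 500 references).
# common control -> {framework: [requirements that this control helps satisfy]}
CROSSWALK: Dict[str, Dict[str, List[str]]] = {
    "CC-01": {"HIPAA": ["H-1"], "NY-SHIELD": ["S-1"], "NYCRR-500": ["N-1"]},  # access control policy
    "CC-02": {"HIPAA": ["H-2"], "NY-SHIELD": ["S-2"], "NYCRR-500": ["N-2"]},  # risk assessment
    "CC-03": {"HIPAA": ["H-3"], "NYCRR-500": ["N-3"]},                        # encryption in transit
    "CC-04": {"NY-SHIELD": ["S-3"], "NYCRR-500": ["N-3"]},                    # encryption at rest
    "CC-05": {"HIPAA": ["H-4"], "NY-SHIELD": ["S-4"]},                        # awareness training
    "CC-06": {"NY-SHIELD": ["S-5"]},                                          # breach notification
}


def controls_for(crosswalk, framework: str) -> Set[str]:
    """All common controls that map to at least one requirement of `framework`."""
    return {cc for cc, mapping in crosswalk.items() if framework in mapping}


def requirements_of(crosswalk, framework: str) -> Dict[str, Set[str]]:
    """requirement ID -> the set of common controls mapped to it."""
    reqs: Dict[str, Set[str]] = {}
    for cc, mapping in crosswalk.items():
        for req in mapping.get(framework, []):
            reqs.setdefault(req, set()).add(cc)
    return reqs


def coverage(crosswalk, implemented: Set[str], target: str) -> Tuple[List[str], List[str]]:
    """Split `target`'s requirements into (covered, gaps) given the implemented common controls.

    Conservative rule (an assumption of this example): a requirement counts as
    covered only when every common control mapped to it is implemented.
    """
    covered, gaps = [], []
    for req, needed in sorted(requirements_of(crosswalk, target).items()):
        (covered if needed <= implemented else gaps).append(req)
    return covered, gaps


def inherited_coverage(crosswalk, source: str, target: str) -> Tuple[List[str], List[str]]:
    """Coverage of `target` for a customer already fully aligned to `source`."""
    return coverage(crosswalk, controls_for(crosswalk, source), target)


def controls_to_add(crosswalk, implemented: Set[str], target: str) -> List[str]:
    """Common controls still missing before `target` can be fully covered."""
    return sorted(controls_for(crosswalk, target) - implemented)


if __name__ == "__main__":
    # A customer aligned to HIPAA asks what the NY SHIELD Act still requires.
    have = controls_for(CROSSWALK, "HIPAA")
    covered, gaps = inherited_coverage(CROSSWALK, "HIPAA", "NY-SHIELD")
    print("NY-SHIELD covered via HIPAA:", covered)
    print("NY-SHIELD gaps:", gaps)
    print("controls to add:", controls_to_add(CROSSWALK, have, "NY-SHIELD"))
```

With the constructed mapping, HIPAA alignment covers three of the five NY SHIELD requirements; the two gaps trace back to encryption at rest and breach notification, which is exactly the list a TAM would carry into the next review instead of re-assessing the whole framework. Note the effect of the conservative rule on `N-3`: it maps to both encryption controls, so a HIPAA-aligned customer is not credited with it until encryption at rest is evidenced as well.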

For anyone who missed the MSP Cybersecurity Jumpstart template, you can read more about it at this link. The Fast-track and Overdrive templates refer to CIS Controls 7.1 Implementation Groups 2 and 3, respectively. They continue the work of securing your MSP and building its cybersecurity program. Default Template May 2020 is the latest update to the standards pre-packaged with myITprocess. Currently, new members receive these by default, but now anyone can access them from myITemplates.

Benefits of the latest Default Template:

  • Shortened to 150 questions to meet our recommended maximum of standards per client.
  • Reconfigures the sections to be more relevant in a current and post-COVID environment.
  • Concentrates less on the basics like hardware and software and more on security, data backup, and business continuity.
  • Merged multiple questions using the AND operator; some items are dependent on alignment.

You can find these additional templates in myITemplates by the end of the year!


MSP Compliance and Resources

Creating templates from scratch is definitely hard work. First, you have to find the source material and ensure it is accurate. Next, you have to try and find a copy that is easy to transfer to myITprocess (TruMethods’ software framework built specifically for vCIOs). Finally, you have to perform the work of export/import or copy and paste it into a spreadsheet. The process is time-consuming—and in some cases—not worth the effort.

Over the course of my tenure at TruMethods, I have stumbled across tools and resources for creating templates or for research. Some I use more often than others, but they each give a sense of understanding for the topic you want to transition into myITprocess.

The compilation below is not an exhaustive list. However, the resources below are the ones I use most frequently, and they are worth their weight in gold.

Secure Controls Framework (www.securecontrolsframework.com)

From the website: The SCF is designed to empower organizations to design, implement and manage both cybersecurity and privacy principles to address strategic, operational and tactical guidance. It is far more than building for compliance – we know that if you build-in security and privacy principles, complying with statutory, regulatory and contractual obligations will come naturally.

My take: The SCF is an invaluable tool for mapping statutory, regulatory, contractual, and industry-leading best practices to various frameworks. The site has a built-in tool that allows a user to select their requirements and map them to other requirements. This benefits organizations attempting to follow specific standards while helping them understand the process.

Cyber Security Evaluation Tool (CSET®) (https://us-cert.cisa.gov/ics/Downloading-and-Installing-CSET)

From the website: The Cyber Security Evaluation Tool (CSET®) provides a systematic, disciplined, and repeatable approach for evaluating an organization’s security posture. CSET is a desktop software tool that guides asset owners and operators through a step-by-step process to evaluate industrial control system (ICS) and information technology (IT) network security practices. Users can evaluate their own cybersecurity stance using many recognized government and industry standards and recommendations.

My take: The CSET tool is very useful when trying to see regulations in a format that is more readable than the document or spreadsheet provided by the regulatory authority. CSET is a stand-alone application and also provides web-based access to the tool. The interface is quite like myITprocess, allowing a user to perform an assessment, flag and comment on questions, and export the results to a spreadsheet. The downside is that the Cybersecurity & Infrastructure Security Agency (CISA) does not update it as frequently as I would like, so some newer frameworks are not available yet.

CIS Workbench (https://workbench.cisecurity.org)

From the website: Everything we do at CIS is community-driven. Bring your IT expertise to CIS WorkBench, where you can network and collaborate with cybersecurity professionals around the world. Register now to help draft configuration recommendations for the CIS Benchmarks, submit tickets, and discuss best practices for securing a wide range of technologies.

My take: CIS Workbench is a great tool for evaluating the web- and PDF-based CIS Benchmarks. CIS and, in some cases, the manufacturer of the software or hardware curate these benchmarks to provide best practices for configuring, monitoring, and maintaining these products. If you do not mind copy and paste, the Workbench web format makes it a bit easier to move content into myITprocess.

SANS Security Policy Templates (https://www.sans.org/information-security-policy/)

From the website: In collaboration with information security subject-matter experts and leaders who volunteered their security policy know-how and time, SANS has developed and posted here a set of security policy templates for your use. To contribute your expertise to this project, or to report any issues you find with these free templates, contact us at policies@sans.org.

My take: These SANS policy templates are great for MSPs that need to document policies in writing and are unsure where to start. The templates provide clear language that the customer will understand. A benefit of using these templates is that you can create your own based on these layouts in the future.


What is the Cybersecurity Maturity Model Certification (CMMC)?

If you have not heard of the Cybersecurity Maturity Model Certification (CMMC) yet, it is not the end of the world. The latest certification requirements were finalized by the Department of Defense (DoD) on January 31st, and at the moment they are in the process of approving auditors for the new certification. What does this mean for you as an MSP? Not a whole lot, unless you and your customers meet specific criteria.

The DoD website answers some of the basic questions needed to understand the CMMC, why it is important, and who qualifies for the certification.

What is the CMMC?

CMMC stands for “Cybersecurity Maturity Model Certification”. The CMMC will encompass multiple maturity levels that range from “Basic Cybersecurity Hygiene” to “Advanced/Progressive”. The intent is to incorporate CMMC into the Defense Federal Acquisition Regulation Supplement (DFARS) and use it as a requirement for contract award.

Why is the CMMC being created?

DOD is planning to migrate to the new CMMC framework in order to assess and enhance the cybersecurity posture of the Defense Industrial Base (DIB). The CMMC is intended to serve as a verification mechanism to ensure appropriate levels of cybersecurity practices and processes are in place to ensure basic cyber hygiene as well as protect controlled unclassified information (CUI) that resides on the Department’s industry partners’ networks.

How will my organization become certified?

The CMMC Accreditation Body (AB), a non-profit, independent organization, will accredit CMMC Third Party Assessment Organizations (C3PAOs) and individual assessors. The CMMC AB will provide the requisite information and updates on its website (www.cmmcab.org).

The CMMC AB plans to establish a CMMC Marketplace that will include a list of approved C3PAOs as well as other information. After the CMMC Marketplace is established, DIB companies will be able to select one of the approved C3PAOs and schedule a CMMC assessment for a specific level.

My organization does not handle Controlled Unclassified Information (CUI). Do I have to be certified anyway?

If a DIB company does not possess CUI but possesses Federal Contract Information (FCI), it is required to meet FAR Clause 52.204-21 and must be certified at a minimum of CMMC Level 1.

Companies that solely produce Commercial-Off-The-Shelf (COTS) products do not require a CMMC certification.

I am a subcontractor on a DoD contract. Does my organization need to be certified?

Yes, so long as your company does not solely produce Commercial-Off-The-Shelf (COTS) products, it will need to obtain a CMMC certificate. The level of the CMMC certificate is dependent upon the type and nature of information flowed down from your prime contractor.

How does my company become a CMMC third-party assessor organization (C3PAO)?

The CMMC AB will provide information and set requirements for prospective C3PAOs and individual assessors. Prospective C3PAOs and assessors should reference the CMMC AB website (www.cmmcab.org).

In a nutshell, if you do not handle CUI or personally perform government contracts, there is no need to worry about the certification. If your customers are involved in DoD contracts or anything mentioned above or on the website, it is better to be safe than sorry and look into the next steps.

TruMethods does not offer advice on this type of content. It is wise to consult proper legal counsel on these matters. This blog post references information cited by the Department of Defense. Visit the official website for answers to additional questions on the Cybersecurity Maturity Model Certification.
