Elevate Your Security – Adopting a Proactive Approach 

How can being proactive take your cybersecurity to new heights? It’s a tough question, but if you’re smart, you won’t try to answer it alone; you’ll talk to a veteran. 

JB Fowler, Domotz Vice President of Integrator Solutions, did just that, chatting with Matt Lee, Pax8 Senior Director of Security and Compliance, as part of our Safe Tech webinar series.  

Here are the highlights, although you should check out the full video if you have time. 

The State of the Security Measures Today 

JB opened the floor by asking Matt a pertinent question: how did he feel about modern security? Matt likened it to the gradual development of automobile safety standards in the U.S. 

Cars existed long before seatbelts. It took decades for someone, Ralph Nader, to say: “Hey, this isn’t quite safe.” Only then did regulators step in with seatbelt laws. The IT sector is similar – modern networking predates modern cybersecurity legislation by a long shot. 

Matt also pointed out the prevalence of the theorized Dunning-Kruger effect. To clarify, people often overestimate their skills despite having limited competency. That is to say, the industry knows security is a massive issue. However, there are vast gaps between current implementations and where we ought to be. 

In the face of such widespread misalignment, it’s wise to be careful. There’s an increasing amount of pressure to get security right. Clients, regulators, insurers, and stakeholders all want more secure solutions. It’s up to MSPs to satisfy. 

Unfortunately, there’s no universal standard. You can’t always trust that security solutions do what they say on the label. Even worse, vendors may upsell their products to highlight their security strengths. This is where frameworks come into play. 

The Importance of Security Frameworks 

Security frameworks establish standards that act as guideposts. They define the bounds you need to work within to improve your security stance reliably. 

This structural clarity is vital precisely because security isn’t a concrete, one-time deal. It’s a dynamic, evolving journey across a continually changing landscape. 

Frameworks grant your perspective and defensibility. 

Frameworks help you answer the question: how would a reasonable person solve a given security problem? In addition, frameworks help you determine whether your investments in security measures are more about hype or about meeting actual security objectives. 

Frameworks explain the rules and scope of play. 

Frameworks define what security encompasses to help you avoid oversights. For instance, a framework might define which hardware elements constitute assets, how they relate to security, and how to protect them. NIST, NIS, ACSC, NCSC, and other frameworks also adapt to regional regulations, making them great guidebooks for compliance. 

Frameworks focus on data security. 

Security is all about information. Wherever it lives or whatever you do with it, data is the main topic of concern. According to Matt, the data-centric CIA Triad model is good to keep in mind as you develop and refine security systems: 

  • Confidentiality: What efforts do you take to keep data secret or private? This includes access controls, privileges, and secure sharing standards. 
  • Integrity: How do you ensure your data remains tamper-free and trustworthy? Measures like hashing, encryption, signing, and verification all fall under this category. 
  • Availability: How do you make data available to those authorized to access it? Common solutions include redundancy, upgrade management, and disaster recovery planning. 
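The Integrity bullet names hashing, signing, and verification as the mechanisms that make data trustworthy. The following Python example is added here to show the difference between them in practice; it is not code from the webinar, Domotz, or Pax8. The record and key are constructed for the illustration. A plain hash only catches accidental corruption, because whoever can change the data can also recompute the hash; a keyed HMAC ties the check to a secret, so a modified record no longer verifies, and the comparison is done in constant time.

```python
import hashlib
import hmac

# Constructed sample record and key, for illustration only (not from the page).
SAMPLE_RECORD = b'{"customer": "example-msp-client", "backup_retention_days": 30}'
SAMPLE_KEY = b"constructed-demo-key-do-not-reuse"


def digest(data: bytes) -> str:
    """Plain SHA-256 digest.

    Detects accidental corruption, but anyone able to change the data can
    recompute this value too, so on its own it is not a tamper check.
    """
    return hashlib.sha256(data).hexdigest()


def sign(key: bytes, data: bytes) -> str:
    """HMAC-SHA256 tag over the record.

    Only a holder of `key` can produce a valid tag, so a modified record
    without a matching tag is detectable by the verifier.
    """
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify(key: bytes, data: bytes, tag: str) -> bool:
    """Recompute the tag and compare in constant time (no timing leak)."""
    expected = sign(key, data)
    return hmac.compare_digest(expected, tag)


def demo() -> dict:
    """Exercise the three checks on the constructed record and a tampered copy."""
    tag = sign(SAMPLE_KEY, SAMPLE_RECORD)
    # Simulated tampering: retention silently reduced from 30 days to 0.
    tampered = SAMPLE_RECORD.replace(b"30", b"0")
    return {
        "original_verifies": verify(SAMPLE_KEY, SAMPLE_RECORD, tag),
        "tampered_verifies": verify(SAMPLE_KEY, tampered, tag),
        # A plain hash of the tampered data is just another valid-looking hash;
        # it differs from the original, but a tamperer could store the new one.
        "plain_hash_changes": digest(tampered) != digest(SAMPLE_RECORD),
        "wrong_key_verifies": verify(b"some-other-key", SAMPLE_RECORD, tag),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Run it as a script to see the four results. The practical point for the Integrity bullet is that the tag must be produced with a key the data's custodian does not control, or stored somewhere the custodian cannot rewrite; otherwise the check degrades to the plain-hash case.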

Many MSPs fail to fulfill this model in a balanced way. They’re great at availability, but their confidentiality and integrity could use work. Frameworks like the Center for Internet Security (CIS) Critical Security Controls incorporate practices geared toward solid data security by default. Check out our blog post about implementing a network security architecture and CIS controls. 

The Implementation Challenge 

One big challenge many security teams face is that people just ask for safe products – not products that satisfy specific framework controls. Finding the resources to implement controls can also be a hurdle. 

Vendors don’t always help either: some can’t even articulate which safeguards their products address. As of now, it’s up to the practitioner to choose the right solution. Solutions like Domotz network monitoring and the Pax8 one cloud marketplace are improving in this domain, but MSPs must stay proactive about understanding frameworks and their unique security needs. 

The Rise of the Shared Responsibility Matrix 

Shared responsibility matrices (SRMs) are gaining relevance because security is a team effort. This is especially true in the modern cloud-enabled world, where greater exposure means increased risk. 

Vendors, service providers, and end customers need to get on board with the SRM idea. Why? The reason is simple: different security measures work best at different points in the supply chain.  

For instance, a cloud infrastructure provider might be the ideal stakeholder to apply server OS patches. An MSP would probably be a better candidate to implement network security scanning than an end user would. 

The SRM concept can also inspire more promising relationships. As JB pointed out, vendors are responsible for educating clients, many of whom don’t know anything about security. 

What Does It Mean To Be Compliant? 

Compliance boils down to whether you did something because the rules said to. Unfortunately, best practices aren’t always sufficient. You can follow all the rules to comply with a given security system and mitigate threats, but that doesn’t mean you’ll never have a breach.  

So why should compliance be a focus? 

Frameworks like NIST exemplify why – they include more than just preventive safeguards. They also feature rules tailored to damage control and impact reduction. In other words, it pays to prepare a response if you know incidents are likely to slip by your defenses. 

Many people overlook incident response in favor of prevention and compliance. Of course, it takes maturity to refine how you react to incidents, but this just reinforces the idea that security is a journey. You need a roadmap, and frameworks provide just that. 

What Do Practitioners Need To Do Better? 

One common flaw shared by vendors, MSPs, and clients is that few are willing to point the finger at themselves. It’s easy to wish your partners would get better at security. But there’s a lot to gain by asking what you can do internally. 

In some cases, vendors need to take a hard stance and be prescriptive. You shouldn’t necessarily pitch security features as add-ons your customers can buy. If you know a specific control deserves implementing, be upfront about it. Let the customer know they’re paying for a security feature, like email backups, and ask them to reach out for clarification. This isn’t just about safeguarding your user; as JB pointed out, it’s also a way to protect yourself. 

When educating clients, it may be helpful to focus on how your strategy impacts profitability instead of how it minimizes cybersecurity risk. Clients know they’re taking on risk, so they may be more accepting of IT hazards. Or they simply fail to understand the technical nature of cybersecurity. Translating your security measures into profitability terms might help you make a stronger argument. 

Conclusion 

No matter whether you’re a vendor or MSP, improving security should stay at the forefront of your consciousness. You’ll never achieve total perfection, but you’ll minimize harm to yourself and others by proactively striving for it. 

Did you enjoy this webinar? We did, and we’d love to see you at the next one.
