CompTIA’s Cybersecurity Advisory Council has produced “A CEO’s guide to choosing an IT service provider: Cybersecurity questions for business leaders.” A business should weigh cybersecurity when choosing an IT service provider, and MSPs should in turn ensure that customer data and networks are adequately protected. Sometimes neither happens. The guide is a questionnaire that lets business leaders assess the knowledge of potential partners in areas such as:
Background of the company
Frameworks/Compliance
Policies
Privileged access management
System management
Incident response
Management of critical patches and vulnerabilities
Detection/Prevention
Service recovery
Security Assessments
Insurance
Clarity of responsibility around risk mitigation
The purpose of the document is to shed light on how MSPs handle their own security, so customers can better understand where their data is stored, how it will be accessed and what happens in the event of a cyberattack. It complements an earlier piece by the council that set out cybersecurity questions business leaders and their security teams should ask.
“Many executives don’t have the right information, or all the information they need, in order to assess their companies’ readiness for cybersecurity attacks and capabilities. We wanted to provide guidance to executives to ask the right questions, which are often not asked by CEOs,” said Kevin Nikkhoo, CEO of XeneX and vice chair of the Cybersecurity Advisory Council.
Kevin McDonald, COO and CISO of Alvaka Networks and co-chair of the council, said that many CEOs don’t know where to begin when vetting new or existing IT service partners.
“The guide will allow even less technically skilled decision makers to find critical answers about the record. It will help leaders make better selections and retain their records. It makes both parties to a potential transaction more aware of the reality and risk of an MSP’s security risk mitigation efforts, or lack thereof,” McDonald said. “IT pros and service providers often need help in triggering the right questions. This compilation includes questions from many security-focused minds on the CompTIA Cybersecurity Council. We hope you find it useful and that it helps you make more informed decisions.”
MSP Benefits Include Knowing the Work Still to Do
This guide is not just for customers. MSPs can also benefit from the guide, as many of them may not be able to answer all the questions and may need to work on potential gaps in their security portfolio.
Nikkhoo said the guide should also help MSPs prepare their own cybersecurity posture, including setting up their own environment, playbooks and tools so they can answer these questions internally. It also helps them engage customers by prompting the right questions, which in turn lead to assessments and other revenue-generating projects.
McDonald suggested that MSPs use the guide to verify their own risk mitigations and to confirm that their security investments are well placed.
McDonald said the guide is not intended to be comprehensive but covers many of the essential basics that are commonly overlooked, creating unreasonable risk for all parties. “Once the MSP’s leaders are comfortable that they can attest that they have followed the guide in a meaningful manner, they can post it on their website, share it with clients, or even present on how other MSPs should follow the guide. They can explain how the MSP can help the prospect or client improve their lives and lead their ongoing management programs.”
A resource for more meaningful engagement
Nikkhoo said that the guide can be viewed as a conversation starter, which can help customers engage more with them.
“I suggest MSPs read this document, select a few key areas that are relevant to a customer, have an initial conversation, and then propose to send the document. Then, have an in-depth conversation.” This, Nikkhoo said, will help MSPs demonstrate knowledge, value-add and customer care.
Answering security questions is one thing. It is quite another to have the skills and resources to consistently back up those answers.
“Some will argue that the bar we set in our document is too high. But these are actuarial standards.”