As the consultative value of MSPs and MSSPs becomes more critical to differentiation, helping clients avoid unnecessary security spending is as important as ever.

Aldrin Brown, Editor-in-Chief

April 20, 2016

2 Min Read
10 Questions for Devising a Goldilocks Approach to Cybersecurity
Logicalis offered up a list of 10 security questions every CIO should answer in committing to a cyber-defense plan.

“Eventually, every business will experience some sort of breach.”

That was among the assertions in a recent communication from IT solutions provider Logicalis US, mirroring conventional wisdom about the growing volume and sophistication of cyber-attacks.

But amid the well-founded cacophony of advice about the importance of ensuring the security of your and your clients’ networks, a new somewhat-countervailing message is slowly gaining favor: That not all digital assets need protecting, or at least, not the same level of protection.

“No one should buy a $1,000 safe to protect a $100 bill,” Logicalis IT security expert Jason Malacko said.

That sentiment is in line with comments made recently by Mike Baker, owner of Phoenix, Ariz.,-based managed security service provider (MSSP) Mosaic 451, who cautioned that cybersecurity strategies of many organizations were either inadequate or go too far.

“Security fetishists will tell you that everything needs to be secure,” Baker told MSPmentor. “I don’t believe that.”

Increasingly, voices of reason are emerging that caution against superfluous security products and services that end up costing more than the potential damage of a breach.

As a managed service provider (MSP) or MSSP seeking deeper relationships with customers, truly acting in the capacity of a virtual CIO or valued partner means advising your clients when not to spend money on unnecessary measures.

Like the storybook, an efficacious cybersecurity strategy should avoid being too much or too little.

To that end, Logicalis recently offered up a list of 10 security questions every CIO should be able to answer in committing to a cyber-defense plan that Goldilocks would love:

  1. If you knew that your company was going to be breached tomorrow, what would you do differently today?

  2. Has your company ever been breached? How do you know?

  3. What assets am I protecting, what am I protecting them from (i.e., theft, destruction, compromise), and who am I protecting them from (i.e. cybercriminals or even insiders)?

  4. What damage will we sustain if we are breached (i.e., financial loss, reputation, regulatory fines, loss of competitive advantage)?

  5. Have you moved beyond an “inside vs. outside” perimeter-based approach to information security?

  6. Does your IT security implementation match your business-centric security policies? Does it rely on written policies, technical controls or both?

  7. What is your security strategy for IoT (also known as “the Internet of threat”)?

  8. What is your security strategy for “anywhere, anytime, any device” mobility?

  9. Do you have an incident response plan in place?

  10. What is your remediation process? Can you recover lost data and prevent a similar attack from happening again?

For many SMBs and other organizations, contracted service providers will often be in the best position to frame and devise answers to these questions in a way that ensures the protection of critical assets.

And as the consultative value of MSPs and MSSPs becomes a more critical point of differentiation among offerings, helping clients control costs by advising them to forego products and services they don’t necessarily need is as important as ever.


Send tips and news to [email protected].

Read more about:


About the Author(s)

Aldrin Brown

Editor-in-Chief, Penton

Veteran journalist Aldrin Brown comes to Penton Technology from Empire Digital Strategies, a business-to-business consulting firm that he founded that provides e-commerce, content and social media solutions to businesses, nonprofits and other organizations seeking to create or grow their digital presence.

Previously, Brown served as the Desert Bureau Chief for City News Service in Southern California and Regional Editor for Patch, AOL's network of local news sites. At Patch, he managed a staff of journalists and more than 30 hyper-local and business news and information websites throughout California. In addition to his work in technology and business, Brown was the city editor for The Sun, a daily newspaper based in San Bernardino, CA; the college sports editor at The Tennessean, Nashville, TN; and an investigative reporter at the Orange County Register, Santa Ana, CA.


Free Newsletters for the Channel
Register for Your Free Newsletter Now

You May Also Like