Bridging the Gap Between Security and Compliance for MSP Customers

MSP clients now weigh the full range of services when choosing a provider, and stronger security components have become the most effective way for MSPs to add value to their offerings and build trusted, long-term client relationships.

May 14, 2015


By Netwrix Guest Blog

Recent data-breach statistics show that the gap between compliance regulations and real-world security risk is wider than ever. Passing a compliance validation is no longer a guarantee against a breach. No company can completely eliminate the risk of a security incident, including those that outsource the management of their IT services to managed service providers. MSP clients have started to pay much closer attention to the full range of services when choosing a provider, and enhanced security components have become the best way for MSPs to add value to their offerings and to build trusting, long-term relationships with their clients.

Even though a fully ticked compliance checklist no longer prevents security incidents, neglecting those industry requirements makes the situation worse. According to the 2015 Verizon PCI Compliance Report, no company was fully compliant at the time it was breached, and only 28 percent of companies were able to sustain compliance for at least a year after passing their audit. This points to a widespread wrong attitude toward compliance: companies treat it as an annual headache and fix vulnerabilities only in the run-up to validation. Such a "checkbox mentality" leads them to assume, mistakenly, that passing a compliance audit proves their security policies are effective, which makes them easy targets for criminals.

Mismatch Between Compliance Regulations and Business Needs

Another reason compliance and security have drifted so far apart is the mismatch between existing compliance regulations and companies' actual business needs. Compliance requirements are essentially a set of controls with common, high-level recommendations meant to suit every company in an industry, from SMBs to large enterprises. In reality, organizations differ in their business needs, internal processes and threat profiles, and each should be treated individually, using compliance requirements only as a baseline.

The individual approach also matters when a security violation has to be investigated. Without a proper understanding of all the relevant variables, such as business culture, staff turnover or budgeting, it is very hard to identify the true root cause of a security issue. As the 2015 Verizon Data Breach Investigations Report states, a "one size fits all" approach does not work in security, and a simple "five whys" question technique can yield a deeper understanding of a problem than external auditing procedures. The conclusion is that internal security policies must be strong enough to cover the areas basic regulatory controls cannot reach, and that internal auditing mechanisms are more likely to deliver the comprehensive picture that proves those policies are working.

Visibility Across Entire IT Infrastructure

One of the best ways to strengthen security is to ensure visibility across the entire IT infrastructure. This is achieved by auditing business-critical systems and monitoring privileged user accounts. Customers who entrust their data to an MSP need confidence that the provider will keep it safe, so MSPs that offer deeper insight into, and greater transparency about, what is happening to clients' critical data take managed services to a new level. The ability to produce evidence of who did what, when and where, across all customer data and IT systems, reassures clients that their business-critical data is under continuous control, is safe, and complies with the relevant industry regulations.
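As an added example that is not part of the original post and not Netwrix code, the script below shows the kind of "who did what, when and where" evidence the paragraph describes, built from privileged-account audit events. The input records are constructed for this illustration; the pipe-separated field layout, the hostnames, account names and addresses, the set of sensitive groups and the 08:00-17:59 UTC change window are all assumptions. The event IDs 4624, 4672, 4728 and 4732 are the real Windows Security event IDs for logon, special privileges assigned to a logon, and member added to a global or local security group.

```python
"""Privileged-activity audit trail: who did what, when and where.

Added example (not from the original page or from Netwrix). Parses a few
CONSTRUCTED Windows-Security-style audit records, builds a per-actor trail
and flags risky changes to high-privilege groups.
"""
import re
from collections import defaultdict
from datetime import datetime

# Real Windows Security event IDs; the sample records below are constructed.
EVENT_NAMES = {
    "4624": "logon",
    "4672": "special privileges assigned to new logon",
    "4728": "member added to security-enabled global group",
    "4732": "member added to security-enabled local group",
}
# Assumed list of groups whose membership changes must always be reviewed.
SENSITIVE_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
# Assumed approved change window, hours in UTC (08:00 to 17:59).
BUSINESS_HOURS = range(8, 18)

# Constructed sample records: when|event_id|host|actor|source_ip|detail
SAMPLE_LOG = """\
2015-05-12T02:14:07Z|4624|SRV-FILE01|CORP\\jsmith|10.0.5.23|Logon type 10
2015-05-12T02:14:08Z|4672|SRV-FILE01|CORP\\jsmith|10.0.5.23|SeDebugPrivilege,SeBackupPrivilege
2015-05-12T02:16:41Z|4728|DC01|CORP\\jsmith|10.0.5.23|Added CORP\\svc-backup to Domain Admins
2015-05-12T09:03:12Z|4624|WS-0451|CORP\\amiller|10.0.7.88|Logon type 2
2015-05-12T09:05:50Z|4732|WS-0451|CORP\\amiller|10.0.7.88|Added CORP\\amiller to Administrators
"""

GROUP_CHANGE = re.compile(r"^Added (?P<member>\S+) to (?P<group>.+)$")


def parse_events(text):
    """Turn the pipe-separated records into dicts with a parsed timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        when, event_id, host, actor, src_ip, detail = line.split("|", 5)
        events.append({
            "when": datetime.strptime(when, "%Y-%m-%dT%H:%M:%SZ"),
            "event_id": event_id,
            "what": EVENT_NAMES.get(event_id, f"event {event_id}"),
            "host": host, "actor": actor, "src_ip": src_ip, "detail": detail,
        })
    return events


def audit_trail(events):
    """Per-actor, chronological list of (when, what, where, detail) tuples."""
    trail = defaultdict(list)
    for e in sorted(events, key=lambda e: e["when"]):
        where = f"{e['host']} from {e['src_ip']}"
        trail[e["actor"]].append((e["when"].isoformat(), e["what"], where, e["detail"]))
    return dict(trail)


def find_privileged_changes(events):
    """Flag group-membership changes that touch sensitive groups, add the
    actor's own account, or happen outside the assumed change window."""
    findings = []
    for e in events:
        if e["event_id"] not in ("4728", "4732"):
            continue
        m = GROUP_CHANGE.match(e["detail"])
        if not m:
            continue
        member, group = m.group("member"), m.group("group")
        reasons = []
        if group in SENSITIVE_GROUPS:
            reasons.append(f"change to sensitive group {group}")
        if member.lower() == e["actor"].lower():
            reasons.append("actor added their own account (self-elevation)")
        if e["when"].hour not in BUSINESS_HOURS:
            reasons.append("outside the assumed change window")
        if reasons:
            findings.append({
                "who": e["actor"], "what": f"added {member} to {group}",
                "when": e["when"].isoformat(),
                "where": f"{e['host']} from {e['src_ip']}",
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for actor, rows in audit_trail(evs).items():
        print(actor)
        for when, what, where, detail in rows:
            print(f"  {when}  {what:45s} {where:28s} {detail}")
    print("\nFindings:")
    for f in find_privileged_changes(evs):
        print(f"  {f['when']} {f['who']} {f['what']} on {f['where']}: {'; '.join(f['reasons'])}")
```

Feeding real events would only require replacing `parse_events` with a reader for the actual log source (the Windows Security channel, a syslog forwarder, or a SIEM export); the trail and the findings logic do not depend on the constructed format.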

Learn more about Netwrix Platform for Managed Service Providers.

John Ross has more than 20 years’ experience in IT. He focuses on technology partnerships that drive customer adoption and lead to long-term benefits for all involved. At Netwrix, he develops channel programs and relations with VARs and MSPs. Guest blogs such as this one are published monthly and are part of MSPmentor’s annual platinum sponsorship.
