Shared Responsibility Matrix Crucial for MSPs, MSSPs

Documenting who's responsible for what in cybersecurity is more important than ever.

Edward Gately, Senior News Editor

January 18, 2024


At a Glance

  • The Channel Partners Conference & Expo and MSP Summit are March 11-14, 2024, at the Venetian Resort in Las Vegas.

What’s the shared responsibility matrix (SRM)? For starters, it has nothing to do with Keanu Reeves or Morpheus.

Instead, it’s a concept that will sweep the channel in 2024. In short, it’s who’s responsible for what when things go wrong in cybersecurity.

There has always been a shared responsibility among end-user organizations, service providers and the vendors who supply the technology or the professional services to support them. However, with liability increasing under cyber insurance, cyber regulations and compliance requirements, MSPs face a transition from stating their capabilities in marketing materials or conversations to providing a documented description of responsibility for all players in the cybersecurity industry.

In this MSP Summit session at the Channel Partners Conference & Expo, March 11-14, titled “The Shared Responsibility Matrix: The Next Big Thing in Service Delivery,” you’ll learn what is involved in the documentation of where one's MSP/MSSP responsibility starts and another's ends. Layer in the vendor capabilities for each area of security, and you have a multilayer SRM.

Joy Beland, vice president of partner strategy and cyber education at Summit 7, will address all things SRM. As a certified Cybersecurity Maturity Model Certification (CMMC) assessor and provisional instructor who has taught 300 students in the certified CMMC professional boot camp, she’ll leverage the CMMC program guidelines as an example for how the channel ecosystem can prepare for the rise of SRM.


In this Q&A, Beland provides a sneak peek of what she’ll share with attendees.

Channel Futures: What is the SRM? What does this mean to MSPs and MSSPs?


Joy Beland: The SRM generally outlines individual security controls from any given cybersecurity framework and indicates the MSP’s level of responsibility (full, shared or none) that they obligate themselves to in their SLA with each customer. It not only graphically allows the customers to understand where they share or are fully responsible for their own security versus the service provider, it provides a legal structure for liability.

CF: What is involved in the documentation of where one’s MSP/MSSP responsibility starts and another ends?

JB: Ideally, the SRM would demonstrate the weaving of responsibilities between the service provider, the security vendor and the customer. The documentation supporting the high-level SRM would detail the implementation of controls required of each party, as well as which assets (digital, physical, people, facility) those controls apply to.


CF: What are the dos and don’ts of drafting an SRM document?

JB: Do thoroughly understand the implications of each full, shared or none designation per cybersecurity control. The service provider’s staff must fully take accountability for those designations. Do review it thoroughly with your customers so they can see what they themselves are accountable for. Do not underestimate the importance of scoping/applicability of assets when completing the document.

CF: What do you hope attendees will learn and make use of from your session?

JB: Not only is the old “one throat to choke” or “we do everything for you” way of selling outdated, but it is dangerous. The SRM represents the landscape of IT and cybersecurity in 2024, where everyone plays a role. Due to the legal and insurance mandates imposed on service providers, the sooner you have your SRM completed, reviewed with every client, and fully baked in your service delivery capabilities, the better off you will be.



About the Author(s)

Edward Gately

Senior News Editor, Channel Futures

As news editor, Edward Gately covers cybersecurity, new channel programs and program changes, M&A and other IT channel trends. Prior to Informa, he spent 26 years as a newspaper journalist in Texas, Louisiana and Arizona.
