The Government is Telling Your Clients How to Select an MSP
It's not all bad news. In fact, some things just fall into the category of, "It's done. Now, what are you going to do about it?" Here's what I mean.
The U.S. government has published a detailed nine-page report on how to find a good MSP. They've also published hundreds of pages of related advice, which could send some of your prospects down a major rabbit hole. There's nothing you can do about that.
But "that" isn't all bad news. You get to decide how to use this to focus your marketing and your sales approach.
Let's back up and look at the big, big picture.
The Cybersecurity and Infrastructure Security Agency has published a number of documents directly related to you and your clients. Start Here: https://www.cisa.gov
The specific document in question is "Risk Considerations for Managed Service Provider Customers." See https://www.cisa.gov/publication/risk-considerations-msp-customers (published September 2021).
First thing to note: Your clients won't read this. Well, your small clients won't read this, and 90% of your medium-sized clients won't read this. How can I say that?
The document is filled with jargon. It's also filled with advice that makes clear that whoever wrote it has never worked in the SMB market. Example: The first "best practice" for small businesses is to establish "a supply chain risk council that includes executives from across the organization."
Second, the document assumes that keeping IT support and security support in-house is a reasonable option. It's not. If a business owner is balancing overall cost and security, there's no way the in-house option can win.
An in-house employee who is actually competent and up to date with network infrastructure, cloud services, and security cannot be had for under $60,000 plus tax and benefits in the US. So let's round that to about $75,000 all in.
I'll bet (because I already know) that almost none of your clients are paying you $75,000 per year for the labor component of managed services. With luck you have one or two. But not a lot of $75K+ clients.
So, thankfully, even if your clients found this document, they would see that the advice is not meant for them. Or - as is often the case - they will hand it to you and ask your opinion.
But you cannot ignore this document or the larger efforts of CISA. These documents (an incomplete list is below) WILL be used by mid-market and enterprise organizations. And they will be used by government agencies at all levels.
This matters for several reasons. First, the folks who will use these documents for guidance have large budgets. They can afford top-notch hardware, software, and services. If they need a committee to determine the size of their technology committees, they'll just create one.
Second, and more importantly, it is extremely likely that these documents will influence future regulation and legislation. Once in use by larger businesses and government agencies of all sizes, they will become the "emerging norm" for choosing IT service providers and MSPs.
On top of that, the longer these docs are out there being referenced, the more they begin to affect actual standards.
Governments and larger organizations have a lot in common. Very often, decisions are made so someone can avoid being seen in the light of day. It's not that they're doing anything wrong. But avoiding controversy is associated with keeping your job. Implementing a government-approved standard feels safe.
Bottom Line: Don't Panic
Be aware that this is real and it's happening.
Download these docs. Read the one covering advice to your clients on hiring an MSP. At least browse through the rest.
And if you haven't done so already, please join us over at the National Society of IT Service Providers. We're looking at these things and preparing to take a stand on legislation that's inevitably coming down the road. https://www.nsitsp.org
-- -- --
Other CISA publications worth your time:
- Mitigations and Hardening Guidance for MSPs and Small- and Mid-sized Businesses https://www.cisa.gov/sites/default/files/publications/CISA%20Insights_Guidance-for-MSPs-and-Small-and-Mid-sized-Businesses_S508C.pdf (2 pages)
- Implement robust network- and host-based monitoring solutions. https://us-cert.cisa.gov/ncas/alerts/aa20-245a
- CISA’s Cyber Resilience Review resources https://us-cert.cisa.gov/resources/assessments
- CISA’s Cyber Essentials https://www.cisa.gov/cyber-essentials
- CISA offers a range of no-cost cyber hygiene services to help organizations assess, identify, and reduce their exposure to threats https://www.cisa.gov/cyber-hygiene-services
- National Institute of Standards and Technology (NIST) “Key Practices in Cyber Supply Chain Risk Management” report https://nvlpubs.nist.gov/nistpubs/ir/2021/NIST.IR.8276.pdf (23 pages)
- CISA and NIST joint publication, “Defending Against Software Supply Chain Attacks” https://www.cisa.gov/sites/default/files/publications/defending_against_software_supply_chain_attacks_508_1.pdf (16 pages)
- CISA Information and Communications Technology Supply Chain Risk Management Task Force publication - Vendor Supply Chain Risk Management Template https://www.cisa.gov/sites/default/files/publications/ICTSCRMTF_Vendor-SCRM-Template_508.pdf (47 pages)
Comments and feedback welcome.