CISA is giving advice about MSPs. Here are three things you should do about it.
A few days ago I blogged about the advice CISA* is giving to your clients. Today I want point out some action steps you should take in response to these documents.
That blog post is here - https://blog.smallbizthoughts.com/2021/09/the-government-is-telling-your-clients.html
The document you need to read is: Risk Considerations for Managed Service Provider Customers.**
I know many people are tempted to say that they don't have to pay attention if their clients are not going to read it. Not true. I consider this primary document and the related documents to be a peek into the future.
And since you can peek into the future of your business for free, I think you should. Here are some specific items I think you should pay attention to.
First, your company's financial health and well-being matter. I know that sounds obvious, but this is going to become a publicly-discussed element of a sound business relationship.
The CISA advice to your clients is to request documentation of your financial health AND performance records based on the service provided to other clients. There are no specifics of what that looks like, but a one-page note from your accountant is probably a good place to start.
In my white paper on transforming an industry into a profession, the first pillar I call out is financial security. You need a good, sound business model in order to have a sound future. Your clients have a right to know whether you're a "going concern" or losing money. See https://www.nsitsp.org/wp-content/uploads/2021/07/Transformation_Industry_to_Profession_Palachuk.pdf
In the original blog post on this topic, I mentioned that advice from the CISA document will slowly work its way into usage. I can pretty much guarantee that's the case with financial health. This is "low fruit" and will become a checkbox on checklists that will emerge for hiring an MSP.
Today, you can ask for a quick note from your accountant. In fact, you can write it and ask them to put it on their stationary and sign it. That will probably be good for a year or two. We'll see after that.
Second, as my mother used to say, Watch Your Language! I have long advocated that we avoid casually referring to contracts or service agreements as Service Level Agreements. The CISA document uses SLAs accurately: It encourages your clients to get a refund if you do not meet your SLA targets.
I highly encourage you (and always have) to avoid using the term SLA unless you have a formula for giving clients their money back when you have unscheduled downtime. Many people (hundreds, perhaps thousands) have argued with me about this over the years.
SLA means something. You cannot get away with saying, "Well that's not what we mean. And our clients understand what we mean." These words exist outside your informal agreements. And when this advice trickles down from big business to small business, the government's (accurate) use of the phrase will dominate.
As a reminder, people also say that they use the term "All you can eat" and are sure that everyone understands that it doesn't actually mean all you can eat. I won't repeat that diatribe here for the 1,000th time.
So, watch your language. Words mean things.
Third, create some client data documentation to cover the basics of the CISA concerns. If you prepare these documents, you can actually bundle them together in a zip file or printed onboarding package with other documents.
The goal here is to address some legitimate concerns and pre-empt the need to create these docs on the fly because you didn't expect someone to ask for them. This might also be a nice differentiator for the next year or so.
Here are four examples of documents/checklists you should prepare, as recommended by the CISA advice to your prospects:
- Data Management. This document could start with your Privacy Policy statement on how you manage data. In particular, CISA encourages businesses to ask you how you will manage their data, how it will be separated from other client data, and how you secure their data.
- Vetting employees and securing clients' intellectual property. This starts with having employees sign non-disclosure agreements regarding your company and your clients. You should be doing this already. But now you should define that process for your clients and prospects.
- Document your incident response. This is particularly useful for ransomware attacks, but is also useful in any disaster (fire, flood, etc.). The CISA document encourages prospects to inspect all monitoring systems, intrusion detection logs, and "data telemetry" from monitoring systems.
That's simply not possible with most systems. Luckily, clients won't ask for this in SMB . . . today. But if it happens in the mid-market, the standard tools for SMB IT consultants will someday include the ability to give clients this access. Heads up.
- Document each client's backup. This is another one you should already be doing. The CISA document specifically calls out the request for an air-gapped backup. In my opinion, that's not being done by most SMB systems, especially cloud-based and BDR systems. As the advice of CISA propagates, the term air-gapped backup will find its way into your clients' vocabulary.
The bottom line: Act Now. Don't Respond Later.
Managed service - in fact, all modern tech support - puts a heavy emphasis on preventive maintenance. Consider this the preventive maintenance of your company's business well-being.
Yes, it takes some work. The the items outlined here are mostly common sense and "best practices." The exception is the client's ability to look into your monitoring systems and logs. That issue - transparency - is in its infancy. But get used to it. Five years from now it will be old news.
Once again, my advice is to take action now so you're not responding to a new reality in an urgent environment. This is a case where you really can see the future.
And if you haven't done so already, please join us over at the National Society of IT Service Providers. We're looking at these things and preparing to take a stand on legislation that's inevitably coming down the road. Check us out at https://www.nsitsp.org.
-----
*CISA is the Cybersecurity and Infrastructure Security Agency. See https://www.cisa.gov
** Risk Considerations for Managed Service Provider Customers. See https://www.cisa.gov/publication/risk-considerations-msp-customers
:-)