Most of us will have to meet some form of regulation at some point in our businesses. For cybersecurity, there are several possible ones, depending on your industry.
It’s already a nuisance dealing with migration into the cloud, or dealing with remote or hybrid workplaces. And now there is a regulatory requirement we have to meet as well?
As expected, many businesses turn to their service providers for help. The conversation goes something like, “I need to get compliant with regulation X.”
And the provider responds, “Absolutely! We can help with that.”
The issue is, when all is said and done, the provider believes this is all about technology. And while they can probably install anything into your environment, they are less equipped to handle the change in how these new controls coordinate in your daily routine and practices. Providers provide services. Good or bad; right or wrong. It is up to you, the client, to get it right.
Either way, the service provider will likely play an important role in your compliance effort, regardless of their experience in governance. So how do you find out what the service provider’s capabilities actually are? Here are a few questions to help get you started.
- Do you have a service agreement in place with your provider? What are their current responsibilities… not what they do, but what they have agreed to do? (We often see that the provider doesn’t live up to their obligations, or they are inadequate to fulfill the compliance needs of the client.)
- Have they ever conducted or had experience with a cybersecurity breach?
- Do they provide any security services where they can provide documented procedures on how they do it? For example, do they conduct vulnerability scanning on your system and provide you with a report? What tool(s) do they use, and how do they track remediation?
- How do they validate their own security practices and standards? If they do it for themselves, there’s a good chance they can help you with yours.
- Do they follow a security plan for each of their clients? Do they use a standard security framework to ensure a holistic approach to protecting their clients? (Basically, a security framework is a series of documented processes that define your policies and procedures around how you implement and manage the various security controls.)
If your provider is willing to help you with your compliance effort, that’s fantastic and a good sign for the future.
However, we still must be vigilant when it comes to whom to rely on when making decisions that directly affect our businesses, such as compliance, which is not forgiving.
Clients do not always have the answers, but they certainly know where they need to be. Service providers are the engines that turn instructions into a robust system with all the bells and whistles.
Harmony comes when MSPs/IT department and your compliance arm work together. You don’t expect the crew to be able to navigate choppy waters or even understand the undertaking of the entire journey. That’s the captain’s job – to work with the crew of the owner’s ship to get to port safely.
If you would like to discuss how a virtual CCO (Chief Compliance Officer) can captain your compliance efforts, let’s have a conversation.