This month, Alan interviews Jason McNew, CEO & Founder of Stronghold Cyber Security and a member of The ASCII Group since 2017.
Alan Weinberger: How important is it for a Managed Service provider to create a ‘culture of security’ within their own organization?
Jason McNew: In terms of staying in business (business continuity), a security culture is every bit as important as the safety culture that all businesses, including MSPs, already have (safety is mandated by law, however). If the fire alarm goes off, everyone knows exactly what to do, because they have been trained and drilled year in and year out. We need to see people at the same level with security: they know exactly what to do in the event of a fire alarm, and they should know exactly what to do in the event of a cyber breach as well. This is not generally the case in SMBs at all.
Weinberger: What does this security culture entail?
McNew: The 3P (people, process, product) concept can be applied to security culture. We need to have the right people, with the right training, in the right places. There has to be a hierarchy of people who fill certain security roles – Security Manager, Security Analyst, etc.
Next is “process,” which would equate to policies. Formal policies have to be written, and these policies must have the backing of the business owners/executives, etc., so that they can be enforced effectively by the IT folks. This isn’t as hard as it sounds, however, because every security policy an MSP could ever want has already been written and is readily available through NIST, ISO, SANS, etc. Usually these policies will need to be tailored for a particular organization, but they definitely do not need to be written from the ground up.
Last (but not least; I view the three 3P components as equal) is “products,” which for security culture equates to technology. We have to have the right technology, such as endpoint protection, firewalls, IDS, etc., in the right places.
Technology is like a moat, but it is your people and your policies that really make the castle.
Weinberger: How does this MSP ‘culture of security’ translate over to the needs of their clients?
McNew: The bottom line is that if the MSPs themselves are not secure, then neither are their clients. The overseas threat actors who are shopping for IP (intellectual property) know this, which is why MSPs are being actively attacked. Once they gain unauthorized access to an MSP, they can move laterally into the client networks, so MSPs are the “keys to the kingdom,” so to speak. That said, it needs to be understood that if a cybercriminal (especially one that is state-sponsored) wants to get into your network badly enough, they are going to use a zero-day exploit and highly advanced spear-phishing attacks to get the job done. For that reason, it is imperative to have (at a minimum) an IRP (Incident Response Plan) and a BDR (Backup and Disaster Recovery) plan in place. In addition, it is also highly advisable to have a DRP (Disaster Recovery Plan) and a BCP (Business Continuity Plan).
Weinberger: Since security practitioners are not licensed, what steps can qualified cyber professionals take to separate themselves from the so-called experts?
McNew: The Department of Defense Instruction 8570 (known simply as DoD 8570) is widely recognized in the cyber security community as an excellent framework for identifying what certifications are necessary to fulfill a particular security role. 8570 is vendor-agnostic, and is a simple three-tiered chart that maps various certifications to particular security roles. I highly recommend that anyone who is interested in filling a cyber security role acquire and maintain one of the certifications listed in this instruction, such as the Security+, CISSP, CAP, etc.
There is an excellent brief on 8570 located on the SANS website: https://www.sans.org/dodd-8570/.
The ASCII Group is a vibrant community of independent MSPs, VARs and solution providers across North America. ASCII offers members leveraged purchasing programs, education and training, knowledge sharing among peers, discounts on business services and more. Find out why ASCII is the most established community in the industry. Learn more about becoming an ASCII member at www.ascii.com.