Massive data breaches and stiff new privacy and security laws have ushered in an age of the “cascading security requirement” to shore up the integrity of the supply chain. As a result, SMBs increasingly find themselves being asked by customers and business partners to complete questionnaires about their security practices. They’re turning to MSPs for help.
“The MSP tends to be the first one consulted on these questionnaires whether they have the expertise or not,” says Mark Kirstein, vice president of customer success at Tempe, Ariz.-based Cosant Cyber Security.
Questionnaires that ask SMBs to document their security infrastructures, protocols, and policies vary from industry to industry, ranging from several dozen questions to many hundreds. Guy Baroan, president of Elmwood Park, N.J.-based IT services provider Baroan Technologies, has helped his SMB clients complete security questionnaires for nearly 10 years. These days, however, they are more frequent and more in-depth.
“What used to be 10 questions is pages-plus,” Baroan says. “It started with the EU’s GDPR [General Data Protection Regulation].” That was followed by the California Consumer Privacy Act and now the New York SHIELD Act, he says.
Al Alper, CEO of Wilton, Conn.-based Absolute Logic, is also experiencing an uptick. “I would say we are seeing five or six of these detailed questionnaires a month,” he says, with those pertaining to CMMC Level 3 the most frequent.
Security questionnaires tend to boil down to three main categories of controls: physical, technological, and administrative. Filling out the form is typically a collaborative effort with the customer, who is familiar with policy, while “the MSP’s expertise is more on the technical side,” which includes the physical infrastructure and the technological controls, says Kirstein.
Completing a security questionnaire can take anywhere from an hour to several weeks, and channel pros should charge accordingly. “You can charge a few hours if you are very familiar with the client,” Baroan explains. “Or you go all the way up the ladder with a full discovery and review.” Alper, for his part, considers security questionnaire services to be CISO-level work, and for that he charges $750 per hour.
Baroan uses the task as an opening to drive more sales, referring to past recommendations. “When these survey questions come in, we can say, ‘Hey, do you remember that conversation we had?’ and we can educate them,” he explains.
As part of the security questionnaire process, Baroan also pitches the firm’s compliance-as-a-service offering. “We said, ‘If you buy all of these services, you would meet all of the NIST requirements,’” Baroan says. “When we have clients with this service, we know what they have in place, and we can complete their questionnaires fairly easily.”