Unlike the introductory classes, which are one-day bootcamps that certify people individually, the advanced courses provide a half day of instruction per month for 12 months, and culminate in an auditing process aimed at awarding an entire company ConnectWise’s SECURE MSP credential.
“There’ll be some third-party validation,” Ryerse says. “We’re going to have them show us that they’ve met that minimum criteria necessary to deliver secure services.”
Frameworks and enablement aren’t the only tools ConnectWise will use to help partners protect customers more effectively. Due to reach market soon as well is a managed detection and response (MDR) solution, delivered through the ConnectWise Fortify portfolio, that’s designed to consolidate and correlate information from multiple security products.
“Right now, a partner who needs to deliver secure services might have 15 tools,” Ryerse says. The forthcoming MDR solution will ultimately enable them to plug all those tools into a single management console.
ConnectWise plans to take a “crawl, walk, run” approach to defining which specific tools users can integrate. “Crawl is going to be just the products that we’re currently supporting out of our SOC,” Ryerse explains. The company’s closest partners in the security vendor community will get access to the platform at the walk stage, which ConnectWise expects to reach in the next year.
“Run is when we can open it up to the entire ecosystem and they can plug in based on APIs and other interactivity,” Ryerse says.
Hardening its RMM, PSA, and other products amid escalating attacks on such platforms by cybercriminals hungry for the end user passwords and payment information they contain, is a key part of ConnectWise’s master plan for security as well. Multiple ConnectWise executives addressed that topic during a breakout session at IT Nation Secure this morning.
“We know that when we do have an issue, it hurts our partners,” said CTO Steve Cochran. “It’s critical that we get ahead of it and we stay ahead of it, so our commitment, our investment, is to make sure that we have all of the right components in place.”
Core to that effort is the “shift left” initiative ConnectWise launched at the beginning of the year, which is designed to build security considerations earlier into the software development process.
“In the old ways, we would code and code and code and code and then we would do these big bang tests at the end, try to find all the issues, get them back into the development cycle again, and push them through,” said Tom Greco, ConnectWise’s director of information security. “It’s inefficient, because you end up doing a lot of work and rework, as well as you don’t really connect your developers to security. So the notion here is let’s move it all the way to the beginning.”
Included in the program are secure coding instruction for programmers, heightened threat modeling, and the use of testing software from Vericode to ferret out hidden vulnerabilities before new systems go into production.
ConnectWise is inspecting existing products for weaknesses as well. “We brought in several boutique firms that specialize in deep dive penetration testing and code revealing,” Greco said. “We’ve already worked through most of [ConnectWise] Automate, and Control and Command are also in progress today.”