A focus on the fundamentals and building a strong foundation is integral to any security approach
Security frameworks provide managed service providers (MSPs) and managed security service providers (MSSPs) with a map to follow. The non-profit Center for Internet Security (CIS) has developed configuration policy benchmarks that organizations of all sizes should follow to protect themselves and mitigate risks.
The framework provides organizations with 18 categories of high-priority best practices that they can follow to improve their cyber hygiene while remaining in step with key regulations.
Liongard Co-founder and CTO, Joe Alapat, and Vice President of Product, Matt Miller, recently spoke with SC Media’s “Cyber for Hire” podcast about what MSSPs and their clients should know if they follow CIS guidelines compared to other frameworks.
“We love the fact that CIS keeps things up to date,” Joe said. “The thing that I find with CIS more so than most any other framework is the ability for it to actually be common English language; the vocabulary is very down to Earth, very understandable for anyone servicing an end customer.”
“Security is a complex topic. It can be mysterious; it can be intimidating,” Joe added. “And so having common vocabulary based on what I would consider to be a basic understanding of things that the end customer understands, it helps bring them into the fold and helps build confidence around them making investments around these areas.”
Joe praised CIS’ recognition that what worked a few years ago may no longer be relevant as the landscape evolves rapidly.
“Every MSP worth their salt is doing something in the form of security,” Matt said. “But that’s different than having a formalized security program that is really implemented, and it’s probably implemented. And that’s what CIS is about.”
Joe and Matt highlighted the potential pitfalls companies might face if they immediately jump in and attempt to implement all 18 controls simultaneously.
“That’s not how the real world works, especially when you’re running a real business with real fires and real customer onboardings,” Matt said.
“The CIS framework, I think, also does a good job, though, of laying those things out, giving you a framework, not just for the security — what boxes need to be checked, which switches need to be flipped which direction — but also, what’s the one priority? In what order should you tackle those things?” Matt said.
Matt suggested that the first controls, the inventory of assets and the inventory of software, are the top priority. He also noted that the CIS controls are not a shiny new widget but are, in some ways, administrative.
“How are we going to have a governance process around not just did we set the thing up correctly but can we prove that we’ve set it up correctly, and can we then on a repeatable basis, prove that it stayed set up correctly?” Matt said.
“Do you even know what you have?” Matt said. “We say that a lot. At Liongard, we say that about how to utilize our product, but also just about how to run a good MSP. You can’t possibly secure and manage what you don’t even know about.”
With the complexity of the IT stack exploding over the past 15-plus years, driven by the move to cloud technologies and the diversity of tech stacks, MSPs need visibility into the systems they manage.
“I think it starts with first having visibility to see those assets and being able to show that complexity to the end customer,” Joe said. “I don’t think they’ll have an appreciation for what it is that the service provider is dealing with unless they can actually see all of these things. I think that’s one of the biggest struggles every service provider has.”