One of the biggest issues in cybersecurity this year has been third party assurance, particularly when it comes to big businesses working with smaller ones. The Accepted Wisdom among cybersecurity professionals for a few years now has been that the easiest way to hack a big company is usually by hacking a smaller service provider or contractor first. To deal with this threat, enterprise organisations did what they do best: came up with a complicated and inflexible assessment and compliance framework and then tried to apply it equally to every third party they have any kind of relationship with.
You know how this story goes: Corporate security architect sends long-ass cybersecurity questionnaire written in Klingon to small business. Small business responds with answers that either make no sense or are woefully inadequate. Corporate security architect has the balls to be outraged that small business obviously does not take cybersecurity seriously because they cannot demonstrate an equivalent level of maturity to his company. He also genuinely has no idea why small business does not behave as though bad cybersecurity is an existential threat. Then Frank from risk management approves the provider anyway, and the security architect throws up his hands in disbelief and/or frustration.
A lot gets said by cybersecurity folks in enterprise organisations about how cybersecurity at small businesses is generally so terrible, but few of them seem to understand or care why. Well, having spent the last few years trying with great unsuccess to build a cybersecurity company that specialises in small business, I have worked out the answer. So wonder no more, because I am about to tell you.
The problem is IT (managed) service providers.
Yeah, I said it, though you probably already guessed from the title of this article. Do you run or work in an IT MSP? Did you just read that and think “Now hold on a minute, that’s an unfair generalisation! It doesn’t apply to us anyway, we’re very focused on cybersecurity and we do a good job of providing it for our customers!”. Well you should shut up and read the rest of this article carefully, because that kind of attitude is exactly the problem.
For those of you buried in corporate environments with no insight into how small business IT works, let me explain: IT managed service providers are the life blood of small business. Without their MSP, every small business would literally die. A typical small business doesn’t just lack an internal IT person or department, they don’t even have anyone who knows how to work a computer beyond being able to read their email, make Excel spreadsheets, and spend hours scrolling through Instatwitbook. They rely on the MSP to keep their IT running, to fix it when it breaks, and to advise them on what to do about anything that is too technical for them to understand, which is everything - and especially cybersecurity. IT MSPs are therefore one of the most trusted third parties a small business deals with.
When I first started on my mission to bring my experience in enterprise cybersecurity to small business, I thought that MSPs would be a natural fit for partnering with: surely they would love to be able to supplement their own capabilities with those of an experienced subject matter expert. As it turns out, I was totally wrong. IT MSPs are terrified of the idea of having a “real” cybersecurity professional come anywhere near their customers, because they know that any deficiencies we highlight are going to reflect badly on them, and their customers are going to ask hard questions like “you said I was secure, how come this guy found all these vulnerabilities?”
In the defence of MSPs, it’s not really fair to expect them to be great at cybersecurity, and personally I don’t hold it against them or think of it as some kind of professional negligence when they aren’t. For a start, most of them are small businesses themselves, with the same problems with time and money that all small businesses have. More importantly however, they have probably spent most of their lives doing a fairly specific thing: building, fixing and managing Windows computers and small office networks. For the most part they’re very good at that, but right now they are also trying to come to grips with the disruption of a lifetime in the shift from on-premise servers to cloud services. Throwing the constantly and rapidly evolving problem that is cybersecurity onto that pile is not really viable.
Unfortunately however, as far as most small businesses are concerned cybersecurity is just an IT problem, and so they expect their IT service provider to deal with it. Of course, the providers don’t help with this misconception - they have a vested interest in their customers believing they have cybersecurity under control - not just to keep specialist security companies from scrutinising their work, but to make sure they get to keep as much of the customer’s IT budget as possible, rather than having to share it with a stable of specialists. Further complicating the matter, small businesses often have a mentality that says security should be an innate property of any IT product or service they buy, and so they don’t want to pay extra for it (“why would I pay for that if it isn’t secure?”).
Taking all these points together - we end up with service providers who are being held responsible for something they know next to nothing about, yet having to claim they are experts in it to protect their revenue base, and then having to deliver a solution for next to no cost. Which brings us to the crux of the problem - the MSP business model.
“Monthly Recurring Revenue” is the catch-cry of MSP success. I have spoken to many MSPs in the past few years and I am yet to meet one whose business is not fundamentally dependent on this principle. Each of their customers is billed a recurring monthly fee, usually per-user or per-device, for the “services” they are provided, but the reality is that most of those services are just software products and cloud services they resell on behalf of bigger vendors and service providers. $20/user/month for Office 365, $15/user/month for Dropbox, etc. The service component is whatever effort the provider goes to in setting up and managing these products, but given many big vendors also allow customers to buy direct, the margins on software can be pretty thin, and so the MSPs have an inherent reliance on the products being quick and easy to set up and maintain - set-and-forget is best. If they have to burn a lot of time configuring and fixing them it starts to eat into their margins pretty quickly.
So in many ways the MSP business model has basically devolved into a glorified software reseller. In the bygone days of on-premise infrastructure, MSPs had a lot more control over the IT environment and made most of their profit from hourly billing for “extra” work doing maintenance on servers, providing helpdesk support, and other project work that wasn’t covered under the standard support agreement. Now the servers are gone and the cloud services that replaced them need a lot less hand holding. They rarely have outages, and when things go wrong rolling back is often as simple as a few clicks. The days of getting fat managing infrastructure for small business are over, and one of the fundamental underpinnings of the MSP business model for the last two decades has collapsed.
This creates a difficult situation for MSPs. When their customers say they want security, the only thing they have the experience and skills to provide without engaging external consultants, and the only thing they can afford to provide without eating into their margins, is some set of security-related products. So they tell their customers “Yes I can sell you cybersecurity!”, then they roll out Lastpass, Cloudflare, Azure ATP, sell them an “upgraded” firewall (assuming the client even has their own network anymore - coworking spaces are killing that too), and move things like “Anti-Virus” and “Patch management” to the security section of the invoice. The customer goes on happily about their day thinking that they have taken care of cybersecurity - until they get the email from Corporate Security Architect with a 500 question cybersecurity checklist that starts with “Do you have a written cybersecurity policy that is endorsed by senior management?”.
The other aspect fuelling this problem is that with revenue from on-premise infrastructure having basically evaporated, assessing and improving cybersecurity is seen as the new cash-cow for MSPs. It’s the thing that isn’t covered by their standard support agreement, but their customers are starting to get worried enough about it that when the MSP says “that’s a $10000 project” the customer will still (maybe) be willing to pay. So they have a go at doing it themselves without bringing in an external (and independent) subject matter expert, but the output from these sorts of projects is almost invariably geared towards getting the client to take up more ongoing services (products) which will add to the monthly recurring revenue spend of the client, or at the very least drive more project work deploying new solutions.
Getting back to the enterprise third party assurance perspective, when you look at a self assessment questionnaire from a small business and it comes back with “No” for all the things which seem so fundamental, like having a documented cybersecurity policy, using risk management, and having centralised logging and alerting (or they tick “Yes” but the evidence they provide says otherwise…), the reason isn’t that small business doesn’t care about cybersecurity, and it isn’t even necessarily that they can’t afford it. It’s that they don’t know any better, and the reason for that is they are reliant on the advice of service providers that only think of cybersecurity in terms of products that they can sell for a margin, and who want to keep other service providers out of the picture. Governance, risk, and compliance might as well be foreign words to most MSPs, and advanced technical controls like centralised identity management or SIEMs are not the sort of thing that they can easily package up and sell as a low-margin software solution (or would have the capability to deliver even if they could).
What’s the solution? I don’t entirely know, but out of necessity it must be multi-faceted. For a start, IT MSPs need to stop propagating the myth that cybersecurity is an IT problem and that IT service providers are best placed to deal with it. They also need to be more open to working with specialist cybersecurity firms to supplement their internal skillsets. If that means having to change or adapt your business model, I suggest you start thinking about it now, because the next logical step for this industry is for cybersecurity firms to start offering their own IT managed services to get better control of IT risk and eliminate the hassle of working with uncooperative IT companies. When that happens you’ll be the ones at the negotiating table who can only offer part of what the client is asking for.
Bigger firms have a role to play too, in coming up with more flexible third party assurance frameworks, and in educating their smaller partners about the true nature of cybersecurity as a business problem rather than a technical one. Given that in most cases it is pressure from bigger partners/clients that gets a small business to start doing something about cybersecurity at all, if you want better cybersecurity outcomes you need to take more responsibility for shaping small business perceptions of cybersecurity rather than leaving it to MSPs and product vendors. That means fewer 500-question checklists and more consultation and relationship building.
Finally, we need audit and compliance people working with small businesses to start pointing out to them that while their IT service provider is a critical part of their cybersecurity strategy, putting them in charge of it is really a conflict of interest.