Whether you do it in-house or outsource it to a managed service provider (MSP), managing risk is no easy task. Constantly increasing regulatory requirements and the changing threat landscape mean that the definition of risk management is also constantly changing. In this episode of the Insider series, I sat down with Vinod Paul, COO of Align Managed Services, to find out what’s changed and what advice he would offer to companies trying to get a handle on risk management.
James Mignacca (JM): What is cybersecurity risk management like in the MSP space? How have things changed and how do you help your clients manage risk?
Vinod Paul (VP): In the last 20 years there has been a tremendous development in the MSP field. If you look back just ten years ago, our clientele was mostly financial services companies. Typically, they managed risk by just ticking a box for regulatory concerns, and that was usually the point at which risk management responsibilities ended for them.
However, over the last five years there has been a tremendous evolution where investor due diligence, changes in the regulatory landscape and, most importantly, changes in the threat landscape have really brought risk management to the forefront of what we do as an MSP and a partner for clients across different industries.
JM: Where do you start talking about risk management?
VP: Risk management isn’t new, but many people we speak to know they have to do something. It’s not like five years ago when everyone thought, “I won’t get cracked. That won’t happen to me.” Back then, compliance was based on ticking a box.
JM: How does a typical engagement with your clientele work for you?
VP: We try to convey to our customers that risk management cannot be approached with a panacea mentality. We see risk management as putting in place as many layers of protection as possible, with the understanding that you may have a cyber event at some point.
The conversation then focuses on how to manage risk and mitigate damage when a cyber event occurs. How do you minimize the data an attacker has access to, and how do you prevent the possibility of further infiltration of the organization?
Our guidance to customers is to take as many protective measures as possible. If you’re trying to secure a home, you can add a great alarm system. But if you don’t lock the windows and doors, you’ve failed to secure your home at the most basic level.
When it comes to risk management, I always recommend starting from the bottom up. Start by setting up steps and protections on the platforms you use, then add additional layers to manage your risk profile – which means understanding your risk profile, knowing where your data resides and the potential vulnerabilities that are specific to your company.
If you take a systematic approach to implementing layers of protection by starting with the protections on the platforms you use, leveraging software to help put you in a better risk profile position, and understanding what your data footprint is, then you are in a much better place. You have to start somewhere, and the easiest way is to build on the foundation.
JM: Cybersecurity has always been a moving target, and we’ve certainly seen over the years that even the target itself has changed. It used to be the high-profile, big company. Now the target is everyone. How often do you recommend reviewing risks as a company?
VP: No matter what tools you use or what partners you use, don’t set up your threat protection systems and walk away. That’s the worst thing you can do. The threat landscape changes daily.
Use systems, but check the results of those systems. As a rule, we encourage our customers to engage as partners and verify the information generated. We deploy systems for our customer systems that become system layers, data layers. Typically, with our average client, we look at the results and reports on a monthly basis, minimally, just so the client can understand what their data footprint is, and also understand potential vulnerabilities in that data footprint.
And by doing so, you put yourself in a better cybersecurity posture. You can think ahead and say, okay, I want to eliminate a potential risk with ABC data and tracking, or install new systems to protect me. When it comes to the risk landscape and threat profile, organizations should conduct an overall assessment of the organization and its partners at least annually as technology changes and your partners and their technologies change.
JM: Are people using their managed service providers or are they still trying in-house?
VP: Most CFOs and COOs we work with understand what their obligations to their clients are, and they use the MSP to help them create risk management profiles, map and truly understand their data, and understand what their obligations to their customers are.
If you go back six, seven years ago, there was usually one person at one of our customers who was responsible and they paid the bills and made sure the systems were up so they could continue with their day-to-day operations.
I’ve seen a tremendous shift in the clientele we work with where now one person takes real responsibility and accountability for the vendors they choose, particularly the MSP. This person understands their risk profile. They also understand that they are the central point of administration for the company’s data.
As their partner, we offer risk management. We can provide them with data maps showing where all their data is located. But if, on the other hand, no one is designated to take action with all that data, those systems mean nothing.
JM: Where do you see the future of risk management?
VP: When you look at both the political and regulatory landscape, the strain on our customer base only increases. Most of our clients are registered investment advisers and are governed by the SEC (Securities and Exchange Commission), and some are actually governed by other organizations. When they work outside the country, and depending on what kind of strategy they have, their burden increases.
Our customers approach this problem by asking how they approach data risk mitigation. In the next three years in particular you will see an increase in the use of tools and dashboards where individuals will understand and take responsibility – this is my vulnerability, this is my data, this is how I manage this data, and this is how I understand and manage my risk from that data.
As an MSP, we want to minimize the effort for our customers. We want to enable them to manage these new tasks effectively and cost-effectively. But use the right tools. To do this well, you must truly understand your organization’s threat landscape and the simple steps you can take to reduce your threat landscape and data needs.
*** This is a Security Bloggers Network syndicated blog from Cavelo Blog and a press release written by James Mignacca. Read the original post at: https://www.cavelo.com/blog/insider-series-how-shifting-regulatory-demands-and-the-evolving-threat-landscape-has-changed-risk-management