- Contact Us
The outsourcing of information technology (IT) functions has become incredibly common with businesses, especially among small and medium sized companies. There are many benefits to outsourcing IT. For one, the cost is normally much lower than hiring even a single employee to manage IT for you. The tools and technology available such as 24-hour monitoring, offsite backups, and the use of a ticketing system are usually included in the services being provided. You also will be gaining a team of experienced IT personnel that require very little training.
As a Virtual Chief Information Security Officer (vCISO) for multiple organizations, I have had the privilege of working with numerous managed service providers (MSP). Some experiences good and some on the not so good side. One of the biggest drawbacks I have seen is from a security perspective. I am going to share some of that perspective in the hopes that you will be better prepared when the time comes to work with or manage your MSP.
1. Set Expectations from the Beginning
What you expect from your MSP should be discussed and included in the contract. A service-level agreement (SLA) should be in place that clearly sets response times and includes the systems and tasks that the MSP is responsible for. Willy-nilly is not the right approach here. You need to know exactly what you are getting from your MSP!
Monthly reports should be provided by the MSP that include but are not limited to:
before even entering into a contract. This allows you to gather information around the security controls that they have in place and lets them know that security is going to be important in this relationship! An example question: Do you complete a background check on all employees? If the answer is no, and you are a company that has PII, PHI, or sensitive company information that this employee will have access to, are you comfortable giving this person access to it? I know I would not be!
The management and oversight of any third-party or contractor is a necessary responsibility that no organization can take lightly. Make that third-party an MSP and multiply that necessary responsibility by ten! Be sure you have attached the appropriate level of due diligence around vetting and managing your MSP both before onboarding one and during your time with them as a part of your team. Contact us today to learn more and discuss your unique situation!