IT Security Education: The New MSP Mandate?

By Doug Bonderud, PivotPoint. The idea of outsourcing is no longer an outlier for many companies — locating and leveraging a reliable managed service provider (MSP) is now par for the course. However, with internal IT budgets shrinking and many C-suites expecting IT professionals to do more with less, a new MSP mandate may be emerging in the form of IT security education. Can third-party providers effectively take on the role of outsourced chief information officer (CIO)?

Knowing Is Half the Battle

According to a recent Information Age article, many businesses now outsource a large part of their IT operations to MSPs. A side effect of this trend, however, is that IT security education takes a backseat. In effect, training employees becomes an "out of sight, out of mind" task for IT professionals trying to find the balance between outsourced and in-house technologies.

For MSPs, this provides an opportunity to enhance client relationships by delivering comprehensive security training in addition to the underlying services that help protect company networks. As noted by the article, timely knowledge of cyberthreats and response strategies can provide an approximately 50 percent boost to cyberdefense. When employees are properly trained to recognize phishing emails and avoid unsafe websites and hardware missteps, the chances of a security breach significantly decrease.

For MSPs, this means outsourcing more than just technology. Instead, they offer a kind of "CIO-in-situ" service that provides training alongside security software and back-end infrastructure. In other words, technology is just the beginning.

A New Mandate?

Taking on the role of an outsourced CIO is no easy task. MSPs must become intimately familiar with each firm's IT inner workings and deliver specialized services to match unique needs. However, according to Forbes, this type of next-level service may be mandatory before too long — as the MSP market grows, so do client expectations. Firms are looking to move on from MSPs that cannot grow and change quickly enough or provide expert advice. For MSPs, this means service delivery and speed are no longer enough. Pressure on in-house IT to do more with less is pushing even C-suite positions out the door, and the first one to go is often the CIO. By filling this gap and offering robust IT security education, service providers can become indispensable components of an organization rather than outsiders, making them part of the team rather than a line in the budget.

MSPs need to develop a basic security education program that applies to any business and includes common advice such as not opening malicious emails, practicing safe Internet use and the importance of regular patching. They should also develop security-specific advertising that details a provider's strategy to create a cybersecurity program unique to each client, including face-to-face meetings, the development of software tools and access to 24/7 technical support. Ultimately, the goal is to help companies transition from traditional security roles, such as in-house CIOs, to on-demand security. Much like the cloud has come to replace on-site offerings that are no longer financially viable or flexible, outsourced CIOs can look to become an agile resource, complete with in-depth knowledge of security best practices and a lower price tag than a full-time equivalent.