Whether you’re handling it in-house or outsourcing it to a managed service provider (MSP), risk management is no easy feat. Ever-increasing regulatory requirements and the shifting threat landscape mean the very definition of risk management changes constantly, too. In this episode of the Insider Series I sat down with Vinod Paul, COO of Align Managed Services to explore what’s changed, and what advice he’d offer to businesses trying to get a handle on risk management.
James Mignacca (JM): How is cybersecurity risk management shaping up in the MSP space? How have things changed and how are you helping your customers when it comes to risk management?
Vinod Paul (VP): There has been a tremendous evolution in the MSP space over the last 20 years. If you look back just ten years ago, our clientele included mostly financial services firms. Typically, they were managing risk to just check a box for regulatory concern, and that was usually where the risk management responsibilities stopped as far as they were concerned.
Yet over the last five years there has been a tremendous evolution where investor due diligence, changes in the regulatory landscape, and most importantly, the changes in the threat landscape, are really bringing risk management to the forefront of what we're doing as an MSP and a partner to clients across different industries.
JM: Where do you start the conversation around risk management?
VP: Risk management isn’t new, but a lot of folks that we talked to know they need to do something. It's not like five years ago when everyone thought, I won’t get breached. It's not going to happen to me. Back then, compliance was based on checking a box.
JM: How does a typical engagement work for you with your clientele?
VP: With our clients we try to instill that you can't approach risk management with a silver bullet mentality. We look at risk management as putting as many layers of protection in place as possible with the understanding that at some point, you may have a cyber event.
Then the conversation focuses to how to manage risk and mitigate damage when a cyber event happens. How do you minimize the data a bad actor has access to, and block opportunity to infiltrate the organization.
Our guidance to clients is, put as many protections in place as possible. If you're trying to secure a house, you can put in a great alarm system. But if you don't lock the windows and lock the doors, you’ve failed to security your home at in the most basic level.
When it comes to risk management, I always recommend starting from the bottom up. Start by putting in steps and protections on the platforms you use, and then start putting additional layers to manage your risk profile – which means understanding your risk profile, knowing where your data is located at and what the potential vulnerabilities are specific to your organization.
If you deploy a systematic approach of putting layers of protection, by starting with the protections on the platforms you use, leveraging software to help you put yourself in a better risk profile position, understanding what your data footprint is, then you’ll be in a much better place. You have to start somewhere, and the easiest place is to build upon the foundation.
JM: Cybersecurity has always been a moving target, and certainly we've seen that throughout the years where even the target has changed. It used to be high profile, large enterprise. Now the target is anyone. How often do you recommend reviewing risk as an organization?
VP: Whatever tools you use or whatever partners you use, don't set your threat protection systems and walk away. That's the worst thing you could do. The threat landscape changes on a daily basis.
Put systems in place but review the output of those systems. Typically, we encourage our clients to be engaged as a partner and review the information being generated. We deploy systems to our clientele systems which becomes layers of systems, layers of data. Typically, with our average client, we're looking at outputs and reports on a monthly basis, minimally, just so that the client can understand what their data footprint is and also understand potential vulnerabilities around that data footprint.
And by doing that, you're putting yourself in a better cybersecurity posture. You can think ahead and say: alright, I want to eliminate a potential risk with ABC data and ABC location, or put in new systems to protect myself. When it comes to the risk landscape and threat profile, businesses should do an overall assessment of the organization and their partners at least once a year because technologies change and your partners and their technologies change.
JM: Are folks leveraging their managed service providers, or are they trying to still do it in house?
VP: Most of the CFOs that we work with and COOs that we work with understand what their obligations are to their clients, and they are leveraging the MSP to help them do risk management profiling, map their data and truly understand what their obligations are to their clients.
If you go back six, seven years ago, typically one individual at one of our clients was in charge of it, and they were paying the bills and making sure that the systems were up so that they could go about daily operations.
I've seen a tremendous change in the clientele that we work with where now an individual is taking true responsibility and accountability for the vendors that they're picking, especially the MSP. That individual understands their risk profile. They also understand that they're the single point of administration of the company's data.
As their partner, we can provide risk management. We can provide them data maps of where all of their data is located. But if on the other side, there isn't someone designated to take action with all of that data, those systems mean nothing.
JM: Where do you see the future of risk management going?
VP: If you look at the political landscape as well as the regulatory landscape, the burden is only going to compound on our client base. Most of our clients are registered investment advisors, and they're governed by the SEC (Securities Exchange Commission), and some are actually governed by other organizations. If they're working outside the country and depending on what type of strategy they have, their burden increases.
Our clients are approaching this in a matter of how do they manage data risk mitigation? Over the next three years specifically, you're going to see a rise in leveraging tools and dashboards where individuals are going to understand and take accountability - this is my vulnerability, this is my data, this is how I’m managing that data and how I’m understanding my risk because of the data.
As an MSP, we want to minimize the burden on our clients. We want to enable them to handle these new responsibilities effectively and in a cost-effective manner. But leverage the right tools. To do that well, you need to really understand your business’s threat landscape and the simple steps you can take to reduce your threat landscape and data footprint.