BARR Advisory recently teamed up with Vanta and Electric for an insightful conversation about the compliance journey for managed service providers (MSPs). By delving into the relationship between automation solutions, auditors, and MSPs, thought leaders from the three organizations explore how successful collaboration can overcome common pain points and help achieve unparalleled success on the journey to compliance.
Panelists included Vanta’s Director of Auditor Partners Sam Bradley, BARR’s President and Founder Brad Thies, and Electric’s CISO Aaron Shierlaw.
We’ve outlined a few of the questions asked during the webinar and highlights from the panelists’ answers. Click here to watch the full video on demand.
***
How do your three separate organizations come together to support the security and compliance of a single customer—like three legs on a stool?
“There’s a lot of nuance and subtleties that happen between an MSP, us as the auditor, and an automation solution. You have to determine who’s responsible for what and ensure you’re bringing the real issues to the table so we can solve those issues together,” said Thies.
“From my standpoint, Vanta is like the glue that connects the three parties for the customer. That includes developing a security maturity program or completing an audit. Vanta does a really good job at helping customers who might be upstream from an audit, getting their ducks in a row for potentially going through an audit, and then taking them through an audit,” said Bradley.
“As an MSP, we are contractually obligated to meet the customer’s needs, so bringing in a third-party auditor can be challenging. Ultimately, I coach our customers so that they’re still accountable for their systems or platforms. I would tell MSPs and customers alike to ensure they have a transparent relationship and closely align with each other during the audit. That way, each entity can function more like we talked about—three legs of a stool,” said Shierlaw.
How does the compliance-auditing-MSP collaboration work to create the most successful experience for a joint customer?
“Ultimately, the accountability is still on the customer,” said Bradley, adding, “It’s important to make that clear and that the message is driven at the policy level. Communicating roles and responsibilities beforehand and understanding where the accountability lies should set up the experience for the customer in the best way to drive positive results.”
Adding onto that, Thies said, “Paradoxically, when you don’t have issues you can measure or don’t have transparency, things look perfect because you simply don’t have any findings. However, I think that’s the value we see with this three-legged stool analogy. There are bound to be issues with any organization, and you have to be willing to work through those issues through a partnership.”
“If you’re going through an audit and you have an MSP, it’s imperative to prepare ahead of time for the audit,” said Shierlaw. “You need to sit down with your MSP and talk through any difficult areas.”
“I’d like to add that security and compliance will never be plug-and-play where issues go away once you hire an MSP. There’s still a human component that requires communication,” said Bradley.
What success stories have you experienced using this approach?
“We’ve found a lot of success when the MSP puts more of their coaching hat on and makes sure the customer understands the capabilities of the tools and what they’re designed to do versus not do,” said Thies.
“Similarly, the partnerships that have been successful for us are when the customer takes ownership,” said Shierlaw. “In these situations, you see the auditor talking to the customer with the MSP as support. The customer is answering the questions from the auditor, and the MSP is there to handle the more difficult, technical issues.”
“Another great approach is leveraging the internal audit requirement, especially if you’re adhering to ISO. We’ve got a great network of MSP partners who offer internal audits to our customers. It’s a very low-risk activity in terms of maintaining compliance, but organizations can leverage an internal audit to help them prepare for and understand what exactly they’ll be taking on during an audit,” said Bradley.
How does shared accountability and responsibility work as an MSP when working with multiple organizations?
Shierlaw said, “It takes constant, consistent effort to stay compliant. Technology doesn’t always work, and sometimes you need a human to take a look at, follow up with, and fix the issues. A tool like Vanta combined with the Electric platform is a perfect example of how this can work out. These platforms give the customer and the MSP visibility when issues arise.”
“I always work to understand the client’s culture because that influences how they might respond when it comes to compliance or autonomy,” said Thies.
“Understanding culture is spot on,” said Bradley. “I’d add that working together and having that shared accountability accurately defined and depicted at the policy level sets the tone at the top for a trickle-down effect.”
We’ve also seen a culture of fear emerge when it comes to auditing and compliance—such as a fear of issues like a minor exception. What can we do to change that culture of fear?
“It’s a mindset shift. You want to have findings. In fact, in my prior roles, I would help steer the auditor to findings so you can use them as a lever to help your organization improve,” said Shierlaw, adding, “It’s not uncommon for folks to have fear around not seeming perfect, but really, successful compliance is about finding a way to break through that mindset.”
“At BARR, we strive to meet the client where they are because we realize security and compliance is a journey. In business and other aspects of life, you have to get comfortable accepting uncomfortable truths. Our role is to uncover and communicate those truths as quickly as possible so organizations can take action without fear,” said Thies.
Bradley added, “When I see issues highlighted in a report, to me, it’s actually a good thing. I look at that and think, ‘the customer was being honest with the auditor, or the auditor was doing an excellent job of finding issues.’”
From this collective’s experience, what are the most critical cybersecurity considerations that organizations often overlook in the pursuit of compliance?
Thies said, “Scope, having good visibility of where your attack surfaces might be, and knowing who owns these issues is critical. If you don’t know what you’re trying to protect, how will you protect it?”
“Prioritize what you’re doing,” said Shierlaw. “Find the key, administrator accounts, and databases that have critical data. Focus on getting those controls in place, and don’t get lost trying to fix every problem everywhere. Prioritize what you have.”
Bradley added, “Applying your time and money in terms of security and compliance toward the highest risk area is important. I think risk management is more an art than a science. You have to understand your organization’s unique risks and focus on chipping away at those higher-risk areas before trying to make everything perfect.”
Contact us today for more information on BARR’s approach to partnering with automation platforms and MSPs and how this collaboration can help you reach your security and compliance goals.