Managing your Managed Service Provider
By Jasmine Fransen, Senior Healthcare Cybersecurity Consultant, Crowe LLP.
The IT managed services industry has seen continuous growth in the last few years. Organizations ranging from large health systems to Software-as-a-Service startups are turning to managed service providers (MSPs) to take on ongoing operational or security responsibilities. MSP engagements range from completely outsourced IT and security operations to narrower functions such as help-desk support or logging and monitoring.
Why do Organizations Rely on MSPs so Heavily?
There are many reasons organizations rely on managed service providers for IT and security operations, but three major factors drive the shift: the talent shortage, cost benefits, and risk transference. Technology and security talent can be hard to come by, especially when your organization is in a rural area or simply lacks the “Silicon Valley” vibe that attracts candidates. According to Cybersecurity Ventures’ cybersecurity jobs report, there will be 3.5 million unfilled cybersecurity positions by 2021, and a recent Gartner survey of 137 senior executives found that the talent shortage is the risk those executives are most concerned about.
The cost savings from using MSPs rather than relying on fully in-house operations can be substantial. A midsized hospital can contract a full virtual information security office (VISO) or security department for much less than the cost of full-time employee salaries, benefits, and cybersecurity-specific training, not to mention the technology and software costs associated with the work itself. MSPs are becoming increasingly flexible, offering creative solutions, multiple skill sets, and services tailored to your needs and budget. These benefits are particularly attractive in healthcare, where dedicated information security budgets are a relatively new concept and cost savings sit at the top of every executive’s agenda.
Risk management has become one of the largest challenges for organizations large and small. Properly identifying, prioritizing, and managing risk in an ever-changing threat landscape can be a baffling undertaking, especially when operations and security functions are performed in-house. By leveraging MSPs to perform key IT and security operations, organizations can transfer risk related to the services the MSP delivers. For example, if an organization uses a “storage as a service” vendor in which the MSP is responsible for hardening and maintaining the storage platform, the organization is no longer directly involved in the day-to-day risk management activities for patch management, access controls, and configuration management of that storage; those risks are transferred to the MSP. It is important to remember, however, that you can contract out the work but not the accountability: a breach or incident at your MSP still creates operational, regulatory, and reputational risk for your organization, and your patients and regulators will look to you, not the MSP. As long as your organization avoids the common pitfalls of managing MSP relationships described below, using MSPs to transfer risk and the related management responsibilities can be highly beneficial.
Common Pitfalls of MSP Relationships
Some of the most common issues Crowe Cybersecurity Consultants identify during healthcare assessments relate to the mismanagement of MSPs. Organizations that rely heavily on MSPs often fail to identify where the organization’s responsibilities end and the MSP’s begin. For example, if an MSP performs identity and access management (system access provisioning, modification, and termination), the way Human Resources communicates with the MSP to set up a new employee’s accounts can seem straightforward. If it is not clearly defined at the start of the relationship, however, critical activities fall through the cracks. Is the MSP responsible for confirming that a terminated employee’s access has actually been disabled, and within what time frame? Who performs access and account reviews, and on what schedule? These details are rarely found in an SLA but are crucial to the success of the relationship.
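The termination and account-review questions above are the kind of thing a customer can verify for itself rather than take on trust. The following is an added example, not code from the original article or from Crowe, of a reconciliation check run against an HR termination feed and an account export from the MSP-managed directory. It flags terminated users whose accounts are still enabled past the agreed window, logons after a termination date, and enabled accounts HR has no record of. All input data is constructed; the column names, the two-day disablement window, and the “svc_” service-account prefix are assumptions, not anything the article specifies.

```python
"""
Added example, not code from the original article or from Crowe: a reconciliation
check a customer can run itself to verify that an MSP handling identity and access
management is disabling access for terminated employees within the agreed window,
and to surface enabled accounts that HR has no record of.

All input data is constructed for illustration. The column names, the two-day
disablement window and the "svc_" service-account convention are assumptions,
not anything the article specifies.
"""
import csv
import io
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed HR termination feed (who left and when).
HR_TERMINATIONS_CSV = """employee_id,username,termination_date
1001,jdoe,2024-03-01
1002,asmith,2024-03-04
1003,bwong,2024-03-05
"""

# Constructed account export pulled from the MSP-managed directory.
ACCOUNT_EXPORT_CSV = """username,enabled,last_logon
jdoe,false,2024-02-28
asmith,true,2024-03-06
bwong,true,2024-03-05
svc_backup,true,2024-03-06
cmiller,true,2024-03-06
tlee,true,2024-03-06
"""

# Constructed list of usernames HR says are current employees.
ACTIVE_HR_USERS = {"cmiller"}

# Assumed naming convention for service accounts; these need an owner review
# of their own rather than an HR match, so they are skipped here.
SERVICE_ACCOUNT_PREFIXES = ("svc_",)

AS_OF = date(2024, 3, 7)      # date the review is run
GRACE_DAYS = 2                # assumed contractual window to disable access


@dataclass(frozen=True)
class Finding:
    username: str
    issue: str
    detail: str


def parse_csv(text: str) -> list[dict[str, str]]:
    return list(csv.DictReader(io.StringIO(text)))


def reconcile(hr_csv: str, accounts_csv: str, active_hr_users: set[str],
              as_of: date, grace_days: int = GRACE_DAYS) -> list[Finding]:
    """Compare the directory export against HR data and return anything the
    customer, not the MSP, should be asking questions about."""
    terminated = {
        row["username"]: date.fromisoformat(row["termination_date"])
        for row in parse_csv(hr_csv)
    }
    findings: list[Finding] = []

    for acct in parse_csv(accounts_csv):
        user = acct["username"]
        enabled = acct["enabled"].strip().lower() == "true"
        last_logon = date.fromisoformat(acct["last_logon"])

        if user in terminated:
            term_date = terminated[user]
            deadline = term_date + timedelta(days=grace_days)
            if enabled and as_of > deadline:
                findings.append(Finding(user, "SLA_BREACH",
                    f"terminated {term_date}, still enabled "
                    f"{(as_of - deadline).days} day(s) past {deadline}"))
            elif enabled:
                findings.append(Finding(user, "PENDING",
                    f"terminated {term_date}, disablement due by {deadline}"))
            # A logon after the termination date is worth a question even if
            # the account has since been disabled.
            if last_logon > term_date:
                findings.append(Finding(user, "LOGON_AFTER_TERMINATION",
                    f"last logon {last_logon} is after termination {term_date}"))
        elif (enabled and user not in active_hr_users
              and not user.startswith(SERVICE_ACCOUNT_PREFIXES)):
            findings.append(Finding(user, "ORPHAN_ACCOUNT",
                "enabled account with no matching HR record"))

    return findings


def run_example() -> list[Finding]:
    return reconcile(HR_TERMINATIONS_CSV, ACCOUNT_EXPORT_CSV, ACTIVE_HR_USERS, AS_OF)


if __name__ == "__main__":
    for f in run_example():
        print(f"{f.issue:<24} {f.username:<12} {f.detail}")
```

The point of the design is that the inputs come from two independent sources the customer controls access to: its own HR system and a raw export from the directory. A report the MSP writes about its own deprovisioning performance is not evidence; a reconciliation like this, run by your staff on a fixed schedule, is.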
Another common pitfall in MSP relationships is a lack of oversight and communication. An out-of-sight, out-of-mind mentality toward outsourced functions undermines the effectiveness of the relationship.
Think about your managed service provider relationships.
- Do you have regularly scheduled business and service review meetings?
- Are any status reports or metrics being provided back to you?
- Are the metrics valuable to understanding how the services support your business?
- Do you even have a clear understanding of what they are responsible for?
- Do you regularly and thoroughly review and update agreements to satisfy your needs?
If the answer to any of these is no, which is commonly the case, it is time to ramp up your MSP communication. Without thorough oversight of the activities the MSP performs, it is impossible to validate that it is delivering the value your organization is paying for. This goes beyond monitoring performance against SLAs. SLAs are commonly tracked so that terms can be renegotiated at contract renewal if the MSP has not held up its end of the agreement, but the more qualitative aspects of the relationship get left out. Few organizations consistently evaluate whether the MSP provides quality operational reporting and communication. Even if you are leveraging a larger, well-known MSP, do not assume it is proactively meeting your expectations. That is why the following ground rules for managing your managed service providers matter.
MSP Relationship Ground Rules
- Responsibility Definitions – For each MSP relationship, your organization should define who is responsible for what, in as much detail as possible, to remove any ambiguity. For example, if an MSP is entrusted with managing your organization’s firewall, logging, and alerting, the boundaries of its authority must be spelled out. Management should be able to answer without hesitation:
  - Who is responsible for blocking malicious traffic?
  - When should potential issues be escalated to in-house IT staff?
  - What are the procedures and required frequency for reviewing policies and rules, and who is responsible for those reviews?
- Set Expectations – This goes beyond defining SLA terms. Setting expectations with your MSP includes how often and in what format you require project reports, which rules and regulations it must abide by to keep you compliant, which metrics it must provide and how frequently, and the specific workflows it must follow to fit your organizational standards.
- Right to Audit – In the healthcare industry, standard Business Associate Agreements and contracts include the “Right to Audit” your vendors. Read this instead as the “Responsibility to Audit.” When going through a HIPAA Security Risk Assessment or similar exercise, the MSPs should be involved in the process exactly as they would be if the functions were performed in-house. All too often we see organizations exclude MSPs from the scope of their assessments instead of taking the opportunity to audit the processes the MSPs perform and confirm that they comply with the organization’s policies and the applicable regulatory requirements.
MSPs can be an Asset, not an All-Encompassing Solution
Overall, it is important to remain diligent in all aspects of your information technology and security operations. Managed service providers are not perfect. Every organization needs designated point people or technical liaisons responsible for communicating expectations and project goals to its managed service providers. To gain a better understanding of how you can manage your MSPs more effectively, speak to a cybersecurity professional with experience managing or assessing multiple MSP relationships. The resources are out there; all you need to do is ask the right questions.