Some MSPs see users as the weakest link in the security chain.
But not Adam Levin, CISO of New Jersey-based MSP Network Doctor. From his perspective, while user error can often be the cause of a security breach, users are also your strongest defense for upholding security.
“Your users are a double-edged sword, a lot of people point out your users are your weakest link. But at the same time, they’re also your first line of defense,” he said.
“If you have a process in place and users are following that process, a lot of times that’ll protect you more than any system or tool that exists.”
With a strong security foundation, Network Doctor leads by example for its clients.
That’s why Network Doctor prioritizes its internal security foundation. With security processes in place, Network Doctor can lead by example for its clients and deliver a sophisticated level of service, unlike many of its competitors in the small to medium-sized business range it serves across the United States.
Achieving internal SOC 2 compliance was integral to establishing Network Doctor’s security foundation. Levin turned to ControlMap to make it happen.
Pursuing SOC 2 compliance can get messy fast if you don’t have the right tool for the job. When working with different organizations and auditors, the management and execution of the compliance process can be a lot to handle for any MSP.
That’s why Network Doctor wanted to find a better way to meet the SOC 2 standards for themselves.
“Every time you work with an auditor,” Levin said, “you have to use their methods and systems.”
If you switch auditors, you have to adapt to a different auditing system. Network Doctor wanted to have its own internal system that would be able to gather all the information as needed, independent of any auditor.
Completing risk assessments can be a massive effort. With specific requirements for compliance frameworks, MSPs can quickly end up with a massive spreadsheet containing entries for every sort of risk. Levin said it can be easy to miss something when filling out those sorts of forms, which could disqualify it on review by an auditor.
He said the same is true for vendor risk assessments. However, it could be very difficult to evaluate all of the forms and action items.
“You’d send out all these PDFs, you get them all back, and now you have to try to parse all this information into something usable as opposed to just saying, ‘Yeah, we sent out vendor risk assessments. Here’s the pile of things. Oh, what did you do with them? Nothing,’” Levin said.
That’s when Network Doctor found ControlMap.
“What brought us to ControlMap was that everything is very neatly operated. It was built for MSPs. We’re of the belief, if you’re going to sell something, you should also be utilizing it,” he said.
“We used ControlMap internally. We saw the value of it. We saw that it’s very intuitive. It was very easy to pull everything together, have everything sourced. Same thing with policies and procedures, you’re able to have everything in a centralized location, and on top of that, have all these integrations to be able to pull a lot of the evidence in automatically.”
Having a centralized risk register with the typical risks they encounter laid out, with the option to add or remove as needed, gave Network Doctor staff a better starting point for assessments. That way, MSP staff can do meaningful work while keeping the organization and its clients secure.
Improved processes and procedures, internally and for clients, improve the consistency of the first line of defense, the people using these systems and workflows. ControlMap has helped Network Doctor strengthen the users’ workflow security, reducing the number of security breaches overall.
Network Doctor’s security-focused offerings began with reactive solutions like Endpoint Detection and Response (EDR) and eventually incorporated Managed Detection and Response (MDR). More proactive services like vulnerability scans, cybersecurity awareness training, and pen testing were added over time.
Once Network Doctor incorporated ControlMap into their business internally, they began offering clients compliance advisory and guidance services. Based on the framework the client is following, ControlMap’s tools help Network Doctor perform a gap analysis to see what items they might be missing and how they can assist with obtaining those items.
Levin shared an example of a financial firm regulated by the SEC. Network Doctor advised the firm to follow the NIST cybersecurity framework.
“They just want to make sure they’re secure. So for them, you may look at the CIS controls… the way I see it is more of a checklist to say, ‘are you following? Do you have X, Y, Z?’ and then going down the row and saying, ‘Okay, do you have this in place? Do you have this?’ So it’s leveraging the compliance needs to do it as a gap analysis from a security standpoint,” he said.
Managing risk for clients has been one of the biggest benefits Levin has seen for enhancing service quality. The risk register and vendor risk management are key pieces in driving conversations with clients. Centralizing risk management through ControlMap allows the team to review risks and share findings in client discussions.
“It’s a much easier conversation to have with clients,” Levin said. It allows for discussions around who the risky vendors are, the risk mitigation steps already in place, and more. Centralizing the entire risk profile reduces time and effort spent collecting data, giving MSPs and their clients better visibility into achieving and maintaining compliance.
Now with ControlMap, Network Doctor provides reliable information to help their clients make informed decisions about the impact, severity, and costs associated with security risks and mitigation strategies.
Through their expanded focus on security, Network Doctor has empowered their clients to make more informed security choices. By implementing security measures to meet standards like SOC 2, the day-to-day operation of both the MSP and their clients is more secure overall.
Levin recognizes that security has become mandatory for meeting MSPs’ evolving demands. Having the right tool for the job can make a big difference in your MSP’s success.
With a platform like ControlMap, MSPs can take steps with clients to create a stronger first line of defense. That means training and supporting staff to promote a culture of security.
“I say this all the time, and ControlMap also helps to prove a point, which is you can have all the tools under the sun, but at the end of the day, what’s really protecting you is your processes and your people.”