Episode Summary
Moss Jacobson joins Brandon Garcin on Syncronized to discuss the critical intersection of cybersecurity and compliance. Moss corrects the common misconception that security guarantees compliance, or vice versa. He emphasizes the importance of technical controls, administrative policies, and a company culture that prioritizes both, starting from the top down.
Moss highlights the unique challenges managed service providers (MSPs) face supporting diverse client needs. He stresses the shift to endpoint security and the necessity for MSPs to maintain high security standards for themselves. He advises MSPs to adopt a robust compliance framework like NIST CSF or CMMC, especially if serving clients in regulated industries like healthcare or government contracting.
The conversation also explores the growing personal liability of executives for compliance gaps. Moss points out that proactive compliance not only mitigates risk but also unlocks growth opportunities. He shares an anecdote of a client gaining significant revenue after improving their security posture. Moss concludes by encouraging MSPs to commit to compliance and leverage available resources, predicting that those who prioritize compliance will thrive.
Guest-at-a-Glance
• Name: Moss Jacobson
• What they do: VP of Sales & Marketing
• Company: CTN Solutions
• Noteworthy: Business and marketing expert specializing in cybersecurity and compliance.
• Where to find Moss: LinkedIn
Key Insights
Compliance Doesn’t Equal Security (and Vice Versa)
Cybersecurity and compliance are often treated as interchangeable, but they are distinct concepts. They overlap in areas such as technical controls, yet achieving one does not automatically guarantee the other. Security focuses on protecting systems from threats, while compliance centers on meeting specific regulatory requirements. An organization can be secure without being fully compliant, and it can be compliant without being truly secure. A comprehensive approach addresses both, integrating technical solutions with administrative policies and a security-minded culture. This holistic strategy minimizes risk and strengthens an organization’s overall cyber posture.
MSPs Face Unique Compliance Challenges
Managed Service Providers (MSPs) encounter a complex compliance landscape due to the diverse needs of their clients. Unlike internal IT departments serving a single organization, MSPs must navigate varying security requirements across different industries and regulatory frameworks. This necessitates a multi-layered approach to security and compliance, often requiring MSPs to adhere to higher standards than their individual clients. A strong baseline security posture for the MSP itself is crucial, coupled with the flexibility to adapt to specific client needs and industry regulations. This proactive approach allows MSPs to offer tailored solutions and positions them as trusted advisors in a constantly evolving threat landscape.
Compliance as a Growth Driver
Compliance is often viewed as a cost center, but it can be a powerful engine for business growth. Organizations with robust compliance programs gain a competitive edge by demonstrating a commitment to data protection and security best practices. This can lead to increased trust from clients, particularly in regulated industries like healthcare and government contracting where compliance is non-negotiable. Furthermore, achieving compliance can open doors to new business opportunities, as many organizations now require their vendors and partners to meet specific security and compliance standards. Investing in compliance not only mitigates risks but also enhances an organization’s reputation and attractiveness to potential clients, ultimately driving revenue growth.
Listener Takeaways
The Importance of a Security-First Culture
A strong security posture requires a cultural shift within organizations, starting with leadership. Executives must champion security and compliance, fostering a mindset that prioritizes these aspects throughout the company. This cultural change ensures that security is not treated as an afterthought but is integrated into every facet of the business. It also means that security policies apply to everyone, regardless of their position, creating a level playing field and reinforcing the importance of security across the board.
“It’s also cultural. The security-minded and compliance-oriented mindset, that culture begins at the top of the organization. They need to drop the apathy and infuse a culture of security-mindedness and compliance-mindedness into the organization. The rules have to be for everybody.”
Endpoint Security in the Age of Remote Work
The rise of remote and hybrid work models necessitates a shift in focus towards endpoint security. With employees accessing company resources from diverse locations and devices, traditional office-centric security measures become inadequate. Protecting each device and user, regardless of their location, becomes critical. This requires a change in perspective, treating the endpoint (the device and the user) as the first line of defense.
“It was easier. All the desktop computers were in an office behind a firewall, protected by physical security. Now, we protect everything at the endpoint. So, we’re protecting at the device level and the user level, so it doesn’t really matter where they go.”
Selecting the Right Compliance Framework
Choosing a suitable compliance framework can be challenging for MSPs. While some industries have specific requirements like HIPAA for healthcare, others necessitate more general frameworks. CMMC, NIST CSF, and SOC 2 are among the options, each with varying levels of detail. Moss suggests starting with the most stringent framework the MSP can comfortably manage, as this establishes a higher initial security standard. The decision should also take into account the client base and the specific industries they operate in.
“Pick the highest level you’re comfortable with and start there. The reason is that we all need to do better security, so I don’t think someone should start in the basement of security. If we’re out there being the trusted resource, we need to start with a higher bar.”
Executive Responsibility and Personal Liability
Executives face increasing personal liability for compliance shortcomings. Regulatory bodies are actively investigating security breaches and holding senior leaders responsible, both financially and legally. Whistleblowers are encouraged to report non-compliance, further escalating the risk for executives who neglect their obligations. This emphasizes the importance of Directors and Officers (D&O) insurance and proactive compliance efforts. Claiming ignorance is no longer acceptable, and organizations must prioritize compliance to safeguard both the business and its leadership.
“Gartner said by 2024 we’re going to see that this pleading of ignorance by senior executives, it’s not going to cut it anymore. The executives that own risk in an organization are going to be personally held liable, both financially and criminally, for gaps in following compliance.”
Syncronized is the MSP podcast that drives MSP growth, from startup to scale-up. In each episode, we dive into the topics that matter most to IT providers, such as automation, AI, service delivery and profitability. Join us as we engage with experts and gain hands-on insights and practical advice you can directly apply to propel your business forward.