CP: What’s the benefit of not having segmented, unregulated IT and cybersecurity?
DS: There are many benefits to working with an XSP and not having segmented, unregulated services. First, we make decisions rapidly through open lines of internal communication between our teams, unlike MSPs and MSSPs, which are two separate entities. If a client has a security incident or IT issue, we quickly collaborate across our internal teams to get to a solution. We are also able to transparently and accurately provide insights as to why the incident or issue happened because we have full visibility into our clients’ IT and security operations.
Additionally, holding ourselves to the XSP standard is important because MSPs and MSSPs have no industry regulation, yet their clients frequently do. For example, a client in health care may have to meet certain security standards to be Health Insurance Portability and Accountability Act (HIPAA) compliant. There is no HIPAA equivalent in the managed IT and security industry. The lack of standards and regulations in the service provider industry means the clients of MSPs and MSSPs are open to significant risk through their service provider, even if their business meets their own industry’s regulation requirements. As an XSP, we follow Center of Internet Security (CIS) standards, a set of globally recognized best practices that help security practitioners implement and manage cybersecurity measures.
CP: What sort of unique problems/challenges can XSPs address?
DS: XSPs address the rampant risk that exists in the IT and security managed services industry. We understand the risk we pose to our clients and understand the risk our clients pose to us. Because of this, we require all clients to adhere to our same strict security standards that we follow in order to mitigate the impact of a breach event on our network of clients. Working with an MSP or an MSSP is a risk because you are exposing more variables to your environment. As an XSP, we are aware of this risk and walk the walk by putting safeguards in place to protect both our clients and ourselves.
XSP is the natural evolution of the technical service industry. It is built on the same principle as standard plane safety. In the event of an emergency, you must put your own oxygen mask on first before helping others. In other words, to ensure the safety and success of others, you must first prioritize your own safety so you do not unconsciously become a liability to someone else.
CP: How does a service provider become an XSP?
DS: An organization can become an XSP by offering integrated IT and security services, and maintaining and requiring stringent cybersecurity standards for their clients and themselves. They need to follow CIS controls and map these standards into their solutions. They also need to have 24/7 managed detection and response (MDR) monitoring, and require microsegmentation, privileged access management (PAM), multifactor authentication (MFA) and regular security assessments, including pen tests, for their clients.
Outside of the security requirements, being an XSP is a mindset. Your team needs to be security tool-agnostic, and constantly vetting new solutions and partners. You need to be constantly exploring and striving to provide the best solutions that balance your clients’ budgets while prioritizing both security and usability. Finally, you need to be aware and honest about the risk that you pose to your clients and the risks they pose to you.
CP: What do you hope attendees can learn and make use of from your session?
DS: We hope that attendees will understand the gravity of the purpose behind XSP and why it is important to have integrated IT and cybersecurity services for not just their clients, but their own businesses. Over the past three years, we have performed over 70,000 hours of incident response work for new clients who are not managed under our XSP stack. We help those companies in some of their darkest days recover from ransomware, and it is honestly heartbreaking to realize that many of these companies could have easily avoided the mental and financial stress of a breach. By being an XSP, you can be a true partner to your clients and help them become more resilient.
Right now, it seems like even the market is confused about what it means to be an MSP versus an MSSP as the lines become more and more blurred. Instead of trying to navigate this blurred line, we charge you with helping us erase it altogether.