IT security is headline news. We hear about major security incidents almost every day. In just the last few weeks, breaches have been reported at Kmart, Chipotle, Zomato, Booz Allen Hamilton, DocuSign, Bell Canada and many other organizations. And this is just the tip of the iceberg – the number of reported data breaches rose by 40% in 2016, with the average breach now costing $4 million. Then there are the mega-breaches, such as those at Target or Yahoo – any time a billion accounts are compromised, the impact is almost unfathomable.
Here’s the truth: your IT security is only as strong as its weakest link. That’s why you need to choose a managed services provider (MSP) that has an ironclad security program. If you’re going to trust the management of your mission-critical IT infrastructure to an MSP, you need to make sure that they have the monitoring platform, policies, processes and training in place to keep your systems and data secure. Otherwise, you’re exposing yourself – and your customers – to unacceptable risks.
Security Certifications Are Critical
Don’t take security on faith. If an MSP says that they offer robust security, tell them to prove it. The best way to do this is to demand security certifications: proof of compliance with established security standards and best practices. To get these certifications, an MSP has to undergo rigorous third-party audits, giving you independent confirmation that the MSP is doing what they say they’re doing. Ask to see the certificate itself, not just a logo on a website: check the scope statement (a certificate can cover only part of a provider’s operations or only certain sites), the expiry date and the accreditation of the issuing certification body.
Consider ISO/IEC 27001:2013. This international standard specifies the requirements for an information security management system, and its Annex A lists 114 controls across 14 domains for monitoring and managing risk. These controls address key areas such as information security policies, physical security, system and operations security, access control, human resources, business continuity and supplier relationships. And these controls don’t just focus on preventing security issues; they also make sure that security incidents are handled effectively when they occur.
Driving Continuous Security Improvement
To become ISO 27001 certified, an MSP must pass an initial certification audit and then undergo recertification every three years. In between full audits, the MSP is subject to regular surveillance audits by the certification body, typically once a year. This verifies that the MSP is still operating the controls it declared in its Statement of Applicability, and that it is continually improving its information security management capabilities.
In other words, security certifications are your assurance that an MSP has a best-practice security model for the services they deliver – and that they are evolving the security program to respond to new threats and risks as they emerge.
Security is an Investment
Let’s be clear. It costs an MSP a lot of money to obtain and maintain security certifications. It’s not just about audits – it’s about implementing a far-reaching information security management system (ISMS) that permeates every aspect of the MSP’s business. That takes commitment and resources – and this investment is reflected in the price of the services they deliver. However, you can’t afford to partner with an MSP if they don’t have a certified security system – the risk is just too high. Ask yourself how much a data breach would cost you – not just recovering from the breach, but also dealing with the legal consequences and damage to your reputation. The choice is obvious.
A Sign of Organizational Maturity
Security certifications aren’t just about having an effective information security management system. They are also a compelling indicator of organizational maturity. If an MSP has a well-defined security model, they are likely to have strong operational processes as well. That translates directly into better business service availability and performance – which should be the number one reason why you choose an MSP.
Which Certifications Should You Look for?
ISO 27001 is crucial. However, if you’re in the healthcare industry, choose an MSP that also has a HIPAA-HITECH security attestation. There is no official HIPAA certification, so an independent attestation or audit report against the HIPAA Security Rule is the closest equivalent, and it shows that the provider has the policies, processes and controls needed to protect the privacy of medical data. And the value of certifications goes beyond security. For instance, if your organization has to meet Sarbanes-Oxley requirements, ask your service provider for a SOC 1 Type 2 report issued under SSAE 18. A SOC 1 report covers the provider’s controls that are relevant to your financial reporting, as SOX requires, and a Type 2 report means the auditor tested that those controls operated effectively over a review period rather than merely describing them at a point in time, as a Type 1 report does.
Optanix Continues to Lead in IT Operations Security
At Optanix, we’re committed to information security – and we have an unmatched track record of managing IT environments with the most demanding security requirements in the world. That’s why we’re proud to announce our recent recertification for ISO 27001 and HIPAA-HITECH security, as well as SSAE-18 SOC 1 Type 2. Our systematic, proactive approach safeguards customer data and is backed up by controls that span every layer of service delivery.
This commitment goes beyond security certifications. The Optanix Platform is architected from the ground up to deliver data security. As part of our security model, the Optanix Platform adapts seamlessly to a customer’s existing security policies and resides securely within their firewall – ensuring that no sensitive data leaves the customer’s network. And, as threats continue to evolve, we continue to enhance the Optanix Platform to deliver the robust security that our partners and customers demand.