April 29, 2021

Last Updated on January 14, 2024

If your SMB is like most others, you probably have already outsourced your IT to a managed service provider (MSP)—or more than one. But finding the right MSP for your evolving business can be a challenge. Many SMBs have been through a few, and at any given time might be actively looking to switch.

One of the difficulties with choosing an MSP is the evaluation process. What’s a best-practice approach? Are there any objective criteria you can use? Or is a peer’s recommendation plus a bit of “gut feel” all there is to go on?

One organization that has focused on validating MSPs for over 20 years is MSPAlliance, a global trade association for MSPs. Host John Verry, Pivot Point Security’s CISO and Managing Partner, talked with MSPAlliance co-founder Charles Weaver on a recent episode of The Virtual CISO Podcast.

“There are some great MSPs, and there are some perhaps not so good MSPs,” notes John. “So how do I know whether my MSP is going to be one of those that gets hit by ransomware? How do I know my MSP is competent? How do I know they’re going to treat my data securely? How do I know they’re going to set me up for success?”

“That’s like asking me what kind of clothes I should wear today, or what’s my favorite meal,” quips Charles. “I don’t know! What MSP should I be using? Can you recommend an MSP? My first response is, ‘What do you do? What do you need help with? Where are you?’ There’s a litany of questions to ask. It’s not one size fits all.”

There’s no licensure for MSPs like there is for doctors, lawyers or accountants. So just because someone calls themselves an MSP doesn’t mean they’re worthy of the name. This makes your due diligence all the more crucial. Charles has several suggestions for how to spot a competent MSP.

“It’s about transparency, first of all,” Charles states. “If an MSP is not transparent, be cautious. If you’re asking an MSP legitimate questions, like how they do things and lots of security questions, and you sense hesitancy… Or if they’re not sure about what the question means—those are red flags, red flares of maybe I shouldn’t be talking to you about taking over my IT management.”

How important are industry certifications, either for individual practitioners or the MSPs themselves?

“They’re hugely important at the individual level,” advises Charles. “The MSP needs to have competent people who understand the technology.”

Charles continues: “Are vendor certs useful or not? I think Cisco and VMware and some of the other vendors actually do a pretty decent job of training their channel on the technology that they have.”

Trust but MSP Verify

Are there any industry standards applicable to MSPs?

“There are a handful of decent standards out there that are relevant, in part, to MSPs,” Charles observes. “Nothing was purpose-built for MSPs until a committee of our members got together in 2004 and solved that problem with MSP Verify.”

Designed to provide assurance, foster trust, and show evidence of transparency to consumers of managed IT services based on a third-party assessment, MSP Verify is the most respected industry certification for managed service providers.

“It’s a factual statement of what the MSP is doing with some reasonable amount of assurance behind it that it’s actually being done,” relates Charles.

If you work with—or for—an MSP or MSSP, this episode with Charles Weaver from MSPAlliance is a great one to listen to.

To listen to the complete episode, click here. If you don’t use Apple Podcasts, you can access our fast-growing selection of information security podcasts here.
