Get Support

Request a Quote

Platform
PSA & RMM

PSA

RMM

CPQ

Remote Access

Reporting

Documentation

Payments

Customer Feedback

Solve any challenge with one platform

Operate more efficiently, reduce complexity, improve EBITDA, and much more with the purpose-built platform for MSPs.

Explore the Platform

Innovation Webinar

See new and upcoming product enhancements in our monthly innovation webinar series!
Cybersecurity & Data Protection

MDR

SIEM

Cloud Backup

BCDR

Security Dashboard

Backup Dashboard

SaaS Security

Vulnerability Management

Ensure security and business continuity, 24/7

Protect and defend what matters most to your clients and stakeholders with ConnectWise's best-in-class cybersecurity and BCDR solutions.

Explore Cyber and BCDR

Innovation Webinar

See new and upcoming product enhancements in our monthly innovation webinar series!
Hyperautomation

RPA

Sidekick

Integrations

Integrate and automate to unlock cost savings

Leverage generative AI and RPA workflows to simplify and streamline the most time-consuming parts of IT.

Explore Our Marketplace

Innovation Webinar

See new and upcoming product enhancements in our monthly innovation webinar series!
Solutions
By Use Case

Client Onboarding

Increase agility and reduce complexity

Service Desk Ticketing

Deliver fast and efficient service

Cyber Remediation

Deliver holistic cybersecurity and data protection

Billing Reconciliation

Error-free invoicing and revenue protection

Patch Management

Automate patching across all your endpoints

The first and only true MSP platform

 
By Market

MSPs

Purpose-built MSP solutions to accelerate profitability and growth

IT Departments

IT service management (ITSM) software and cybersecurity for IT teams

Managed Print

Print security, event management, and monitoring

VAR

Proven as-a-service offerings and integrations

The first and only true MSP platform

 
By Category

Business Management

Streamline end-to-end business management with robust professional services automation

Unified Monitoring & Management

Unlock workflows, automation, and insights you can’t get anywhere else with one suite of solutions

Cybersecurity & Data Protection

Get the software, services, and support you need to sell and secure your clients 24/7

Expert Services

Expert MSP Support and Help Desk Services

The first and only true MSP platform

 
Community
IT Nation

IT Nation Evolve™

Accelerate your MSP business growth with the premier annual membership program and peer experience focused on planning, accountability, and success

IT Nation Connect™ Global 

Join the groundbreaking MSP community at the can't-miss industry conference for education, inspiration, and networking. Attendees return year after year to be part of a collaborative community focused on helping individuals solve business challenges and grow. 

Service Leadership, Inc.®

Drive financial performance and Operational Maturity Level™ through benchmarking, advanced peer groups, industry best practices, education, and speaking.

Let’s meet up at the industry’s largest MSP event! 
Events

IT Nation Connect Global

November 5-7, 2025 | Orlando & Virtual

IT Nation Connect Europe

March 9-11, 2026 | London

IT Nation Connect ANZ

August 20-22, 2025 | Sydney

IT Nation Secure

June 8-10, 2026 | Orlando

IT Nation Grow

August 13, 2025 I Denver

PitchIT

Apply Today for your chance at $100K in prize money!

Explore ConnectWise Events

Join fellow IT pros at ConnectWise industry & customer events!

Explore Today

Let’s meet up at the industry’s largest MSP event! 
University

Product Training

Calendar

What's New

University Log-In

Check out our online learning platform, designed to help IT service providers get the most out of ConnectWise products and services.

ConnectWise University

Explore our product training course catalog.
Resources

Webinars

Blog

eBooks

Case Studies

Resources

Feature Sheets

On-demand Demos

Live Demos

Cybersecurity Center

Explore the ConnectWise Resource Center

Search our resource center for the latest MSP ebooks, white papers, infographics, webinars and more!

Explore Today

Explore the latest product innovations designed to enhance your ConnectWise experience.
About Us
About Us

Mission & Values

Careers

Leadership

Board of Directors

Philanthropy

Experience the ConnectWise Way

Join hundreds of thousands of IT professionals benefiting from and contributing to a legacy of industry leadership when you become a part of the ConnectWise community.

Learn More

Transform your business with the ConnectWise community
News & Press

Press Room

Awards

Case Studies

Experience the ConnectWise Way

Join hundreds of thousands of IT professionals benefiting from and contributing to a legacy of industry leadership when you become a part of the ConnectWise community.

Learn More

ConnectWise Partner Success Stories
ConnectWise

3/29/2021 | 6 Minute Read

Building an Information Security Program

Topics:

Contents

    See what good cybersecurity looks like

    Learn how to develop, implement, and mature your security program.

    Get the playbooks

    Which comes first, the chicken or the egg?

    If the chicken is security and the egg is compliance, which comes first? Both are needed to build an information security program. If you think about it based on the answers to these next questions, you will probably come up with two right answers. What do I need to keep my organizational assets safe? Answer, security, the chicken. Do I need a framework to know my organization’s assets are safe? Yes, compliance, the egg.

    Can you have security in place without compliance? Of course, you can. But how will you measure your security posture and maturity without following a compliance framework?

    Ok, enough with the chicken and the egg question, as I could go on forever. With the number of small to medium businesses that outsource their IT operations and services to the partner MSP community, it is important to establish mature cybersecurity and compliance practices to better address the unique risks, threats, and attacks that accompany the shared services model within the MSP community. As global regulations increase in scope and complexity, and security threats multiply exponentially, organizations find themselves in a position of deciding where to invest, security or compliance. The solution to this question is to build an Information Security Program which balances the need for more robust security and defines a compliance structure based on the guidelines, regulations, and legislation to which your organization must adhere.

    The approach

    You can develop and implement an Information Security Program using these key steps.

    • Identify the Compliance Framework that will be the basis of the security program.
    • Establish a Security Management Structure.
    • Perform a risk assessment and review the assessment findings within the context of the selected Compliance Framework.
    • Identify risk levels and establish a priority for developing policies, procedures, and controls around these risks.
    • Implement an active training and education program.

    It is critical to note these are not just one-time actions. These are iterative steps used to mature the security posture and program over time.

    Identify the compliance framework

    Choosing a compliance framework has a couple of advantages. First, the framework represents the collective guidance of other organizations that have implemented security programs using the chosen framework. Many security and compliance frameworks are designed with the flexibility to be easily tailored to meet your organization’s requirements. Second, by adopting a framework, you bring a common vocabulary and understanding of security and compliance to your organization, leading to greater collaboration and communication across business operations.

    Several common frameworks are available for you to build your Information Security Program:

    • IT Nation Secure MSP+ Cybersecurity Framework – designed for MSPs and defines what good cybersecurity looks like.
    • NIST 800-XX – several publications available based on whether federal or non-federal.
    • ISO/IEC 27001 – widely known, providing requirements for an information security management system.
    • COBIT – COBIT® 2019 is the most recent evolution of ISACA’s globally recognized and utilized COBIT framework.

    These frameworks provide guidance on the core elements of a security program: Governance, Policies, Risk Management, Training and Awareness, Security Controls, and Continuous Monitoring.

    Establish a security management structure/committee

    Establishing an Information Security Committee is a critical step and needs leadership buy-in from throughout your organization. The person who ultimately is responsible for the security budget should lead the Committee and have support from all areas of the organization, especially Human Resources and Legal. Their early involvement ensures cooperation in the establishment of policies and procedures which affect the entire organization.

    The Committee generally provides guidance on the activities which appear below. This list is not intended to be inclusive, nor exhaustive, but captures the general scope of activities to be performed:

    • Governance: The Committee serves as the governing body for the creation, revision, education, awareness, and enforcement of all policies, standards, and procedures, whether internal or contractual.
    • Risk: The Committee is accountable for ensuring an appropriate risk posture is assessed and maintained to protect the employees, intellectual property, customer property, and alignment with regulatory requirements.
    • Communication: The Committee is accountable for conveying incidents and status to the Chief Executive Officer, Board of Directors, and as appropriate, to employees, customers, media, and regulators.
    • Decision: Through appropriate governance, assessment, and communication, the Committee will act as a decision-making body on all items pertaining to the Security and Compliance posture and will engage the Chief Executive Officer and others as needed to enable appropriate decisions.

    Perform a risk assessment and identify risk levels

    Assessing your organization’s risk is an important, beginning step in developing an Information Security Program. Without an understanding of your risk, you will not be able to determine the proper policies, procedures, guidelines, and standards needed to ensure the placement of adequate controls. The risk assessment has three major components: Threat Assessment, Vulnerability Assessment, and Asset Identification.

    After completing the threat and vulnerability assessments and identifying your at-risk assets, you must balance and prioritize your remediation based on determined risk and cost to remediate. As this method does not always distill down to an obvious choice, the decision-making process to prioritize these risks typically requires heavy reliance upon your experience and professional judgment. Knowing where your most significant risks reside, and which of those risks need short-term attention, allows you to build the backbone of your security roadmap. With this risk assessment, with prioritized risks on your roadmap, you can now address these additional program elements: Risk Management, Security Controls, Policies, and Monitoring.

    Implement an active training and security awareness program

    Having established your policies, procedures, guidelines, and standards, based on your risk assessment and compliance framework, their existence must be shared and circulated across the organization through the education and training process. An Awareness and Training program is critical to their implementation and crucial to the Information Security Program’s success. Security Awareness needs to be visible to employees on a regular basis. If all your hard work only sits around and collects dust on a shelf or slowly degrades as a digital file, then you have wasted a lot of time and effort to not make it past the goal line. Annual Security Awareness training is necessary to keep everyone up to date on the latest security information. It is also equally important to provide brief email updates, newsletters, posters, and other reminders throughout the year.

    Summary and conclusion

    Creating an Information Security Program supports an incremental approach towards maturing your organization’s security and compliance.

    Choosing a compliance framework introduces a common security vocabulary and improves communication around security issues. Within the context of your framework, performing a risk assessment identifies the areas with the highest risk, thus prioritizing the policies, procedures, and security controls to implement. Continuous auditing and monitoring of the work and effort put into the program is the real test of whether the program is accomplishing its goal and securing your organization. Awareness and training are the cornerstones for building a culture of security and compliance throughout your organization.

    An iterative approach to building an Information Security Program affords your organization the ability to set the pace at which the Information Security Program grows and matures. The availability of your resources and personnel, along with the known, accepted risk, determines how fast the program evolves and matures. Whether you think the chicken, or the egg, came first, your organization’s security posture will continue to get stronger and stronger as you implement and develop your Information Security Program.

    You do not really need to answer the question of which came first, the chicken or the egg, to secure your organization. However, you do need your security and compliance programs to be proactive and work together to build an Information Security Program and avoid security failures within your organization. Competing priorities and lack of resources often prevent us from establishing an Information Security Program. If you need help in developing, implementing, or maturing your program, make sure you download the MSP+ Cybersecurity Framework and the Fundamentals (Yellow), Advanced (Green), and Masters (Blue) books to guide you on your journey.

    Topics:

    Frank DePrisco
    by Frank DePrisco

    Related Articles

    Blog

    EDR vs. SIEM: How they differ and why you need both

    03/07/2025

    EDR and SIEM software shouldn’t be an “either or” scenario. Learn why you need both of these powerful tools to help your clients.
    Blog

    What is attack surface management?

    03/03/2025

    Learn about the critical role of attack surface management in identifying, reducing, and protecting your organization's digital vulnerabilities.
    Blog

    How to prevent ransomware: Mitigation strategies for MSPs

    03/10/2025

    While it’s not possible to prevent ransomware attacks, we can significantly reduce the potential and impact of a ransomware event. Learn essential detection and mitigation techniques.
    Blog

    Phishing prevention tips: 8 ways MSPs and SMBs can prevent attacks

    12/17/2024

    Discover essential phishing prevention tips for MSPs and SMBs. Learn how to stop phishing attacks and protect sensitive data with these expert strategies from ConnectWise. 
    Blog

    10 common cybersecurity threats and attacks: 2025 update

    02/18/2025

    Learn about the top most common cybersecurity threats and attacks that are used today and how to prevent them with ConnectWise.