About the Author
Zach Duke is the Founder and President of the cybersecurity firm Finosec. He leads the company's vision of helping financial institutions navigate the complexities and burdens of cybersecurity. Zach has over 20 years of experience helping community banks manage information security and cybersecurity. He has held technical, product management, business development, and leadership positions at the network services company Safe Systems and at Gladiator Technology, until the latter's acquisition by Jack Henry & Associates, Inc. Zach has a passion for community banks and has taught numerous banking topics related to technology strategic planning, cybersecurity, and compliance.
Duke is on the advisory board of Management Information Systems at the University of Georgia and he is the immediate Past President of the financial technology user group The Association for Financial Technology (aftweb.com).
Duke received his BBA in Management Information Systems from the University of Georgia. His unique background and presentation style allow him to communicate complex topics in ways that keep the audience engaged and informed.
Best Practices Webinar for Building Security Services
If your managed security offerings don't align with an industry framework, chances are you will struggle to package, price, and sell your services.
Industry standards like the NIST Cybersecurity Framework (CSF) give an organization a structure for aligning the risk tolerance set at the executive level with the business and the operations that support its critical infrastructure. A common language begins to emerge between MSPs and their customers. That language uses the five CSF functions, Identify, Protect, Detect, Respond, and Recover, along with the four implementation tiers: Partial, Risk Informed, Repeatable, and Adaptive.
If we step back and ask why we implement the security solutions we do, the intent is to protect the data. Interestingly, most MSPs have no data identification or classification process and therefore work mainly in the Protect and Detect functions of CSF. What is often missing when an MSP works with a client or prospect is an understanding of what the crown jewels are and where they live. In other words, the foundation of a solid security practice is discovery, the Identify function.
The crown jewels differ from client to client and vertical to vertical. For example, healthcare organizations typically care about patient records and their EMR system. Financial organizations like banks often care about their core banking system and Personally Identifiable Information (PII). Retail organizations typically care about credit card data, and most organizations care about their accounting solutions, like QuickBooks, where we are seeing an ever-increasing amount of invoice fraud.
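The Identify function described above starts with finding out where regulated data actually sits. As an added illustration (this is example code written for this article, not code from the original post, from Finosec, or from NIST), the script below runs a pattern-based discovery pass over a set of constructed, hypothetical file contents and produces a classification inventory. The file paths, sample text, data types and classification labels are all assumptions chosen for the example. The one non-obvious piece is the Luhn mod-10 check: a bare 16-digit regex flags order IDs and other numeric noise as card numbers, while the checksum filters most of them out.

```python
import re
from dataclasses import dataclass

# Constructed sample "files" for this example; paths and contents are hypothetical.
# 4111111111111111 is a widely published Luhn-valid test number, 1234567812345678 is not.
SAMPLE_FILES = {
    "finance/ap_export.csv": "vendor,invoice,amount\nAcme,INV-1001,4200.00\n",
    "hr/benefits.txt": "Employee Jane Roe SSN 078-05-1120 enrolled 2023\n",
    "sales/orders.log": "order 4111111111111111 shipped\norder 1234567812345678 pending\n",
    "it/runbook.md": "# Runbook\nRestart the service if the queue grows.\n",
}

# Candidate card numbers: 13-19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
# US SSN in AAA-GG-SSSS form, excluding area/group/serial values never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

# Assumed classification labels for this example; a real program maps to its own scheme.
CLASSIFICATION = {"PAN": "Restricted (PCI)", "SSN": "Restricted (PII)"}


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 checksum: doubles every second digit from the right, sums, checks % 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return Luhn-valid card numbers (digits only) found in text."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits


@dataclass
class Finding:
    path: str
    data_type: str
    count: int
    classification: str


def scan_files(files: dict) -> list:
    """Scan each file's text for PAN and SSN patterns; one Finding per (file, data type)."""
    findings = []
    for path, text in sorted(files.items()):
        pans = find_pans(text)
        if pans:
            findings.append(Finding(path, "PAN", len(pans), CLASSIFICATION["PAN"]))
        ssns = SSN_RE.findall(text)
        if ssns:
            findings.append(Finding(path, "SSN", len(ssns), CLASSIFICATION["SSN"]))
    return findings


def inventory(files: dict = SAMPLE_FILES) -> dict:
    """Map every path to a classification; files with no regulated data are 'Internal'."""
    result = {path: "Internal" for path in files}
    for f in scan_files(files):
        result[f.path] = f.classification
    return result


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}: {f.count} x {f.data_type} -> {f.classification}")
```

Run against the constructed samples, only the order log and the HR file come back as Restricted; the second order number is rejected by the checksum even though it matches the digit pattern. Pattern scanning like this is a starting point for Identify, not a substitute for asking the client where the core banking export, EMR dump or QuickBooks company file lives, since those crown jewels do not necessarily contain a card number or SSN.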
Successful managed security service offerings must take into account all five functions of CSF and make them relevant to the customer's risk tolerance and budget, which in turn depends on your ability to explain to the client or prospect why spending more is justified by their own objectives.
In our recorded webinar, our industry experts will discuss these topics further and share the path forward.
View our recorded webinar to learn how to build out your security practice.