Building a risk-first security culture

By: Matt Lee

Cybersecurity is not the sole responsibility of the MSP. Read that again. When it comes to cybersecurity, it is absolutely a joint and shared effort between the managed services provider (MSP) and the customer. 

The digital world is rapidly changing, and the time to embrace and enforce a culture focused on risk and protection is right now. The alternative is almost definite compromise and, in many cases, loss of a business. 

The truth is, we don’t live in a security culture; we live in a convenience and profitability culture. Building a risk-first culture requires a change of mindset. It’s not an innate, immediate change, but once you increase your general understanding of risk, you’ll be much better off.  

So why and how should we become risk-first? Let’s explore.  

Why is it important to be risk-first? 

The reality is that we are operating in a world full of cyberthreats, and those threats are not going away—cybersecurity is a requirement. As an MSP, you’ve worked really hard to get your business to where it is, and your clients have done the same. Now, all efforts need to be made to protect what you’ve built. 

Straight up, you will not be in business if you neglect cybersecurity. 

Think about it this way: when you buy a home, do you leave all your windows and doors unlocked because you don’t want to accept that home invaders exist? No, you probably buy insurance, invest in a security system, store your important documents in a lockbox, and so forth. You make efforts to protect your house. Why wouldn’t you do the same for your business?   

New regulations, guidelines, and privacy acts are coming. MSPs who don’t understand cybersecurity, who don’t become risk-first, and who don’t stay abreast of these new regulations will certainly experience business loss. Now is the time to bulk up your security measures, not just for your MSP, but for the benefit of your clients as well.   

It would be lovely to live in a world where bad actors didn’t exist, but wishing them away will not protect us during a cyberattack. Once we accept and understand that risks are very real, we can operate under a mindset of protecting ourselves at all times. 

How to shift to a risk-first mindset 

To be risk-first means you understand, accept, and believe in risk. As an MSP, you may feel that you have a general lack of understanding of how much risk actually exists, and that’s okay! You can take steps to change that. The most important thing is to commit to changing your mindset and prioritizing security. 

Here are actionable ways to encourage a risk-first security culture in your MSP:  

1. Educate yourself  

There are existing resources specifically created to help people learn about and incorporate cybersecurity practices into their day-to-day activities. Take advantage of certification programs, trainings, peer groups, and experts who can share best practices. The CompTIA Information Sharing and Analysis Organization (ISAO) is an essential resource that provides critical threat intelligence to those in the technology space. 

However, be aware that cybersecurity education is not the responsibility of a single person.   

Every individual in the organization needs to feel educated and empowered, and they should all be speaking the same language and understanding various security components.

When each person within the MSP goes through the same training—whether it’s a sales manager or a technician—it benefits the greater good because it helps contextualize pieces of information. 

The deeper everyone dives into security, the more everyone can solve for what they don’t know. 

The other piece of this is that the more educated you are as an MSP, the more you can educate your clients. When you can come to your clients with expert knowledge and guidance, you start to position yourself as a trusted advisor rather than just a vendor. This sets you up for repeat business, and long-term wins. 

2. Identify a security champion

This is something every organization should consider moving forward. Who is the one person in your company who can lead the charge when it comes to cybersecurity? This doesn’t mean the full burden of cybersecurity will fall on the champion’s shoulders, but it means there will be a point person who will encourage and enforce policies and protocols. 

The right person for this job really depends on the company’s operating model and size. For example, a five-person shop will probably have the CEO leading the charge, a 20-person shop may name a vCIO as a security champion, and a 200-person shop may have a dedicated, full-time employee in this role. 

Regardless of size, a security champion should help all colleagues look at everything through a lens of risk. For example, look at critical assets and understand what’s most important and what’s less important, and help educate on risk (such as not using the same passwords across apps). 

Security is never a finite game, so this role would always be evolving to identify new risks. For this to work, the champion would have to be empowered by management to move forward because, again, security is everyone’s job. With the support of upper management, MSPs can learn to be secure-first instead of convenience-first. 

3. Plan for the unpredictable

It’s impossible to predict every situation an organization may face, but when you always have a security lens on, you’re conditioning people to change and be iterative. By updating processes, separating risk by role, and iterating, you’re allowing yourself to adapt to unpredictable circumstances. 

Planning helps you understand what you know, what you don’t know, and what you don’t know you don’t know. By shifting to a security mindset and asking intelligent questions, you can contextualize, uncover what you don’t know, and learn. 

An effective way to plan is to hold frequent “Security Days,” which are essentially practice runs for unexpected circumstances. It’s a way to condition yourself to always be in security/attack mode. Doing this allows you to look at your operations and critical systems and see what can harm you or where there are holes. Just by getting in the habit of conducting Security Days, you will develop ways to harden your systems and be better.   

4. Understand your risk scores

An effective way to constantly wear a cybersecurity lens is to give various areas of your business a risk score. Do this by coming up with a risk calculation that makes sense to you (for example, risk = likelihood x consequence).   

If you understand your risk scores, it will allow you to apply new and better policies to reduce risks and threats. Just adjusting to this mindset brings actionable change because you’re going to see holes and be able to iterate. 

If you think about it, bad actors are always iterating. They’re always thinking of novel ways to break into systems and accomplish their goals. If bad actors never stop working to make the digital world dangerous, then collectively, we should never stop taking action to protect our data. 

Before any action is taken, an MSP should ask, “Is this a security concern?” or “What’s my risk score here?” For example, if an employee reaches out to a tech on Slack asking for help resetting a password, that tech needs to make sure the person messaging is who they actually say they are. It may seem small, but approaching everything with that lens shifts the way we tackle cybersecurity. 

As colleagues in the technology space, we need to change the way we talk about cybersecurity. Too often, we’re highlighting the failures, which is demotivating and discouraging. Instead, to make cybersecurity a social norm, we all need to focus on the wins and what we’re doing right. 

FUD (fear, uncertainty, and doubt) is real. There’s no denying it. But focusing on how we can all succeed is better than the despair of failure.

MSPs and clients alike can start taking actionable steps to incorporate cybersecurity, creating a butterfly effect, so to speak. It will change the way we all do business, and we will be benefiting the greater good.

The time to become a cybersecurity expert and to be that trusted advisor for all clients is now. It’ll take some effort, but we truly can all put cybersecurity at the forefront of our businesses. 

Matt provides overall leadership and strategic direction for information technology environments throughout Iconic IT on behalf of its numerous customers (internal and external) and partners. A technology veteran with expertise in virtualization, platform as a service (PaaS), cloud security, and technology transformations, Mr. Lee has been tasked with developing the Iconic IT roadmap and leading Iconic IT’s technology initiatives while working closely with customers and partners.

Mr. Lee creates mutually valuable partnerships by participating actively on major partners’ advisory boards, as well as service delivery councils. He was the recipient of the Wichita Business Journal’s 2016 CIO award. Mr. Lee has been a featured presenter for industry events such as Continuum’s Navigate and the WatchGuard Partner Summit. He participated in the Green Cloud Partner Summit 2019 Pac. Under Matt’s technological direction, Choose Networks was ranked in the top 50% of the prestigious ChannelPro 2019 501 list.