SPECTRA Blog

When you’re looking for help with your cybersecurity, how do you choose a Managed Service Provider?

Written by Spectra | Jan 19, 2026 11:23:10 PM


Edouard Von Herberstein CEO | SPECTRA

When you’re looking for help with your cybersecurity, how do you choose a Managed Service Provider?

You want one with the right tools, of course, and experts who are qualified to protect your network, data, and IP, 24/7, and who stand behind their work and have a strong track record of protecting businesses like yours.

Figuring all that out on your own is no easy task. That’s why SPECTRA was started, and it has been certifying MSPs nationwide and connecting them with businesses, brokers, and insurers who value exceptional cyber resilience and the peace of mind the best MSPs deliver.

According to a recent survey by Mastercard, of the many millions of SMBs operating globally, 46% will experience a significant cyber incident, and one in five will go out of business within 6 months of the incident. This underlines that the majority of SMBs have insufficient cybersecurity and insufficient cyber insurance, if any, and millions are not cyber resilient. The SPECTRA program exists because we need to provide SMBs with a network of high-quality, trusted, inspected MSPs who provide best-in-class cybersecurity solutions protecting against and mitigating existential, malicious, and non-malicious cyber incidents.

However, while cyber resilience begins with cybersecurity, it does not stop there. It ends with a comprehensive cyber insurance policy delivered by a cyber insurance broker who understands the customer's needs. SPECTRA exclusively partners with brokers and insurers who value SPECTRA certified MSPs' expertise and treat them as cyber risk expert partners, before and after a cyber incident.

Let’s learn more about what makes the SPECTRA certification unique and all the work that goes into producing a certification that has critical business value for the MSP and the SMB customers.


MSPs go through an intensive certification process before they can be on the map of Certified MSPs.


First and foremost, the standards MSPs must meet to get certified and recognized as an exceptional provider of cybersecurity services align with the most rigorous standards (NIST, SOC, ISO, and others). The certification goes well beyond them, though: it evaluates the security solutions delivered to customers and also verifies their deployment. We go through a long list of objective criteria. And if an MSP meets our objective criteria, we’ll give them the certification badge.

Those criteria are:

Exceptional security performance and customer satisfaction


SPECTRA certified MSPs are expected to show exceptional performance in delivering cybersecurity solutions and high customer retention. The program verifies performance and customer satisfaction by analyzing the MSP’s operational track record and history of disruption, the effectiveness of its helpdesk and support function, and the alignment of services agreed with services delivered.


SPECTRA monitors MSP performance regularly throughout the year:

  • At the annual recertification
  • During performance warranty activations
  • During preferred insurance customer registration with our insurance partners

Use of tools, software, and infrastructure with proven reliability

Most cybersecurity vendors provide various solutions. While SPECTRA does not prescribe specific security vendors' products, the SPECTRA certifier works with the MSP to ensure the tech stacks and the security solutions deliver the cyber resilience performance our certification requires, and your customers and their insurers expect. As a customer, and without someone checking, how do you know what you're getting?


Although we don’t tell MSPs what tools to use, we do verify the adequacy and quality of the solutions deployed, through reference to reputable, independent testing as well as our own inspection.

Use of the right tools


SPECTRA certified MSPs are required to have the solutions and equipment necessary to properly block, identify, isolate, mitigate and remediate threats and cyber incidents on all the SMBs they provide services to. The program also requires certified MSPs to continuously update their security stack and look for and evaluate better technology vendors to secure their customers as threats evolve.


Technicians with appropriate certifications


Just as important as the right security software is making sure the right engineers are deploying, configuring, monitoring, and patching it. Technicians can either be vendor certified by a specific software provider (Palo Alto, Microsoft, CrowdStrike) or hold an independent certification from a recognized body, such as Certified Information Systems Security Professional (CISSP) or CompTIA.


Those certifications only last a couple of years before recertification is required, so security engineers have to renew them to demonstrate they’re up to date in their industry and on the cybersecurity they work on.


In-person inspections & interviews


So how does the SPECTRA Certifier know whether an MSP delivers cybersecurity excellence for customers, what software, infrastructure, and processes it’s using, or whether it has sufficiently trained technicians?


When an MSP applies to become SPECTRA certified, they fill out an onboarding form in the SPECTRA portal and set up a 30-minute call with a SPECTRA Certifier Field Specialist, who will go through specific control requirements. The Certifier will verify foundational controls and request some evidence sharing (standard contracts, RMM screenshots, and other evidence). Most MSPs typically become SPECTRA “Approved” after that onboarding call and access some initial benefits.

To access the full suite of SPECTRA benefits (service warranties, most preferred insurance coverage and pricing, warm leads from insurers, lower litigation risk, and no rip-and-replace situations by insurer incident response team post breach...), the MSP will need to provide additional evidence of controls and pricing best practice. It is not a hand wave. It can take a few days, or a few weeks if the MSP needs to implement additional or better cybersecurity controls. We're getting documents from the MSP, looking at tools, meeting technicians, and verifying their professional certifications. We are also looking at MSP processes: we talk to the MSP about how they do business, quality and performance control processes, change management, staff training, and security vendor relationships.

If a shop doesn’t meet requirements in an area, they can either modify that process going forward or decide not to continue seeking certification.

Once SPECTRA certified, the MSPs must maintain the Certification Standards


While SPECTRA does not require real-time monitoring (no agent, connectors, or API), the MSP agrees to notify SPECTRA of significant changes to their security offering that could affect their certification. SPECTRA also has regular touchpoints with the certified MSP when service warranties are activated or when the MSP or its customers are registered with a SPECTRA broker partner for a preferred insurance quote.


There is effort required on the part of the certified MSPs, including:


Cooperation between MSP and insurer reduces breached customer disruption


Obtaining a certification of resilience delivered and warrantied by a third party also demonstrates the MSP's confidence in its offering and willingness to go through a rigorous inspection. As Joshua Stricker, a certified MSP owner, said, “the SPECTRA certification is straightforward if you know what you are doing.”


No matter how good the MSP security solutions are, breaches and cyber incidents occur. Those incidents can have significant or even existential financial consequences for the MSP customer.


Certified MSPs must have:

  • A plan in place to assist multiple customers at once if an incident affects many customers simultaneously
  • An incident response partner ready to assist

Finally, SPECTRA insurance partners consider certified MSPs their partners and agree to:

  • Not seek indemnification (through litigation) from the MSP after the incident
  • Encourage cooperation between the incident response team and the MSP, which knows the customer best and can often contribute greatly to restoration efforts after a breach
  • Work towards avoiding rip-and-replace of the MSP and its solutions

Such cooperation leads to shorter disruption, limited brand damage, and maximized chances of recovery for your business.

One MSP recounted an incident in which a customer had experienced a breach (unrelated to MSP performance). The MSP had isolated the affected endpoints and was a few hours away from restoring the customer network and IT operations, but the insurer asked the MSP to stop all work and asked a new MSP to work on repairs. It took two full weeks to change all infrastructure, technology, and security, leading to a much more significant impact for the customer.

Working with a certified MSP changes this dynamic. Lack of trust leading to worse outcomes is replaced by cooperation from which all benefit, the customer in particular.

There’s nothing else like it

There is no other business providing the peace of mind that our certification offers. All other assessments are accounting and policy compliance audits (SOC and ISO) or self-reported assessments offering no guarantees, with little or no evidence provided, no inspection, and no verification. There is no third party checking that the MSP does what they say they do, leaving all cyber resilience stakeholders (businesses, insurers, suppliers, customers, investors, etc.) in the dark and unsure of the value of the security service and posture.


The SPECTRA certification is changing this.