You know that Essential 8 is, well, "essential", but you just don't have the time to stay on top of all the requirements. So what do you look for when outsourcing to an Essential 8 Managed Service Provider?
The first thing to ask of an E8 MSP is what E8 Maturity Level ranking they have achieved within their own business. Discuss the process they went through to reach that ranking. Ask what the key barriers they experienced were, how long it took to reach their ranking, how many hours of work were involved, and who did that work.
If the MSP can speak knowledgeably and confidently about their own experience, this goes towards their credibility and their capability to complete this work for your business. Also, who wants to be working with an E8 MSP whose own business is sitting at less than Level 3?
There are three key steps to effectively staying Essential 8 compliant - Audit + Remediation + Management.
Auditing provides visibility into your current E8 compliance state and assigns an ACSC Maturity Level ranking.
Remediation work addresses your Essential 8 compliance gaps and risk profile, providing a security uplift over time.
The Management piece is about ensuring you are completing the regular/constant tasks that are required to stay compliant e.g. patching applications within 48 hours, performing daily backups.
Does the E8 Managed Service you are considering include all three components, or will you pay separately for audit, remediation, and management work?
Essential 8 requirements do not vary by organisation, so all MSPs will have a similar list of tasks that will be performed to stay compliant or move the business into a more compliant state.
The MSP's methodology is how they will go about this work: how manual or automated the workload is, and how much engagement will still be required of your team.
Will the MSP be expecting your team to provide information or access - what data and how often?
How will they go about auditing your environment and how often? How will remediation work be prioritised?
How often and what is the nature of their reporting? How will they quantify arriving at your Essential 8 Maturity Level?
Most organisations are looking to outsource because they lack either the capability or the capacity in-house (plus it is difficult to obtain and retain security talent). So the less time and work required of your in-house team, the better.
Many MSPs charge an exorbitant sum for Essential 8 management because they are following a mostly manual, human-centric process based on spreadsheets and checklists. Anything that is time-intensive is always very costly.
Before rushing into how the MSP is going to lift your security posture, first understand how they are going to audit your environment and how they will determine your ACSC Maturity Level ranking.
An E8 audit will give you visibility of your cyber risk and compliance levels. It will pinpoint your vulnerabilities, allow you to plan out your remediation path, and benchmark your Essential 8 Maturity Level.
The audit informs everything that comes after, so it is important to understand how it will be completed, by whom, and with what outcomes.
What are the data sources that will be accessed as part of the audit?
Access to a number of specific data sources will need to be made available to the MSP to allow the auditing process.
Will there be any gaps in your audit?
The Essential 8 controls were designed to protect Microsoft Windows-based internet-connected networks. E8 was not designed for Apple devices, iOS, or any server infrastructure. It is important to understand how the MSP will manage any Apple devices you have.
An Essential 8 audit is just a 'snapshot' in time. It is relevant only to the moment it is completed, because the Essential 8 controls require regular/constant tasks (e.g. backups, software updates) to remain compliant, and environments can also be compromised by changes in personnel and policies.
Regular audits - ideally fortnightly - will 'catch' any slips in compliance and also provide evidential history of performance improvements.
Of course, this is impossible if the MSP is using manual checklists or relying on your staff for audit information.
To provide an Essential 8 security uplift, an MSP will need to undertake remediation work.
The scope of remediation work is not likely to differ significantly from one MSP to another, as they will all be working to achieve the same outcome.
The key takeaway from this question is not what the MSP will do to remediate your vulnerabilities, but how they will do it, how long it will take, and at what cost.
Remediation work can be project- or outcome-based and charged as an upfront fee or an hourly rate; or it can be part of a managed service with an agreed number of hours.
If you go for a managed service package, you will want to understand how many hours are being allocated for management work such as backups and patching, and how many are 'left over' for remediation work.
Often IT personnel get very involved in the detail of the work that will be undertaken in their environment, but spend comparatively little time discussing what their Essential 8 reporting will include.
It will be important to understand what data is being collected, how the data will be presented, and whether it will be interpreted with accompanying commentary and recommendations or not.
Essential 8 is not a service that you want to skimp on, but it is also not a service that you want to drop enormous funds on. After all, it's a protective "must have", rather than a proactive digital transformation investment.
Generally MSPs will have three main components to their commercials for an Essential 8 Managed Service.
These reflect the main scope of work - Audit, Remediation, and Management.
It can be difficult to find pricing in the public arena for Essential 8 as-a-Service.
Why?
One reason is that it is a relatively new area of focus as a standalone service. The tremendous spike in cyber attacks over the past couple of years has concentrated attention on cyber security and the Essential 8 framework, and MSPs have been slow to react and promote a responsive offering.
At MobileCorp we are transparent with our pricing. Because it is what you are looking for - right?
Our Essential 8 Audit as-a-Service includes
Pricing for our Essential 8 Audit as-a-Service starts at $19,700 for 12 months for organisations with less than 100 seats.
Our Essential 8 Remediation as-a-Service includes
Our Essential 8 Remediation as-a-Service starts at $4050 per month based on 25 hours per month remediation and management work for an organisation with less than 100 seats.
The key benefit of E8 as-a-Service is knowing your cyber risk and compliance levels at all times, and having the means in place to uplift your security posture and address your vulnerability gaps.
It also provides independent oversight, meets most governance protocols, and provides compliance reporting which can be provided to internal and external stakeholders.
It may also allow you to obtain Cyber Security Insurance, or a more favourable rate for your premiums.
One advantage that MobileCorp has over many E8 MSPs is our use of automated enterprise-grade auditing software. This proprietary software is already being used by Australian government departments and hundreds of Australian organisations. This automated software means we will undertake to audit your environment fortnightly and even on-demand.
Our team of security and network engineers is based at our Mascot headquarters in Sydney. They are experts in their fields and they respond swiftly and effectively to any issues sent their way. Our automated Service Desk ticketing system holds our team accountable to SLAs and allows you to see the status of your ticket online.
We don't believe in reports for the sake of reports. We do believe in providing you with the level of reporting you need, in the format you need, to be effective. We also present your reports to you, being on hand to discuss or explain the findings so that everyone is on the same page. Finally we build out a remediation roadmap from the reporting.
We are focussed on getting your organisation to ACSC E8 Maturity Level 3 and minimising your risk profile. That is the whole point of an E8 managed service, after all. We don't provide you with one or occasional assessments. We do this every time we undertake an audit, so, depending on your package, this will be either 12 or 26 times a year.
Automating the audit component of our managed service means we are able to turn around results quicker and also at a far lower cost than an outdated manual hands-on process. This makes our commercials the most competitive in the market. We are transparent about the cost of our services so if they make sense to you and fit within your budget, it's probably time we talked.
No form to complete!