When the designers of Monopoly were deciding what to include on their shiny new board game, it probably seemed like a no-brainer for water and electric to be the featured utilities: two services vital to the success of any city. However, if the board were being designed today, there’s every chance that data centres, connectivity or even IT service providers would be included in those squares – so vital are they to the success and growth of a modern economy.
OK, OK, so maybe Hasbro won’t be rushing to redesign the iconic board, but the point stands. Reliable, secure IT services are absolutely vital. Not just for businesses but for the success of the wider, digitally fuelled economy. And with more and more businesses turning to managed service providers (MSPs) to supply these services, it’s an industry that carries a lot of responsibility on its shoulders. A fact that makes it all the more remarkable that, until recently, there was no professional charter or recognised standard to guide UK-based MSPs in terms of best practice. For an industry made up of more than 10,000 businesses, employing more than a quarter of a million people, this was a significant gap.
Others had started to look at this gap, but their approaches were often aligned to Cyber Assessment Framework guidelines. This was all well and good, except that adhering to such a high standard would essentially have excluded all but the very largest ITMSPs operating in Scotland.
That’s why, six months ago, following the rapid growth of our IT managed services community and lots of feedback from our members, we decided to develop our own charter for MSPs. One that was fit for purpose and provided a practical, helpful guide for those operating in the industry. This wasn’t something we could have done without the support of ITMSPs across Scotland, as well as funding from Scottish Government, and the spirit of cooperation was absolutely vital throughout the process. As the first of its kind in the UK, the charter provides a framework that establishes the standards that customers should expect of IT managed service providers.
Since we first started developing the charter, we’ve worked closely with IASME and are grateful for their continued support. We also look forward to engaging with NCSC and UKC3, as well as other groups representing MSPs, like CompTIA, Network Group and Cyber Resilience Units. Forging these partnerships will help us continue to raise the bar and enhance cyber resilience across the UK and throughout the supply chain.
We now have more than 20 MSPs who have signed up to the charter and the number is increasing all the time. The feedback along the way has been largely positive and constructive, and it has informed tweaks to the charter and how it’s used.
We’ve seen an encouraging and consistent improvement in overall standards, especially when it comes to areas like cyber security and data protection. It’s also allowed us to develop a better understanding of emerging threats and areas where some members may be vulnerable.
Working together, we’ve developed a comprehensive set of questions for customers to ask potential managed service providers to help ensure they get the most appropriate service. We’re also creating a categorisation based on the ScotlandIS capability directory to ensure there is a clear guide, detailed in layman’s terms, to the services that are available, so they can choose the most appropriate service. All of this is aimed at giving businesses the information they need to make an educated choice that means they are signing up to the right service for them.
Any minor challenges we’ve encountered have been largely overcome as a result of the community working closely together. We aren’t interested in pricing models and product lists; we’re solely focused on helping the sector provide a better service to customers and protecting our members from bad actors. There is a recognition of how important it is to raise standards within the sector and build cyber resilience throughout the supply chain as well as the benefit of joint working to achieve this.
It hasn’t all been smooth sailing, though, and we’ve certainly learned a lot along the way. For example, balancing a desire to be inclusive with the necessity to maintain a minimum standard is always tricky. We also need to ensure that we’re not just creating an echo chamber of like-minded organisations that all agree with each other.
One thing’s for certain: the last six months have been informative. Launching the UK’s first charter of this type hasn’t come without its challenges, but we’re confident that the industry has benefited from the process and customers are getting a better, less confusing service as a result. We’re already in conversations with similar organisations across the UK about expanding the project and it’s exciting to think that, before long, the Scottish blueprint may be rolled out across a much larger footprint.
As more organisations come on board and the charter is adopted across other regions, it is vital that we ensure it continues to meet the needs of all signatories. Ultimately, this will mean expanding the working group and adopting an assurance process to ensure that all members meet the criteria of the standards within the charter. This will be a challenge, but we’re very much looking forward to working with other organisations like UKC3, Welsh Cyber Resilience Unit and Northern Ireland Cyber Cluster to achieve this.