You know that Essential 8 is, well, "essential", but you just don't have the time to stay on top of all the requirements. So what do you look for when outsourcing to an Essential 8 Managed Service Provider?
1. Are they walking the walk? What is the MSP's E8 Maturity Level?
The first thing to ask of an E8 MSP is what E8 Maturity Level ranking they have achieved within their own business. Discuss the process they went through to reach that ranking. Ask what the key barriers they experienced were, how long it took to reach their ranking, how many hours of work were involved, and who did that work.
If the MSP can speak knowledgably and confidently about their own experience this goes towards their credibility and their capability to complete this work for your business. Also who wants to be working with an E8 MSP whose own business is sitting at less than Level 3?
2. What does the E8 managed service include?
There are three key steps to effectively staying Essential 8 compliant - Audit + Remediation + Management.
Auditing will provide visibility into your current E8 compliance state and provides an ACSC Maturity level rank.
Remediation work addresses your Essential 8 compliance gaps and risk profile, providing a security uplift over time.
The Management piece is about ensuring you are completing the regular/constant tasks that are required to stay compliant e.g. patching applications within 48 hours, performing daily backups.
Does the E8 Managed Service you are considering include all three components or will you pay separately for audit and remediation, and management work?
3. What methodology will the E8 MSP adopt?
Essential 8 requirements do not vary by organisation, so all MSPs will have a similar list of tasks that will be performed to stay compliant or move the business into a more compliant state.
Understanding the methodology adopted by the MSP refers to how they will go about this work, how manual/automated the workload is, and how much engagement your team will still be required to commit to.
Will the MSP be expecting your team to provide information or access - what data and how often?
How will they go about auditing your environment and how often? How will remediation work be prioritised?
How often and what is the nature of their reporting? How will they quantify arriving at your Essential 8 Maturity Level?
Most organisations are looking to outsource because they lack either the capability or the capacity inhouse (plus its difficult to obtain and retain security talent). So, the less time and work required of your inhouse team, is to the better.
Many MSPs charge an exorbitant sum for Essential 8 management because they are following a mostly manual, human-centric process based on spreadsheets and checklists. Anything that is time-intensive is always very costly.
4. How will the E8 MSP audit your environment?
Before rushing into how the MSP is going to lift your security posture, first understand how they are going to audit your environment, and how they will determine your ACSC Maturity level rank.
An E8 audit will give you visibility of your cyber risk and compliance levels. It will pinpoint your vulnerabilities, allow you to plan out your remediation path, and benchmarks your Essential 8 Maturity Level.
The audit informs everything that comes after so it is important to understand how it will be completed, by whom, and providing what outcomes.
What are the data sources that will be accessed as part of the audit?
Access to a number of specific data sources will need to be made available to the MSP to allow the auditing process.
Will there be any gaps in your audit?
The Essential 8 controls were designed to protect Microsoft Windows-based internet-connected networks. E8 was not designed for Apple devices, iOS, or any server infrastructure. It is important to understand how the MSP will manage any Apple devices you have.
5. How often will there be an E8 audit?
An Essential 8 audit is just a 'snapshot' in time. It is relevant only to the moment it is being completed because the Essential 8 controls require regular/constant tasks to be completed to remain compliant e.g. backups, software updates; and environments can also be compromised by changes in personnel and policies.
Regular audits - ideally fortnightly - will 'catch' any slips in compliance and also provide evidential history of performance improvements.
Of course, this is impossible if the MSP is using manual checklists or relying on your staff for audit information.
6. How will E8 remediation work ?
To provide an Essential 8 security uplift, an MSP will need to undertake remediation work.
The scope of remediation work is not likely to differ significantly from one MSP to another, as they will all be working to achieve the same outcome.
The key takeaway from this question is not what the MSP will do to remediate your vulnerabilities but how they will do it, how long it will take, and at what cost?
Remediation work can be project or outcome-based and charged as an upfront fee, an hourly rate; or it can be part of a managed service with an agreed number of man hours.
If you go for a managed service package, you will want to understand how many hours are being allocated for management work such as backups and patching, and how many are 'left over' for remediation work.
7. Don't forget E8 reporting
Often IT personnel get very involved in the detail of the work that will be undertaken in their environment, but spend comparatively little time discussing what their Essential 8 reporting will include.
It will be important to understand what data is being collected, how the data will be presented, and whether it will be interpreted with accompanying commentary and recommendations or not.
8. How do the commercials look?
Essential 8 is not a service that you want to skimp on, but it is also not a service that you want to drop enormous funds on. After all, it's a protective "must have", rather than a proactive digital transformation investment.
Generally MSPs will have three main components to their commercials for an Essential 8 Managed Service.
These reflect the main scope of work - Audit, Remediation, and Management.
It can be difficult to find pricing in the public arena for Essential 8 as-a-Service.
Why?
-
One reason, it is a relatively new area of focus as a standalone service. The tremendous spike in cyber attacks over the past couple of years has focussed concentrated attention on cyber security and the Essential 8 framework. MSPs are slow to react and promote a responsive offering.
- Another reason is many IT MSPs have always considered the Essential 8 controls to be part of their broader IT Managed Service scope. They have not traditionally separated out a specific E8 managed service and they don't have generally have a structure in place to handle very regular auditing.
- The final reason is many MSPs don't want you to know what you charge. They would rather you called them for a conversation. That could be a waste of your time and theirs. It is not uncommon for large MSPs to charge upwards of $20k just for a benchmarking E8 Audit - which is crazy because audits need to be repeated regularly. However, they have to do this because their auditing methodology is so manual and labour-intensive.
- Remediation commercial models are usually presented as scope/outcome-based, or hours of work-based. It is probably sensible to have an Audit completed first. This will provide you with the visibility of your vulnerabilities and risk. You can then decide how quickly to address those gaps which may influence your decision-making.
MobileCorp Essential 8 as-a-Service Pricing
At MobileCorp we are transparent with our pricing. Because it is what you are looking for - right?
Our Essential 8 Audit as-a-Service includes
-
12x Audits performed monthly
-
12x ACSC E8 Maturity Level assessment and rating provided monthly
-
a reporting package which includes an Executive Summary report with a compliance score for each control, a Gap Analysis report and detailed compliance report for each control, and a remediation recommendations
-
an aligned MobileCorp account manager who will present your E8 Audit reporting.
-
access to our Cyber Security service desk for any enquiries you have around the Essential 8 Audit.
Pricing for our Essential 8 Audit as-a-Service starts at $19,700 for 12 months for organisations with less than 100 seats.
Our Essential 8 Remediation as-a-Service includes
- Australian-based cyber security service desk as a single point of contact for all your E8 enquiries/requests, 8.30am-6pm Monday to Friday AEST
- fortnightly (26x) E8 Audits - and on-demand if required for extra fee
- fortnightly (26x) ACSC E8 Maturity Level assessment and rating
- prioritised Remediation Roadmap
- ongoing remediation of all E8 control gaps
- proactive improvement of your ACSC maturity rating
- monthly Account Management meeting to review your risk profile and progress towards Level 3.
- monthly reporting package which provides full visibility of your E8 security posture including Executive Summary report E8 Maturity Level score report, Gap Analysis report and Risk Profile, detailed compliance report for each control, and a remediation roadmap
- MobileCorp account manager
Our Essential 8 Remediation as-a-Service starts at $4050 per month based on 25 hours per month remediation and management work for an organisation with less than 100 seats.
The benefits of outsourcing Essential 8 to an MSP
The key benefit of E8 as-a-Service is knowing your cyber risk and compliance levels at all times, and having the means in place to uplift your security posture and address your vulnerability gaps.
It also provides independent oversight, meets most governance protocols, and provides compliance reporting which can be provide to internal and external stakeholders.
It may also allow you to obtain Cyber Security Insurance, or a more favourable rate for your premiums.
Why use MobileCorp for Essential 8 as-a-Service?
1. Automated Fortnightly E8 Audit
One advantage that MobileCorp has over many E8 MSPs is our use of automated enterprise-grade auditing software. This proprietary software is already being used by Australian government departments and hundreds of Australian organisations. This automated software means we will undertake to audit your environment fortnightly and even on-demand.
2. Responsive, expert Australian-based cyber security support desk
Our team of security and network engineers are based at our Mascot headquarters in Sydney. They are experts in their fields and they respond swiftly and effectively to any issues sent their way. Our automated Service Desk ticketing system holds our team accountable to SLAs and allows you to see the status of your ticket online.
3. Business Intelligence Reporting
We don't believe in reports for the sake of reports. We do believe in providing you with the level of reporting you need, in the format you need, to be effective. We also present your reports to you, being on hand to discuss or explain the findings so that everyone is on the same page. Finally we build out a remediation roadmap from the reporting.
4. Proactive Improvement of your ACSC E8 Maturity Level
We are focussed on getting your organisation to ACSC E8 Maturity Level 3 and minimising your risk profile. That is whole point of an E8 managed service after all. We don't provide you with one or occasional assessments. We do this everytime we undertake an audit so dependent on your package this will be either 12 or 26 times a year.
5. Affordable Commercials
Automating the audit component of our managed service means we are able to turn around results quicker and also at a far lower cost than an outdated manual hands-on process. This makes our commercials the most competitive in the market. We are transparent about the cost of our services so if they make sense to you and fit within your budget, it's probably time we talked.
Ready to talk to a human ?
Jim JoannouHead of IT
MobileCorp
E. jim.joannou@mobilecorp.com.au
M. 0419 173 333
No form to complete!
About MobileCorp
MobileCorp is an enterprise ICT solutions company with a mission to deliver our customers a communications technology edge. We provide Essential 8 as-a-Service, Managed Mobility Services, Enterprise Mobility Management, Complex Data and IP Networks, and Unified Communication solutions. We have a proven track record providing managed services for Australian enterprise and business, and we are a Telstra Platinum Partner.
MobileCorp Managed Services Michelle Lewis 24 Feb 2023
Related Posts
Popular Tags
- Mobile Devices (79)
- Mobility (78)
- Telstra (64)
- 5G (59)
- MobileCorp Managed Services (55)
- Mobile Network (34)
- Networks (33)
- Cradlepoint (31)
- Apple (29)
- MobileCorp (29)
- iPhone (25)
- Remote Working (23)
- Covid-19 (16)
- Mobile Security (15)
- Network (15)
- Wireless WAN (15)
- Cyber Security (14)
- UEM (14)
- MDM (11)
- Mobile Expense Management (10)
- Mobile Device Management (9)
- TEMs (9)
- Mobile Device Lifecycle (8)
- Cloud (7)
- Unified Comms (7)
- Unified Communications (7)
- Wandera (7)
- Android (6)
- Sustainability (6)
- Data Networks (5)
- Network Security (5)
- Samsung (5)
- Security (5)
- Digital Experience (4)
- IOT (4)
- Microsoft Intune (4)
- IT Services (3)
- Microsoft (3)
- Data (2)
- Government (2)
- Microsoft 365 & Teams (2)
- Retail (2)
- nbn (2)
- webinar (2)
- Blog (1)
- EMM (1)
- Emerging Technologies (1)
- Hosted Telephony (1)
- Managed Desktops (1)
- SD-WAN (1)
- Starlink (1)
- Telstra Services (1)
- video (1)