For many solution providers, the information protection discussions they have with clients can be quite revealing. The system issues and vulnerabilities uncovered on those conversations can easily lead to solutions some may consider overkill. Of course, the customer’s budget concerns may limit the options. That’s where compromises and long-term roadmaps come into play, addressing the most immediate needs while establishing a framework for future improvements.   

In my role at CompTIA, I have seen a variety of approaches to data security. As more IT businesses, professional societies and industry associations get together to think through the challenges of security more tried-and-true methods have begun to crystallize. You can spend hundreds of thousands of dollars in consulting and audit preparation fees and still not feel comfortable going home each night.

Instead, you can abolish that uncertainty and create a compelling reason for your clients to trust you with their most precious resource: information. All it takes is a willingness to spend time, effort and commitment on your business. These tips are written with the intent of hanging a lamppost on your way.

Understand your risk

There is an entire industry built up to assist companies in risk assessment. If you don’t have the cash lying around to bring in an expert to put you through the paces it doesn’t mean you’re all alone. But if you ignore potential pitfalls and exposure, you will be. One stumbling block for many comes right away. How do you know what you don’t know? This question can quickly escalate and paralyze any efforts to address risk. So you need a guide. Something to bump against.

Many industry groups have put together self-paced guides to assist you, and here CompTIA is no different. The Security Assessment Wizard provides a quick health check for you, or your clients, to see if there are any areas of concern. By answering simple questions, a basic diagnostic can be provided that you can use to prioritize improvements to your security controls. An internal review is a great first step, but this wouldn’t be a list without subsequent steps.

Understand the client’s risk

Who are your customers? What services do they provide? What information are they collecting? Is it your responsibility to protect that information? If not, where does that responsibility lie? The role of the IT solution provider has grown exponentially. From the days when IT was only expected to setup and fix hardware to the modern realities of integrated services, hybrid cloud, on-and-off premise support, and pure solution selling your value and importance to the day-to-day operations of your customers has never been higher.

With that increased role comes increased responsibilities and diligence. At some point, you will likely have to show you have taken the proper precautions and due care to protect data and comply with the law. But as those familiar with the patchwork of data security laws across the nation will tell you, this is much easier said than done.

The key here is to have frank discussions with your customers. Have them before they come aboard with you. Have them when they’re most excited about working with you. Have them regularly. Ask not about technical needs and “IT stuff”. Ask about their worries. About what it is they’re trying to do with their business. As you get into what their desires are, opportunities for exposure to risk will become apparent. Utilize technology to help close those gaps.

If things get tough, bring in some help

An official risk assessment goes a long way to demonstrate your commitment to due diligence. Luckily, CompTIA has again found a way to bring services normally reserved for the largest firms to the small and medium IT businesses. CompTIA’s new Legal Services Program, ITLA, is an amazing Premier Member benefit that includes an annual Risk Assessment.

Nearly every security standard requires a risk assessment. It’s why it’s the first tip in this list. You can only know what needs to be addressed if you have identified it as needing to be addressed. If you’re not a Premier Member of CompTIA, this program is an excellent reason to get involved. Or, you can look for a similar service from other industry groups. However you end up getting there, on your own or with outside help, a risk assessment is vital.

Prove yourself with an industry standard

Security standards are numerous. But if you dig down into them, you will find a lot of overlap. As I mentioned above, quite a few best practices for managing data have been defined over the years. The CompTIA Security Trustmark+, like some other security standards, relies upon the National Institute of Standards and Technology (NIST) 2014 Cybersecurity Framework. What really separates CompTIA’s Trustmark from the others its applicability to IT service providers and its extremely favorable price (under $2,000!) – especially when compared to other security audits.

By working through a defined process to identify, protect, detect, respond, and recover all the tenets of security are covered. Boiled down to common language and specific questions to think over, your security controls will be improved and validated by getting engaged with a security standard. And once that is done, you can begin to turn what could be a painful process into a huge benefit.

Build unique value statements around the work you completed

Data security is not something that should be glazed over. By achieving a standard such as the CompTIA Security Trustmark+, you have demonstrated a level of commitment and intelligent business practice that immediately separates you from the pack. Be proud of the accomplishment. Explain how this process has made your business better, and can therefore provide a better solution. Brainwash your sales and marketing until they can sing the virtues of how much you care about your customer and their data. This is where the pay-off really happens.

Compliance, legal regulations, hackers, and organized crime are a few reasons data security will continue to be an area of concern for IT providers. By taking a reasonable approach to understand your risks, your customer risks, and potential gaps, you can quickly change fear of the unknown into a reason to do business with you. Join the CompTIA IT Security Community or similar industry groups. Staying involved and educated is the only way to combat the constantly evolving ways data networks are being attacked.