TubbTalk 179: Risk and the ROC Solution: What to Know for Growth

Matt Middleton-Leal is the Managing Director, EMEA North, of Qualys, a pioneering and disruptive cloud-based IT, security and compliance solutions provider.

An Interview With Matt Middleton-Leal

What MSPs are Missing About Risk

When we hear the words ‘vulnerability’ or ‘risk’, says Matt, there’s a tendency for MSPs to just jump straight in with a solution. However, he suggests a different, more effective approach:

“Step back and say, ‘What are you trying to secure and why? What’s the inherent risk if you don’t secure it?’ Because they might not need a vulnerability management tool. Maybe they need a patching tool, or something completely different.

“When that happens, the MSP has missed the point and therefore an opportunity to sell their services and solve a pain point. So I always encourage people to step back and say ‘why’ and explore the benefit the client is looking for before you do anything else.”

Why Qualys Provide a ROC Solution

A few years ago, Qualys decided to introduce patching for CISOs so they could remediate risks. Matt explains: “And a lot of people laughed. They didn’t want to take responsibility for mediation of threats and vulnerabilities – they just wanted to report them.

“But we found that what we were doing up to that point wasn’t working. SOCs (security operations centres) were finding, triaging and solving incidents, but really by that point it’s too late.

“So a ROC (risk operations centre) is proactive. It measures the risk, communicates with the right stakeholders in the business about it and then solves the problem. It also gives the CISO more data to report back to the CFO on where there are risks and how these are increasing business costs.”

The Opportunity for MSPs and MSSPs in Offering a ROC

Having a ROC is about bringing together multiple capabilities, integrating them and normalising the risk data. It’s not about the things that are traditionally done in the SOC, Matt says. He shares the four key service areas that Qualys have identified.

“We believe that the MSPs can build their business around cyber risk quantification advisory services. There’s high level consultancy to quantify the financial impact of risk. Then, there’s onboarding technologies to help clients manage it.

“Thirdly, there’s ongoing risk monitoring services, and finally remediation services. These combined, with or without the use of Qualys technology, will help MSPs to help their clients to change the way they do business and get ahead of threats.”

How the ROC Approach can Reduce CISO Burnout

Matt acknowledges that CISOs are asked to do a lot, and it’s a challenge to afford enough staff, meaning those that are in a company work even harder. “So I think leveraging technology will make a massive difference.

“And to me, that’s through automation of repetitive tasks. It won’t solve all the problems, but it will reduce stress and remove pointless tasks for people. For instance, a lot of time is spent on patching, but the risk perspective is very low.

“Start looking for areas of low risk, high volume issues where you can start to remove the workload and allow people to focus on high risk items. If you measure through risk, this is straightforward. And it reduces overwhelm and makes people feel more valued and appreciated.”

How to Stay Ahead of the Cybersecurity Curve

For UK-based MSPs, it’s important to stay up to date with what the National Cyber Security Centre (NCSC) is doing and the guidelines they produce, says Matt. Look into Cyber Essentials and the Plus version.

“However, what’s more important is that the NCSC then challenged MSPs by asking them to aim to patch high risk vulnerabilities on internal systems within seven days of detection and external ones within five days of detection.

“Now, these are just guidelines for the moment. But forward-looking MSPs and MSSPs should be thinking of how they can build their services and support offering to help their clients remediate or eliminate risks faster. We know that cybercriminals quickly exploit vulnerabilities, so adhering to the guidelines is key.”

How to Show Your Clients You’re Mitigating Risk for Them

The easiest way to show how you’re protecting your clients comes down to KPIs (key performance indicators), says Matt. You should have an agreed set of deliverables and articulate how you’re progressing with them. He adds:

“Look for quick wins. Find partners who want to improve their business, agree those deliverables and give them the outcome they want. That’s not ‘I detected some malware’; it’s ‘I protected your system from getting hit by malware’.

“Be clear about how you measure your KPI and communicate clearly and regularly with your clients so they know you’re being proactive. Always share when you’ve removed a risk and continually demonstrate your value.”
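The remediation windows Matt cites (high-risk vulnerabilities patched within seven days of detection on internal systems, five days on external ones) translate directly into a measurable KPI of the kind he describes in this section. The following is an added example, not code from TubbTalk or Qualys: it scores a set of constructed vulnerability findings against those windows and produces a per-client compliance summary; the record layout and field names are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Remediation windows stated in the interview, counted from detection.
SLA_DAYS = {"internal": 7, "external": 5}


@dataclass(frozen=True)
class Finding:
    asset: str
    exposure: str              # "internal" or "external" (assumed field)
    severity: str              # "high", "medium", "low" (assumed field)
    detected: date
    remediated: Optional[date]  # None means still open


def sla_status(f: Finding, today: date) -> str:
    """Classify one finding: met / breached (closed), open / overdue (not closed)."""
    deadline = f.detected + timedelta(days=SLA_DAYS[f.exposure])
    if f.remediated is not None:
        return "met" if f.remediated <= deadline else "breached"
    return "open" if today <= deadline else "overdue"


def sla_report(findings, today: date) -> dict:
    """KPI summary over high-risk findings only, as the NCSC windows apply to those."""
    high = [f for f in findings if f.severity == "high"]
    counts = {"met": 0, "breached": 0, "open": 0, "overdue": 0}
    for f in high:
        counts[sla_status(f, today)] += 1
    closed = counts["met"] + counts["breached"]
    # Percentage of closed high-risk findings that were fixed inside the window.
    pct = round(100 * counts["met"] / closed, 1) if closed else None
    return {"high_risk_total": len(high), **counts, "pct_closed_within_sla": pct}


def overdue_assets(findings, today: date) -> list:
    """Assets to escalate to the client: high-risk, still open, past the window."""
    return [f.asset for f in findings
            if f.severity == "high" and sla_status(f, today) == "overdue"]


# Constructed sample findings for one client; dates are illustrative only.
SAMPLE = [
    Finding("web-01", "external", "high", date(2025, 4, 1), date(2025, 4, 4)),   # 3 days: met
    Finding("web-02", "external", "high", date(2025, 4, 1), date(2025, 4, 8)),   # 7 days: breached
    Finding("fs-01", "internal", "high", date(2025, 4, 1), date(2025, 4, 8)),    # 7 days: met
    Finding("db-01", "internal", "high", date(2025, 4, 10), None),               # deadline 17 Apr: open
    Finding("dc-01", "internal", "high", date(2025, 4, 1), None),                # deadline 8 Apr: overdue
    Finding("lap-07", "internal", "low", date(2025, 3, 1), None),                # low risk: excluded
]
TODAY = date(2025, 4, 14)

if __name__ == "__main__":
    print(sla_report(SAMPLE, TODAY))
    print("escalate:", overdue_assets(SAMPLE, TODAY))
```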

Mentioned in This Episode

Book: Richard Seiersen, How to Measure Anything in Cybersecurity Risk
UK government agency: National Cyber Security Centre
Certification: Cyber Essentials
Published on April 14, 2025 00:00