The appeal of the MSP is twofold, according to experts: It spreads out infrastructure costs over a longer period, and it gets universities out of the hardware upgrade cycle.
Along with infrastructure modernization, higher education institutions increasingly rely on third parties for managed IT security services. Managed detection and response is a common example, as such services essentially provide a 24-hour, remote security operations center to monitor against threats — a must-have for organizations facing more cyberthreats than ever.
Seven Key Features of MSPs Well Suited to Higher Ed
Organizations benefit from working with MSPs that have industry experience. MSPs need to do more than simply ensure FERPA compliance; they should understand data governance and respect student data, ensuring that it is protected but accessible when necessary.
Other characteristics that institutions should look for in an MSP are:
- New functionality embedded in existing workflows: Any new solution that’s built and deployed, whether for faculty, administrative or IT users, needs to be fully integrated into existing workflows.
- Scalability, up and down: It’s common for MSPs to increase computing power at go-live or during a research initiative. The relationship shouldn’t change when an organization needs less horsepower, and operating expenses should decrease accordingly.
- Support to match higher ed’s business model: Around-the-clock support should cover more than cybersecurity monitoring. Technical support and data replication services should also be available 24/7.
- Consistent governance and protection policies: For many MSPs, around-the-clock support means around-the-globe support. Data privacy and protection should run the gamut from how data is handled to where employees work.
- Transparency and frequent communication: Readily available governance policies should be table stakes for an MSP. Transparency should extend to communication about how the MSP operates.
- Robust tools for performance monitoring: Legacy workflows all too often consist of a team of analysts getting alerts from dozens of monitoring systems. Beyond using tools with a holistic view of enterprisewide performance, MSPs should be able to provide insights to leadership.
READ MORE: Managed security services boost cyber resilience.
Choosing the Right MSP: It’s About the RFP and the SLA
The process of selecting the right MSP for higher education begins with a request for proposals, which should include technical and business safeguards. Organizations will want written policies in areas such as data security and governance, technical support and data breach notification. Legal reviews can ensure an RFP is airtight.
Technical requirements and expectations should be as explicit as possible. A well-defined scope of work and cost of services can help indicate which applications the MSP will be responsible for managing. Any new services the MSP implements need to at least be in production.
Part of the RFP due diligence process is getting to know the MSP as a company. This means finding out who owns the company, where it operates and how long it’s likely to be in business. It doesn’t hurt to ask for an opportunity to audit the company.
After choosing an MSP, it’s critical to write a service-level agreement with teeth. For example, the SLA should state what the consequences will be if an MSP falls short of a downtime guarantee or experiences a breach. A credit alone may not suffice if an incident impacts downstream revenue or student outcomes.
The organization and MSP also should discuss what will happen when the partnership ends. The SLA should spell out the MSP’s responsibilities as a contract winds down, with particular attention to how student data is migrated from the MSP to the institution.
