Coastal Cyber launches to help MSPs build repeatable SME governance and security frameworks

Industry veteran Daniel Johns created the advisory practice after seeing the same governance and security gaps recur among MSPs.

[Image: Daniel Johns, founder, Coastal Cyber]

Coastal Cyber, a new cybersecurity advisory practice, has launched to offer MSPs and resellers independent guidance and services on GRC, risk management and security posture.

Founded by Daniel Johns, whose 30 years in the industry includes stints at MyCISO, CyberCX and ASI Solutions, the practice serves mid-market organisations and channel partners across financial services, healthcare, and technology and SaaS.

Through his involvement in the ISACA and CompTIA (now GTIA) networks, Johns found MSPs struggling with the same problem: how to assess governance, technical controls and business risk for their clients, and how to connect the three.

“The MSPs asking me for help aren't struggling for want of technology. They're struggling for want of a framework that turns what they already do well into something they can articulate, scope, price and repeat,” he said.

In response, Coastal Cyber offers several dedicated services. These include assessments against the Australian Cyber Security Centre's Essential Eight, which MSPs can deliver to clients to validate their security posture.

A governance and information security management system (ISMS) uplift is offered to help MSPs “get their house in order” by addressing common governance and security gaps.

For example, Johns has found that many MSPs lack an ISMS, a tested incident response plan, and business continuity and disaster recovery plans of their own.

“Cleaning up your own governance isn't just good practice. It's the foundation of the trust relationship with every client you manage,” he said.

Coastal Cyber also offers a 90-day MSP security offering buildout to help service providers build a repeatable, sellable security practice to offer to their clients.

It provides MSPs with four things: a defined security service offering; a documented, repeatable service delivery process; a realistic pricing model; and staff who understand what they're selling and how to have the governance conversation with a client.

“A big part of that last point is policy. Governance needs to be right-sized, and for most SMEs that means it doesn't need to be complex; it needs to be proportionate,” he said.

In Johns' view, governance should be aligned to the Essential Eight but also cover protections the Essential Eight does not address, such as incident response, third-party risk and disaster recovery.

“These aren't optional extras; they're the areas where organisations get into serious trouble and where having documented, tested processes actually changes the outcome,” Johns told CRN Australia.

“Building out governance capability is resilience planning for both sides of that relationship. The MSP reduces its own exposure while genuinely improving the client's posture. That's not a coincidence; it's the point,” he added.

For MSPs with no security practice, the security offering buildout provides a starting point. "It's a scaffolded approach that doesn't assume capability they don't yet have," Johns said.

For MSPs that already have a security offering, it helps them document and formalise their program.

“They usually have good instincts and solid processes, but it's all in someone's head, it's not documented, and it doesn't survive key person risk or growth,” he added.
