(TLP:CLEAR) Insights for Choosing a Managed Service Provider
Created: Thursday, January 8, 2026 - 14:35
Categories: Cybersecurity, Security Preparedness
Summary: As the demand for security, transparency, and accountability continues to rise, water and wastewater sector organizations are continuing to turn to managed service providers (MSPs) for their IT infrastructure management and data security needs. While many utilities often consider utilizing MSPs, there are several nuances that each utility may wish to consider regardless of scope or size. That said, WaterISAC is sharing information regarding MSPs, and important considerations when choosing one.
Analyst Note: The UK’s National Cyber Security Centre (NCSC) recently shared guidance pertaining to MSPs and what to consider when selecting one. The guidance includes issues to discuss with your MSP, what details to check in the contract, and it also has a due diligence checklist to help simplify efforts to ensure you’re adequately validating your MSP.
When selecting an MSP, utilities should evaluate service quality, security practices, scalability, cost-effectiveness, regulatory compliance, and cultural fit to ensure a successful partnership that supports both immediate needs and long-term operational goals. Whether a utility decides to utilize an external MSP, or to solely control it in-house, it’s important they at least do something about how their data and operations are secured.
It’s particularly important for utilities that outsource technology services and support to MSPs to understand whether “cybersecurity” is part of their contract and to what degree, if any. It’s important to not assume that since the MSP is patching your devices and updating antivirus that they are providing proactive cybersecurity services such as what an MSSP and MDR would provide. A general rule of thumb is if “cybersecurity services” are not written in the contract or statement/scope of work, then the service provider will likely not be watching your back for threats and vulnerabilities.
An additional resource to reference when validating your MSP is WaterISAC’s 12 Cybersecurity Fundamentals for Water and Wastewater Utilities #11 – Secure the Supply Chian. This fundamentaldiscusses how third-party relationships must be assessed and better managed for the risks they pose to the overall risk profile of an organization.
Original Source: https://www.ncsc.gov.uk/guidance/choosing-a-managed-service-provider-msp
Additional Reading:
- Cyber Resilience – Which Managed Service Provider May be Right for You?
- Third-Party Risk Management – Evaluating Cyber Risk Posed by IT and Managed Service Providers
Related WaterISAC PIRs: 6, 6.1, 11, 12