In the world of cybersecurity risk reduction, there’s a concept that we call “the boom”. It’s the moment a ransomware note appears on a screen, or your company name shows up on a breach list after your entire CRM database gets dumped.
It’s the explosion. And by the time it happens, your options are limited. Everything before that moment is “left of boom”.
When reviewing how strong our security programs are, we tend to focus a lot of attention on preventative measures. This is the proactive territory where you stop the explosion before the fuse is even lit.
For MSP owners and SMB leaders, staying left of boom is about building disciplined, proactive security habits before an attacker ever gets a foothold. That work starts with the first two pillars of the NIST Cybersecurity Framework: Identify and Protect.
This post breaks down what each pillar actually requires in practice and why getting them right is the foundation of a resilient, defensible security program.
Pillar 1: The discipline of identification
You cannot secure what you do not know exists. This sounds like a simple truism, yet it is the primary reason why many security programs fail. Identification is the technical foundation of your entire defense strategy. It involves more than just a list of laptops.
A complete identification process covers:
- Hardware. Every device on your network, including ones that weren’t formally onboarded.
- Software. Licensed applications, SaaS tools, shadow IT and temporary solutions that became permanent.
- Vendors and third parties. Anyone with access to your environment or your clients’ environments.
- People. People are assets, and access privileges need to be mapped accordingly.
- Data flows. Where sensitive data lives, where it moves and what would happen if it were compromised.
In an MSP environment, a thorough identification process often reveals surprises: cloud applications nobody officially approved, personal devices that have bypassed standard onboarding or undocumented critical services.
Automate your asset discovery
To master the Identify pillar, you must implement automated asset discovery tools that run continuously rather than quarterly. These tools should provide a live view of every IP address on the network, alert you to changes or deviations and capture the SaaS applications in use.
Classify risk appropriately
Beyond hardware, you must also identify your “crown jewels”. Which datasets would end your business if they were compromised? This classification allows you to allocate your limited resources toward the highest-risk areas. If you treat every piece of data as equally important, you effectively treat nothing as important.
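The continuous discovery and crown-jewel classification described above can be reduced to one reconciliation step: compare what a scan sees against the approved inventory and rank every deviation by the classification of the asset involved. The example below is added here and is not code from the original post; the inventory, scan results and SaaS domains are constructed sample data, and a real MSP would feed them from its RMM or discovery tool and from DNS or proxy logs.

```python
"""Reconcile a discovery scan against the approved asset inventory.

Added example (not from the original post). INVENTORY, SCAN and
SAAS_SEEN are constructed sample data standing in for RMM/discovery
output and DNS/proxy observations.
"""

# Approved inventory: what the Identify process says *should* exist.
# "crown_jewel" marks the servers whose data loss would end the business.
INVENTORY = {
    "10.0.1.5":  {"host": "crm-db-01", "owner": "ops", "crown_jewel": True},
    "10.0.1.10": {"host": "fileshare-01", "owner": "ops", "crown_jewel": False},
    "10.0.1.20": {"host": "laptop-jsmith", "owner": "jsmith", "crown_jewel": False},
    "10.0.1.30": {"host": "legacy-erp", "owner": "finance", "crown_jewel": True},
}
APPROVED_SAAS = {"microsoft365.com", "salesforce.com"}

# Constructed discovery results: (ip, hostname) pairs seen on the network now.
SCAN = [
    ("10.0.1.5", "crm-db-01"),
    ("10.0.1.20", "laptop-jsmith"),
    ("10.0.1.77", "iPhone-Dave"),   # personal device that bypassed onboarding
    ("10.0.1.10", "backup-tmp"),    # hostname changed on a known IP
]
# Constructed SaaS domains observed in DNS/proxy logs.
SAAS_SEEN = {"microsoft365.com", "dropbox.com", "salesforce.com"}


def reconcile(inventory, scan, approved_saas, saas_seen):
    """Return deviations as (severity, message) tuples, highest severity first."""
    findings = []
    seen_ips = {ip for ip, _ in scan}
    for ip, host in scan:
        known = inventory.get(ip)
        if known is None:
            findings.append(("medium", f"unknown device {host} at {ip} (not onboarded)"))
        elif known["host"] != host:
            sev = "high" if known["crown_jewel"] else "medium"
            findings.append((sev, f"{ip} now reports {host}, inventory says {known['host']}"))
    for ip, known in inventory.items():
        if ip not in seen_ips:
            # A crown jewel that vanished may be offline, moved or re-addressed.
            sev = "high" if known["crown_jewel"] else "low"
            findings.append((sev, f"{known['host']} ({ip}) missing from scan"))
    for app in sorted(saas_seen - approved_saas):
        findings.append(("medium", f"unapproved SaaS in use: {app}"))
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: order[f[0]])
```

Run it on a schedule rather than quarterly and route the "high" findings to whoever owns the asset; the "medium" unknown-device and shadow-SaaS findings are the onboarding backlog the post describes.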
Pillar 2: Hardening the environment through protection
Once you’ve identified your assets, the Protect pillar is where you build the walls. In a modern threat landscape, the perimeter is no longer just a physical office or an endpoint device. It’s the identity of your users.
Start with zero trust and strong MFA
Protection starts with zero trust principles, and specifically with enforcing multi-factor authentication on every single entry point. Not all MFA is equal, so you should ensure that the type you use matches the risk level of the account it’s protecting. Using challenge-response authentication or FIDO for highly privileged accounts makes more sense than relying just on SMS-based MFA (which I highly recommend you never use).
Patch aggressively and verify it
Technical protection also means aggressive patch management. Most breaches exploit vulnerabilities that have had patches available for months before the attack. For an MSP, this means having an automated, verified pipeline for updates that covers not just the operating systems, but also the third-party applications that often fly under the radar.
Train humans, not just systems
Finally, protection includes the human element. Security awareness training should move away from annual “box-checking” exercises and toward frequent, simulated phishing tests that provide immediate feedback to users. A well-trained employee is often the last line of defense when a technical control is bypassed.
The bridge between the two pillars: SOC visibility
Identify and Protect don’t operate in isolation. The bridge between them is visibility, and this is where a Security Operations Center (SOC) or dedicated security team becomes indispensable.
Visibility is the telemetry that tells you whether your Identify and Protect pillars are actually working. Without a centralized view of logs from endpoints, firewalls and cloud environments, you are essentially flying blind.
A SOC provides the continuous monitoring necessary to spot the “smoke” before the boom occurs. For example, if your Identify phase noted a critical server and your Protect phase implemented strict access controls, the SOC is the entity that notices a successful login from an unusual geographic location at 3 AM. That real-time visibility transforms your security from a static set of rules into a dynamic defense.
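The 3 AM login scenario above is, in detection terms, a rule that joins the Identify output (which hosts are critical) with authentication telemetry (who logged in, from where, when). The example below is added here and is not code from the original post; the log format, the per-user country baseline and the business-hours window are assumptions, and the log lines are constructed samples.

```python
"""Flag successful logins to critical assets from unusual places or hours.

Added example, not from the original post. Log format, geo baseline and
business hours are assumptions; SAMPLE_LOGS are constructed lines.
"""
import re
from datetime import datetime, timezone

# From the Identify pillar: the crown-jewel hosts this rule watches.
CRITICAL_HOSTS = {"crm-db-01"}
# Assumed per-user baseline of countries each account normally logs in from.
USER_GEO_BASELINE = {"admin": {"US"}, "jsmith": {"US", "CA"}}
# Assumed business hours: 07:00-18:59 US Eastern, expressed as UTC hours.
BUSINESS_HOURS_UTC = range(12, 23)

# Constructed sample auth events in a simple key=value format.
SAMPLE_LOGS = """\
2024-05-02T14:02:11Z host=crm-db-01 user=admin result=success src=198.51.100.4 geo=US
2024-05-02T03:12:41Z host=crm-db-01 user=admin result=success src=203.0.113.9 geo=RO
2024-05-02T03:15:02Z host=fileshare-01 user=jsmith result=success src=203.0.113.9 geo=RO
2024-05-02T03:20:55Z host=crm-db-01 user=admin result=failure src=203.0.113.9 geo=RO
2024-05-02T18:30:00Z host=crm-db-01 user=jsmith result=success src=198.51.100.7 geo=CA
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"result=(?P<result>\S+) src=(?P<src>\S+) geo=(?P<geo>\S+)$"
)


def parse(line):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
    return ev


def detect(log_text):
    """Return one alert per successful login to a critical host that is out of
    baseline. Failed attempts are out of scope here (they feed a brute-force rule)."""
    alerts = []
    for line in log_text.splitlines():
        ev = parse(line)
        if not ev or ev["result"] != "success" or ev["host"] not in CRITICAL_HOSTS:
            continue
        reasons = []
        if ev["geo"] not in USER_GEO_BASELINE.get(ev["user"], set()):
            reasons.append(f"geo {ev['geo']} not in baseline")
        if ev["ts"].astimezone(timezone.utc).hour not in BUSINESS_HOURS_UTC:
            reasons.append(f"outside business hours ({ev['ts']:%H:%M} UTC)")
        if reasons:
            alerts.append({"host": ev["host"], "user": ev["user"], "src": ev["src"], "reasons": reasons})
    return alerts
```

Against the sample lines only the 03:12 admin login to crm-db-01 fires, with both the geography and the hour as reasons; the same source hitting the non-critical file share, and the failed attempt, are deliberately left for other rules.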
For MSPs, this often means moving beyond simple alert monitoring and toward Managed Detection and Response (MDR), where experts actively hunt for threats within your visibility data.
Three steps to start moving left of boom
To move your organization or your clients left of boom, consider these three immediate steps:
- Conduct a comprehensive asset and data audit. Use automated discovery tools to eliminate blind spots in your network. Map hardware, software, SaaS tools, vendors and data flows, then classify what you find by risk level.
- Mandate hardware-based or app-based MFA for all administrative and user accounts without exception. Retire SMS-based MFA wherever possible and match authentication strength to account risk.
- Centralize your security logs. Implement a SIEM or partner with an MDR provider to ensure that your identification and protection efforts are backed by 24/7 visibility, not periodic check-ins.
By shifting your focus to these proactive measures, you reduce the likelihood of a catastrophic event and build a business that is resilient by design rather than by luck.
Go deeper with these resources
NIST Cybersecurity Framework: https://www.nist.gov/cyberframework
CISA Cyber Essentials for Small Business: https://www.cisa.gov/resources-tools/resources/cyber-essentials
CIS Critical Security Controls: https://www.cisecurity.org/controls/v8
Security frameworks are better with a community behind them
Want to connect with MSPs who are already putting these principles to work? The CyberMSP Community is a space for security-minded MSPs to share real-world experience, access practical resources and learn from peers who are building the same kind of practice you are. Join now.