Should Your IT Service Provider Manage Your Firm’s Cyber Security Program?

Conflict of interest

By Michael Brice, Founder and President, BW Cyber

Do you visit a dentist when you need a physical check-up? Do you see a doctor when you have a cavity? Of course not, but that scenario is exactly what we encounter when working with new clients who have relied on their IT Managed Service Provider (IT MSP) to lead their cybersecurity program.  Don’t get me wrong, your IT MSP should be responsible for implementing the critical security technologies needed to protect your organization and its data. However, the implementation of protection should be directly related to your organization’s evaluation per regulatory compliance, threat assessment, and security tested. And it is critical that those three steps are performed by an external organization that possesses a core competency in cybersecurity and is unbiased to the organization implementing the security. 

So why is a segregation of duties between cyber and IT so important? Let’s unpack the fundamental differences between cyber specialists and IT specialists:

  • IT specialists are focused on making technology work and easy to use.  So, when your computer doesn’t work or you can’t access your e-mail, you (and the IT specialist) immediately know it’s broken. This is important because the IT specialists can then open a ticket and fix the problem. This makes sense, because the IT specialist has spent their entire career training to identify and fix technology to allow users to do their job.
  • Cybersecurity specialists are focused on making technology secure, often making it more difficult to use. They have spent their entire career evaluating technologies that work, but have vulnerabilities that a criminal can exploit. So, when your security doesn’t work, unless it’s been assessed and tested by a cybersecurity specialist, your IT specialist won’t know there’s a problem.

While I could provide plenty more examples that are fundamental to why it is an industry best practice to segregate IT and cybersecurity, suffice it to say that every good security program starts with an inherent ‘conflict’ between the goals of IT operations and IT security. And, when IT operations and IT security are provided by the same organization, security is going to suffer. We see it time and again; and this degradation in security is especially obvious when an organization performs penetration testing on itself (or via a vendor with whom they collaborate). After all, who is going to call out poor security on themselves – especially considering their IT team put that poor security in the first place?

So, for those of you who want more data, and to prove I’m not biased, here are some high-level pros and cons to having your IT MSP manage your cybersecurity program:

The main benefits of an IT MSP managing their customer’s cybersecurity program come in the simplicity of supplier/partner management:

  • A single vendor for all IT and security issues: Less vendors is always good, and this approach provides you with ‘single throat to choke’…
  • Secure by design – You get the proven ‘security stack’ provided by the vendor in a fully integrated package.

The main detriments of an IT MSP managing their customers’ cybersecurity program come with the lack of security and transparency in weaknesses:

  • Staffing by transition – cybersecurity skillsets are hard to find and come at a premium in salary. As a result, IT MSPs are repurposing IT consultants as de facto cybersecurity specialists. This improves margin and prevents staff turnover, but results in a much lower quality of cyber staff.
  • Self-Testing – it is an inherent conflict of interest for an organization to perform a security self-assessment (e.g., perform internal cyber risk assessment) or test themselves (e.g., penetration testing). Candidly, if you don’t find this one concerning you probably shouldn’t be reading this blog. Again and again, I encounter organizations that perform self-testing, and without fail, those tests never meet the same bar as when the organizations are tested externally. Ironically, this testing often produces exceedingly glowing, but incorrect, security results that seem to further instantiate the decision to combine IT and cyber services under a single vendor.
  • Reduce reliance on a single provider – the flip side of having a single IT/Cyber vendor is that over-reliance on one organisation can also be a risk: a single point of failure that carries potentially larger consequences.
  • Margin versus transparency – If you have a breach, are you now going to trust the cybersecurity team that secured you to lead the breach investigation? I’ve seen this numerous times, and – spoiler alert – the in-house IT MSP/Cyber team will never self-report. Never.

Clearly, the cons outweigh the pros.

**********

Michael Brice is BW Cyber‘s Founder and President