Separation of duties is a critical factor in managing business risk effectively. Executives understand the importance of financial oversight and hire CPA firms to double-check the work of their CFO. The same rule applies to managed IT service providers and cyber security oversight. There is a troubling trend among IT service providers as they look to expand revenue: many now offer cyber security services alongside their own IT services. At first glance this seems to make sense, given their familiarity with customer environments and operations, but the reality is quite different.
IT service providers manage the many hardware and software technologies that businesses rely on for critical daily operations. In doing so, they hold administrative privileges (the keys to the corporate kingdom) and maintain those hardware and software resources on a fixed-fee basis. Having the same IT service provider also manage cyber security presents a conflict of interest: there is no check and balance when the company that runs the IT environment is also the company responsible for securing it and for reporting on how well that is going. This arrangement is analogous to having a CFO audit the company's financials to confirm that he or she is not embezzling funds.
Let's consider a simple example to further illustrate the point. A key element of any cyber security program is scanning networks to identify software flaws that need to be fixed. Survey figures commonly cited in the industry attribute roughly 60% of data breaches to a known software flaw whose fix was available but had not been applied. In their managed role, IT service providers are responsible for applying software fixes in a timely manner so that those flaws are closed before they lead to a breach. If they also manage cyber security, the same provider is responsible for scanning the network to identify software that needs to be fixed while simultaneously allocating the resources to fix it, so every finding the scan reports is work they must do under a fixed fee. During months when IT support hours have been exhausted, they may delay applying software fixes until resource time is available, and nobody outside the provider is measuring how long the flaws stay open or confirming that a reported fix actually took effect.
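The check an independent security function performs in this scenario, as an added example that is not part of the original post: it reconciles the scanner's findings against the IT provider's patch reports, credits a fix only when a scan run after the reported patch date no longer sees the flaw, and flags findings that have stayed open past an assumed per-severity SLA. The hosts, finding identifiers, dates and SLA values are all constructed for illustration.

```python
"""Reconcile vulnerability-scan findings against the IT provider's patch
reports, the check an independent security function would run.
All data below is constructed for illustration; the SLA values are assumed.
"""
from dataclasses import dataclass
from datetime import date

# Assumed remediation policy: maximum days a finding may stay open, by severity.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


@dataclass(frozen=True)
class Finding:
    host: str
    vuln_id: str      # scanner's finding identifier (constructed labels here)
    severity: str
    first_seen: date  # first scan that reported the flaw
    last_seen: date   # most recent scan that still reported it


@dataclass(frozen=True)
class PatchReport:
    host: str
    vuln_id: str
    status: str       # "patched" or "deferred", as reported by the provider
    reported_on: date


def verified_closed(finding, report, latest_scan):
    """Credit a fix only when the provider reports it patched AND a scan run
    after that date no longer sees the flaw. A claim without a clean scan
    behind it is not evidence."""
    return (report is not None
            and report.status == "patched"
            and report.reported_on < latest_scan
            and finding.last_seen < latest_scan)


def reconcile(findings, reports, latest_scan):
    """Return (kind, host, vuln_id, detail) tuples for every discrepancy.

    unverified: provider says patched, but no later scan confirms it
    overdue   : the flaw is still open past the SLA for its severity
    """
    by_key = {(r.host, r.vuln_id): r for r in reports}
    issues = []
    for f in findings:
        r = by_key.get((f.host, f.vuln_id))
        if verified_closed(f, r, latest_scan):
            continue
        if r is not None and r.status == "patched":
            if f.last_seen >= latest_scan:
                detail = f"reported patched {r.reported_on}, scan {latest_scan} still finds it"
            else:
                detail = f"reported patched {r.reported_on}, no scan since to confirm"
            issues.append(("unverified", f.host, f.vuln_id, detail))
        age = (latest_scan - f.first_seen).days
        limit = SLA_DAYS.get(f.severity.lower(), SLA_DAYS["low"])
        if age > limit:
            issues.append(("overdue", f.host, f.vuln_id,
                           f"{f.severity} open {age}d, SLA {limit}d"))
    return issues


def sample_report():
    """Constructed scan and patch data for one reconciliation run."""
    latest_scan = date(2024, 3, 15)
    findings = [
        Finding("web01", "vuln-101", "critical", date(2024, 3, 1), date(2024, 3, 15)),
        Finding("web02", "vuln-102", "high", date(2024, 2, 1), date(2024, 3, 15)),
        Finding("db01", "vuln-103", "high", date(2024, 2, 20), date(2024, 3, 8)),
        Finding("db01", "vuln-104", "medium", date(2024, 1, 1), date(2024, 3, 15)),
        Finding("app01", "vuln-105", "low", date(2024, 3, 10), date(2024, 3, 15)),
    ]
    reports = [
        PatchReport("web02", "vuln-102", "patched", date(2024, 3, 10)),   # still seen after
        PatchReport("db01", "vuln-103", "patched", date(2024, 3, 9)),     # confirmed by scan
        PatchReport("db01", "vuln-104", "deferred", date(2024, 3, 1)),    # deferred, within SLA
    ]
    return reconcile(findings, reports, latest_scan)


if __name__ == "__main__":
    for kind, host, vuln_id, detail in sample_report():
        print(f"{kind:10} {host:6} {vuln_id:9} {detail}")
```

The two inputs deliberately come from different parties: the findings from the scanner the security function controls, the patch reports from the provider. A provider that marks its own findings closed, or that scans with the same credentials it patches with, removes exactly the cross-check this reconciliation depends on.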
Cyber-attacks happen every day, and the attackers never rest. A timely response to rapidly evolving security gaps can mean the difference between narrowly escaping a breach and being the next headline in the news. There is an old saying that no one should let the fox guard the henhouse. Every executive needs to consider the right risk balance for their company, and understanding the appropriate separation of duties is a key part of that equation.
Security Vitals offers cyber security services. We stay in our lane and let the IT service providers manage the infrastructure. We have the experience and specialized cyber security resources to help identify blind spots that can have a profound impact on your business. If an unbiased evaluation of cyber security risk is important to your business, contact us.