Last Updated on July 28, 2020

Keeping IT and Information Security Assessment Separate

One of the challenges in our industry is that everyone wants to be an information security company to at least some degree, and it’s not hard to understand why: everyone needs it. Everyone is being asked about it. There’s a lot of money to be made.

How this plays out for many SMBs is that their IT service provider/managed service provider (MSP) also ends up becoming their information security provider. This means the MSP needs to provide not just IT strategy, but also information security strategy. Yet that is clearly a conflict of interest, and it presents a risk to the client.

How do we address this conflict of interest issue?

Check out our “Virtual CISO Podcast” episode on “The Virtual CIO: What It Is and What It Isn’t,” to find out. This episode features Darek Hahn, CEO of VelocIT, a leading managed service provider and IT support firm that focuses on IT leadership, strategy and planning. Darek and host John Verry, Pivot Point Security’s CISO and Managing Partner, pulled this thorny topic right up by the roots and into the light of day.

Darek has built his view on this matter into the core of his company’s operations: “We’ve made it very clear that we will never be a cyber auditing, cybersecurity firm, because we think [IT and cybersecurity consulting] should be separate. Just like in accounting, there’s the people who do the doing every day and there’s an auditor who comes in and audits them.

“We think there should be somebody auditing us. … The risk is you’ve got the fox watching the henhouse, right?

“And if we’re really confident in what we do and competent in what we do, we shouldn’t be worried about somebody coming in and doing an assessment on us,” emphasizes Darek. “[InfoSec providers] should meet with our clients and they should have an independent contract with our clients and we should trust that they’re going to help us be better.”

John then raises the excellent question, “Where does the line of IT implementation end and information security start? We have endpoint protection, … NOC monitoring… we can get the security logs there, too… Having to wrestle with multiple providers makes [running a business] a little bit harder.”

Yet we all know bad things can happen when an entity is overly reliant on a single service provider.

Darek again compares InfoSec to the more mature accounting segment: “The reason there’s all these accounting rules and auditing in place is because people do bad things—you’re dealing with money. IT is getting to that realm. It’s a lot of money that’s involved, a lot of data… And if you’re putting that all in one basket, that’s pretty dangerous.

“I would rather somebody checked us and made sure we were doing it right or correct it, than to ignore it and hide it, which is the danger,” Darek reiterates. “It’s really easy for me to go, ‘Yeah, we’ll get to that next month or next week or next year,’ and just hide it from you, the client. And then you’re in danger. You’re at risk.”

Take a listen and ask yourself, “Who is watching our henhouse?”

To check out this episode in its eye-opening entirety, or to view any of the growing slate of episodes in Pivot Point Security’s “Virtual CISO Podcast” series, click here.
