Compliance Unfiltered is TCT’s tell-it-like-it is podcast, dedicated to making compliance suck less. It’s a fresh, raw, uncut alternative for anyone who needs honest, reliable, compliance expertise with a sprinkling of personality.

Show Notes: Misconceptions About Internal IT and Service Providers When it Comes to Security


Quick Take

On this episode of Compliance Unfiltered, the CU guys have a quick conversation about the perils of just assuming your internal IT folks or 3rd party IT providers “have cybersecurity covered.” Adam dives into the biggest threats facing companies on this topic today.

Curious why some organizations struggle with identifying their weak points? Wondering about the common misconceptions surrounding internal IT? Concerned about outsourcing?

Well, you’re not alone, and the CU guys have you covered! All on this week’s Compliance Unfiltered.

Remember to follow us on LinkedIn and Twitter!


So let’s face it, managing compliance sucks. It’s complicated, it’s so hard to keep organized, and it requires a ton of expertise in order to survive the entire process. Welcome to Compliance Unfiltered, a podcast dedicated to making compliance suck less.
Now, here’s your host, Todd Coshow, with Adam Goslin.

Well, welcome in to another edition of Compliance Unfiltered. I’m Todd Coshow alongside the pumpkin pie to your compliance Thanksgiving feast. Mr. Adam Goslin, how the heck are you, sir? I, you know, I’d be even better if I had a gigantic tub of like Cool Whip. I’ll tell you what, I think everybody would be better with a gigantic tub of Cool Whip.

But today, we’re going to talk, Adam, about the misconception that an organization’s IT people or service providers know what they’re doing when it comes to security. In other words, when I’ve got IT folks, they know what they’re doing on this front, right?
And that’s not always the case. You often say to me that the biggest threat level to a company is bad assumptions. Tell us more about that. Well, you know, well, you know what they say when you make an assumption, you make an ass out of you and me. So, yeah, there’s that. But no, back in the day, I had a speaking engagement as I was talking. It was in Michigan, actually at Automation Alley. And I was talking alongside, at the time, Congressman Mike Rogers, who was the chairman of the House Permanent Select Committee on Intelligence, and he blasts out this, you know, this quote that, you know, hey, if your IT person tells you that your company’s just fine and you don’t need to worry about security, then fire them. And I’m sitting here going, it’s a little extreme, but I kind of, I got what he was getting at, which is, you know, hey, people, you know, you got to wake up, you know, your IT folks, you know, just straight up don’t know everything. You know, I think that’s what he was trying to kind of drill home, you know. For me, you know, for me, I’m not a gigantic fan of moving straight to, like, to canning, but if they don’t get the memo and they’re, you know, whatnot, okay, well, maybe you got a case. But, you know, I think the more it plays on, again, this misconception, and this bad assumption that just way, way too many organizations make, you know, which really elevates their threat level.

Well, why do companies struggle with understanding the difference, Adam? Well, if you think about it, right, security is a specialty. So let me bring it into a medical arena, right? You’re not gonna go to your day-by-day general practitioner for sniffles and colds and mandate brain surgery or heart surgery, right? In the same sense, you know, you get into just the IT arena. You’ve got whatever, a whole bunch of different titles, but you’ve got devs, you’ve got network administrators, you’ve got IT support companies, whatever, day-by-day IT support people. Yeah, the ecosystem is vast. Yeah, I mean, there’s a whole bunch of different, you know, kind of, you know, different kind of factions, if you will, within the IT space. But generally speaking, these individuals are not security specialists. What they are is they’re damn good at making the things run that they are responsible for making run. So, you know, whatever your developers are, you know, they’re kicking butt at going and writing code and making things work, and your network administrators are making sure we got all the right connections, the right things, and, you know, that we’re able to onboard and offboard different pieces of equipment and da-da-da, you know, your day-by-day IT people can, you know, sure as, you know, sure as the sky is… blue, you know, address, you know, mouse issues, monitor problems and keyboards, you know, keyboards that go sideways, da, da, da, da. But it doesn’t mean any of these people are security specialists. So, you know, they’re real good at what they do, but, you know, the connection just isn’t there in, generally speaking, into the, you know, into the security arena.

There’s very few organizations that have somebody with the right caliber of expertise that they just happen to have on staff. Well, why is this a misconception for companies? Is it related to their internal IT? Well, unfortunately, it’s all the way around. It’s a bad assumption. This kind of comes from a historical perspective, right? You know, you’re in a situation where the boss has already made this assumption that, you know, hey, IT just knows everything about IT, you know, and IT, similarly, the IT crew, they’re used to just handling things, right? Yeah, they’re kind of like a jack-of-all-trades. So, you know, the boss comes by and says, I need blop, and, you know, hey, they just do it. It’s magic, right? They just, they go behind the curtain, you hear some banging and clanking and, you know, Googling and whatever, and poof, out, you know, out comes the solution, you know. And a lot of folks in IT are really good at, you know, at this notion; it’s almost become an expectation from, you know, the levels of leadership, you know. So that expectation’s there, you know, that they’re gonna, you know, go ahead and handle things around security. In fact, it’s almost, and I say a bad assumption, the expectation of the leadership at most organizations is that your IT people know how to do things, you know, securely, that they know how to do things in a company, you know, in accordance with, you know, with compliance best practices, you know, etc.
You know, the reality is that, you know, the pressure from the top levels, you know, should not, absolutely not, be putting, you know, be putting this on people, and again I harken back to this, like, bad assumption, but it’s almost a situation where the circumstances have, you know, have kind of led to this point where, you know, the leadership expects IT can do anything, and that, you know, IT doesn’t want to disappoint the, you know, the leadership, so much so that I’ve actually seen, you know, kind of day-by-day IT practitioners almost feel like, you know, almost feel like they’re inadequate or they’ve somehow failed, you know, in their job duties, etc. And, you know, we don’t deserve that type of pressure, honestly. It shouldn’t be coming from the top levels of management down to the, you know, down to these IT folks.

So what about IT service providers that are outsourced from the IT companies themselves? Yeah, well, when you’ve got an IT service provider basically doing outsourced IT, it’s even worse. It’s even worse because now, you know, I don’t have this kind of, I don’t have the possibility of this kind of familial relationship with somebody that’s on my team, that’s an employee, you know, etc. Now it’s almost like a, and you might have some close relationships with your IT service provider, but at the end of the day they’re a vendor, right? There’s a certain measure of, you know, kind of arm’s length interaction. And with these IT service providers, I mean, you’ve just got to look at, you know, what is it that makes these people tick, right? You know, the IT service providers, they’re not there as a charity arm, you know, they’re there to provision services. So when the company is like, hey, we really need help with blah, blah, blah, blah, that has to do with security and compliance and, you know, etc., what are these guys going to say? Oh, sure. You know, whatever. Would you like red or blue ribbon on that increase in your monthly billable amounts and blah, blah, blah, you know? And so, of course, they’re going to say yes. It doesn’t matter whether they actually know what they’re doing, whether they’re just going to, you know, do the dance, you know, etc., you know, whether they know it, don’t know it, etc. They’re, again, going to go off into the cavern and, you know, Google, oh, how do I do fill in the blank, and try to come up with a solution that they can turn around and charge money for, you know, that type of thing. So yeah, it’s even worse when you’re talking about those day by day IT service providers, just because they have an incentive to automagically say yes and automagically sign up for whatever the company’s asking for, because it means that they can go ahead and increase their, you know, monthly billable amounts to the target organization.

That makes sense. Now you’ve often used the expression with me, trust, but verify. So how does that fit in here? So, you know, in general, you know, it’s always good to have checks and balances in place. You know, it’s a good and appropriate methodology. It’s a good and appropriate baseline tenet of, you know, security and compliance. Yeah, I mean, heck, this is something that even fits into the, go back even further, you know, look at the financial arena, right? You know, you got your day by day accounting people and then you got the people that come in and do the audit, you know, and look over the shoulder and double check, etc. This is just a good principle, you know. So, you know, I mean, you just, you sit back and you think about it, right? And this, and this is kind of the gauntlet I’d throw down to, you know, to these companies that aren’t, you know, doing something different. You know, how does it possibly make sense to have the same people that are doing the day by day, you know, the day by day work of the security and compliance responsibility and oversight, to be the same ones that are in charge of doing the IT work? You know, hell no. You need a check and you need a balance in that, in that process. You know, it’s just good common sense that doesn’t appear to be quite so common.

How should organizations model their security and compliance endeavors? Well, having some measure of third-party oversight, that’s really a key to what you’re doing here, you know, and really it’s important. The one area that I would recommend to leaders of the organization, you know, is as you move into this, for a lot of organizations they don’t have the trust but verify. They don’t have a third party involved, you know, etc. In some cases, excuse me, in some cases they’ve got, you know, an external assessor, you know, type of the thing. We’ll talk about that here in a little bit, you know, but, you know, having that third-party oversight is really key. You know, the lead, from a leadership perspective, they need to make sure that they’re impressing upon their internal, either their internal IT department or the outsourced IT, excuse me, I gotta grab it. I’m grabbing some coffee, hold on a second here, too much yakking. Coffee break. There we go. I’m back. So, you know, they need to make sure that they push as they move into this kind of third-party oversight, third-party validation, you know, etc., that the relationship between said third party and either internal IT or outsourced IT, but this is literally a partnership. You know, all of the players have a pivotal role. This is for the betterment of the organization. Everybody is going to be better off, especially those folks that are doing, you know, doing the, you know, the day-by-day IT or at the outsourced IT company, but it has to come down from the lead, leadership of the organization to put the right framework of the objective here, to make sure that everybody understands the roles, the benefits, etc. You’re on mute. And I was asking such a stellar question in that moment.

You get another crack at it. Oh, take two. Just curious. You have a lot of experience with internal IT folks at companies and experience coordinating with outsourced IT firms for companies. How many of these had their act truly together when it comes to security and compliance? Well, I’ll give you a little bit of background before I get into the answer. You know, I’ve been doing this, I’ve been doing this now for, you know, kind of two decades. The first, you know, the first couple of years were doing it for an organization I worked for, then spent five years with various organizations effectively being their, you know, outsourced QA, I’ll call it, you know, internal audit function, you know, doing consulting for, it was a myriad of organizations across a myriad of standards. I then, you know, dropped the, you know, dropped the partners and spun up TCT, and when I did that, you know, now TCT has been a thing for, you know, north of a decade. And so, you know, during the time at TCT, you know, we’ve continued to, you know, kind of help organizations with navigating their compliance engagements and whatnot. So I’ve seen a lot of organizations with internal IT and with, you know, having an outsourced IT firm. So for all of the companies I’ve ever worked with that had internal IT, how many, how many
organizations, quote, truly had their act together, that had an internal IT department? Zero. Dead serious, zero. And now, were some of them closer to being in the right spot? Yeah. Were some very far away? Yep. But honestly, zero. I’ve never met a company where the people that work there, they knew everything, they had their act together, I mean, it was a complete waste of my time, you know, etc. Absolutely not the case, you know. I’ve had zero experiences where an internal IT department really had it together and I was wasting my time.

For the service providers, the outsourced IT organizations, I’ll put it to you this way. I’ve had a lot of interactions in this arena as well, and from my personal experience I can count on the fingers of one finger the number of outsourced IT organizations that really had their act together when it came to security and compliance. Honestly, I’ve seen a lower level of capability in the service providers that are out there as an average than the internal IT folks. One of the big problems with the outsourced IT providers, again, you know, they’ve got an incentive just to say yes. And they do their smoke and mirrors BS routine of, you know, oh, we’re doing this and we’re doing that. We’re doing the other thing. And really, it’s just a bunch of tools that they picked up. They can go punch buttons. They aren’t doing anything with the information or data. You know, it’s a fun exercise in smoke and mirrors. And honestly, I’ve found, generally speaking, the internal IT people, I found them to be more open. I found them to be more amenable, you know, to having the dialogue, etc. But again, I go back, you know, to the leadership. Leadership plays a pivotal role. It doesn’t matter whether it’s internal IT or the outsourced IT services provider. If leadership doesn’t lay the ground rules, then, you know, things are gonna go sideways. And I’ve seen some organizations with both internal IT folks and with service providers where things have gone very sideways, just because the leadership wasn’t laying it out correctly or pushed back more often than not from the internal IT and from the outsourced IT, you know, IT provider. That’s kind of where it’s really interesting watching this unfold. But if you know what you’re in for, then, you know, then you’re a hell of a lot better armed to go walk into that conversation.

That makes sense. Parting shots and thoughts for the folks this week, Adam. Well, I want to very deliberately just remind leadership that your role in getting your company’s shit together when it comes to security and compliance, you know, your role is astronomically important. It’s gonna be a struggle for some companies. And I’ve literally seen some leaders that I’ve worked with that have had to pull off to the… the side to say, look, you need to change the way you’re doing things, etc. It’s really hard for them. But they need to understand, do not flame your internal IT or your outsourced IT because of the current state. In the vast majority of cases, what I’ve seen is I’ve seen that these people, they literally, they don’t know, or they don’t understand, or they don’t realize how things should be done, what’s supposed to be done, etc. If you’re expecting these people to just magically know how to do all the security and compliance stuff, then the problem really is yours. It is not with the internal team. So don’t flame them when things come up. You’re like, well, geez, why didn’t you know how to do, duh, duh, duh, duh, duh, duh, duh. Don’t do that. Instead, make it a partnership-style conversation, make it collaborative. I have seen some absolute magic come together with internal IT companies and with an even smaller handful of service providers that were open, that were willing to participate, that were willing to learn, that were eager to learn. It’s such a breath of fresh air when everybody’s got their heads in the right space, but the single thing that’s gonna go sideways, that’s going to most dramatically negatively impact how people react, is what role leadership takes and what type of a tone that they put forth on this endeavor.

For some organizations they have external, some organizations have external assessors, and some just rely on their internal people. And the one thing that I would say to organizations is, the assessors are cool, assessors are awesome people, assessors, yes, they’re to an extent here to help you, but really, as an organization, you want your program locked in, you want your ducks in a row before you’re going to that assessment. A lot of organizations will treat their assessors as if it’s their job to shepherd and herd all the people on their team, etc. It’s not their job to herd the compliance cats at your organization; their job is to come in and do an assessment.
And so that’s where you got to draw the line between what should my expectations be of my assessor. My expectations, TCT goes through an annual assessment and, you know, man, we have every, everything ready to rock, ready to go. It’s literally hand the stuff into the hands of the assessor. The assessor loves it because everything’s smooth, you know, etc. That’s what every organization’s objective should be, because the more that you’ve got your act together walking into that assessment, the smoother things go, the better everybody feels, the less stress that you’ve got, the less stress your internal team is feeling. The assessor’s actually happy about it. I mean, assessors are an interesting group. They, it’s funny. You can have everything perfect, right? Go walk in to the assessor. The assessors almost feel like they gotta find something to make better or they don’t feel like they’ve done their job. That’s what you want your assessor to be in the mind space of, is, jeez, I didn’t really find anything, like, what can I point out as an improvement? So I feel like I’ve, you know, kind of put my stamp on this, you know, that type of thing. So, you know, that’s what, that’s what your objective should be with the assessor side, you know, and the reality is for organizations, you know, you want to make that best-in-class decision to get the checks and balances in place and have some type of an outsourced internal audit function. It’ll go a long way to strengthening your overall program, to bringing up the caliber of either your internal IT people or your outsourced IT firm if they have their head in the right space. It will strengthen your position from a security and compliance perspective as an organization, it will better protect you, your clients, your stakeholders, your investors, your personnel, employees, vendors. You know, it will go a huge long way to be able to strengthen the overall program.
And at the end of the day, you know, we got into the space to help people make their compliance management suck less, and this would be a good recommendation.

That right there, that’s the good stuff. Well, that’s all the time we have for this episode of Compliance Unfiltered. I’m Todd Coshow, and I’m Adam Goslin. Hope we helped to get you fired up to make your compliance suck less. Thanks for watching!
