Compliance Unfiltered is TCT’s tell-it-like-it is podcast, dedicated to making compliance suck less. It’s a fresh, raw, uncut alternative for anyone who needs honest, reliable, compliance expertise with a sprinkling of personality.

Show Notes: Is Your I.T. Team Keeping Your Organization Safe?


Quick Take

On this episode of Compliance Unfiltered, Adam and Todd have what might be an uncomfortable conversation for some, regarding the perils of entrusting your organization’s cybersecurity to your I.T. team or your external I.T. resources.

Curious about the difference between an I.T. and a cybersecurity professional? Wondering about companies that offer both I.T. and cybersecurity services? Need a cost-effective strategy?

Well, you’re in luck, as all these answers, and more, can be found in this episode of Compliance Unfiltered.

Read The Transcript

So let’s face it, managing compliance sucks. It’s complicated. It’s so hard to keep organized and it requires a ton of expertise in order to survive the entire process. Welcome to Compliance Unfiltered, a podcast dedicated to making compliance suck less. Now here’s your host, Todd Coshow with Adam Goslin.

Well, welcome in to another edition of Compliance Unfiltered. I’m Todd Coshow alongside the avocado toast to your compliance brunch, Mr. Adam Goslin. How the heck are you, sir? 

I’m good, I can say with absolute clarity that avocado toast is not in my, it is not in my breakfast repertoire, shall we say. 

Ah, thus, we need to expand your fruit horizon, sir. 

See I’d take a polar opposite approach. I would say that it is my singular job to expand the horizons of those eating avocado toast. 

Well today, we’re talking about expanding horizons and specifically we’re talking about the belief that organizations had that their IT staff or their outsourced IT company are actually keeping them safe. I know that you have some strong feelings on this one, so tell us more. 

Sure thing, you know, the organizational leaders for a long time have been operating under this delusion that, you know, that’s frankly putting companies at risk. The delusion that because your IT people know how to do IT, that thereby means that they need, they know how to do security and compliance properly. And it is an assumption that I run into all the time. And I would say that an extremely high percentage of the time, it’s invariably a false one. So, you know, and I want to be clear for folks, you know, the IT people, they’re good at IT. They can make IT sing, they can make IT run. A lot of them are fricking amazing, but it does not make them cybersecurity experts. And there’s a number of reasons for that, you know, but they shouldn’t be doing both. And that’s something that really I look at as a, fundamentally, a shortcoming of, you know, kind of a bad assumption that’s coming down from, you know, from on high. It’d be like me saying, hey, I know how to drive a car, but it doesn’t mean that just because I can drive a car, that I can change out a transmission, right? It’s not the same thing. So, you know, and I just, I try to put it to people, to put it to people in a way that they get, that they understand, et cetera. I mean, these folks that are in IT, man, they can do some great things day by day, you know, but, you know, the guiding assumption, because they can spell IT means they can do cyber, not so much, you know. And this is the case whether you’ve got somebody that’s an in-house IT person, outsourced contract IT person, an outsourced IT company, even when you’re leveraging secure compliant hosting, it doesn’t matter. You know, the two are not necessarily synonymous. So, you know, it’s just something that people got to get away from. 

That makes sense. Now tell us more about the big bad assumption that companies make. 

Well, bottom line, IT people aren’t cybersecurity people. When I talk to stakeholders, leadership, et cetera, almost all of them are going under this false assumption that because they can do IT, they can do cybersecurity. And invariably, time after time, I end up being able to be in a position of kind of proving the leadership wrong. And that assumption, it’s a huge mistake. You’re putting your firm, your company, your organization’s future at risk over this. And in many cases, and the sad part is, there are a lot of people that are in leadership at organizations, they don’t even know that this is an issue. It’s really a big problem with the way that this is set up. Go back historically to cybersecurity, et cetera. It didn’t really start to get its sea legs, if you will, until, I don’t know, 10, 15 years ago, type of thing. It’s been progressively getting more and more exposure. But you go back to before that time. And IT was looked at as the wizards that you can go to with any technical problem. And by golly, they can sit and figure it out. But what a lot of these folks don’t understand, especially in the, we’ll call it the relatively small to mid-sized firms, a single data breach can put these companies out of business within six months. So when IT is going under this assumption they’ve got with IT that they can also do security functions, it puts everybody in an awkward position. The IT people are used to being the go-tos for technology. They don’t want to admit they don’t know things. And yet the leadership of the organizations go, well, they must know this. And so what do you do with that? Does the IT person have to say, you know what? I’m really not the right person for the security side of it. It puts them in a weird position, especially if there’s this baseline expectation out there that they must know how to go in and do these things. 
So what ends up happening is, in a lot of cases, the false assumption drives the IT people to kind of do the dance and try to cover it. But I look at it as this is the fault of, it’s gotta start with leadership. It’s the fault of leadership for making this bad assumption and permeating it through the organization. If you don’t do that, you open your organization up to a real conversation. It’s not some downfall because they don’t know about security compliance anymore than I would look at you sideways for knowing how to drive a car, but not knowing how to change out the transmission. It just doesn’t make sense to do it that way. But you’ve got different realms with different skill sets coming into play. As an organization, they should be looking at the role of IT and the role of security as separate functions. Look at your cybersecurity or security function as being almost like an internal audit function. It’s a check and a balance system between IT and the security arena. And it’s very similar to, you go to any organization, you say, all right, there’s one person that’s doing your day by day books and accounting, and there’s another function that does oversight, right? 

That function to leadership in an organization, they’re like, yeah, well, of course, and yet they don’t do the same thing with IT. It just drives me crazy. So when you’re leaving everything in the hands of IT, it also means not only are there different skill sets, et cetera, but it also means that you’re putting all these eggs in a single basket. You’ve got the folks that are actually supposed to be doing the work to make it secure, et cetera, also being the one signing off on, yeah, yeah, it’s secure. So if the person that’s trying to make it secure doesn’t really know what they’re doing when it comes to security, how are they gonna appropriately sign off on, yeah, yeah, we’re doing the right thing? It’s not possible. So now, and when you make these aforementioned bad assumptions and then they come back at some point in the game to haunt your organization, now that people have kind of heard this pod and whatnot, when that rolls out, it’s gonna be like watching a train wreck that you just can’t walk away from, is kind of the reference point because now they’ve been warned, shall we say. Sure. 

Now, I guess the next question is, what are the differences between IT and cybersecurity? 

Well, you know, they, they, they have overlapping realms of, of expertise and responsibilities, however, kind of different, different tracks, if you will. You know, IT is overseeing your day by day, your technology for managing processing information, you know, within, outside the organization. Um, you know, it’s creating, maintaining, managing the computer and network infrastructure, whether it’s a physical or a virtual one or combination of corporate and being a hosted, hosted solutions, et cetera. That they work to run optimally so that it provides the solutions and computing power that the, that the organization needs where cybersecurity on the other hand is really the protection, you know, of, uh, you know, of these, uh, various systems from both internal and external threats. So, you know, you, you, you just look at the day by day for, you know, for IT and they’re, you know, they are, you know, they’re overseeing things like hardware and software within the environment. And, uh, you know, uh, looking at new solutions for, for doing those things, uh, you know, firewalling and, uh, you know, upgrades and patching and fixes for hardware, software apps, uh, making sure that AV is working and configuring the network and cloud systems and, uh, you know, installing necessary software, migrating systems, protecting sensitive data, you know, defending, you know, kind of network endpoints, you know, all of these are things that would happen within the IT arena, but, you know, you start getting into, you know, some of the, you know, the higher end functions of IT. That’s where it starts to splay into, you know, the realm of cyber. 
And certainly within the cyber arena, you know, they’re, they’re primarily charged with, uh, you know, in the cybersecurity arena with, uh, you know, protecting, uh, you know, data assets and protecting systems from, you know, from threat and, uh, you know, looking for and, and, and monitoring for emerging risks and, and potential cyber attacks and hunting down, detecting threats to the environment, um, doing penetration testing and, uh, you know, making sure that we are in adherence with, you know, regulatory compliance, et cetera. So, you know, if you look at it this way, if, if the computer and network infrastructure was a house, you know, IT would be in charge of architecting and building and maintaining the structure where, you know, cybersecurity would be in charge of keeping the wrong people out. Um, you know, using the, you know, using the IT teams for cyber, um, you know, it’s like expecting your remodeler to be providing home security. Uh, it’s just not, uh, the, the, the two just don’t wash, if you will. 

I will. And, you know, I guess, what are your thoughts in general about day-to-day IT companies that also offer cybersecurity services? 

Well, you know, third party IT providers, they’re used to operating in this kind of competitive market that really is cutthroat. And there’s an incentive for these organizations outwardly to present themselves as security experts, you know, so that they can add more line items to the, you know, to the bill, so that they can be the one-stop shopping. One thing that the folks that offer, you know, IT services, you know, it’s been an arena where they’ve really had to kind of watch, you know, mend their fences, you know, watch their perimeter, you know, watch out for somebody else trying to encroach in their territory, you know, and, you know, and whatnot. And so they tend to take on a notion of being kind of a jack of all trades. That said, it is astoundingly rare in my experience that you find a day-by-day IT company that adequately provides the cybersecurity services, you know, I have seen this. Adequately being the operative word there. Yeah, exactly. I mean, hey, anybody can go half-ass it, but, and there’s lots of them that do, but, you know, the reality is that I just, I’ve seen countless instances with client engagements where whoever it was that was doing the day-by-day IT, they weren’t, it ranged from, you know, like I said, in a very few rare cases, you’ll get these, you know, get folks that actually do know what they’re doing. But in most cases, they’re doing the, you know, they’re trying to, you know, they’re trying to do the dance, but failing miserably, you know, and, or in some cases, I’ve seen companies literally flat out lying about their capability, what they’re doing, how they’re doing. I mean, you start scratching below the surface slightly and, you know, and all of a sudden things start to fall apart. It’s kind of a fake it till you make it mentality. It’d be a good way, a good way to put it. I mean, I was, I was helping a company get through a series of different security and compliance engagements. 
They had this third party that was doing the day-by-day. I started to do, you know, started working with them and I walked with my eyes wide open. I don’t judge out of the gate. I just, I’ve got a backdrop of experience, yes, but I don’t judge before I get going. But that’s that and we got going and I needed to get a sense of the current situation. I interviewed a bunch of people at the, at the client and with their, with their provider. And I wasn’t, I wasn’t expecting a lot of expertise from the internal folks, but I was, I was assured up, down and sideways. Oh, our IT provider, man, they got, they got the, they got things eyes dotted T’s cross. This is going to be the easiest engagement you’ve ever had. Oh, great. I’m looking forward to this and sure enough, you know, go walk in. And even in the initial dialogue, I’m like, not adding up. And, you know, it wasn’t long and they didn’t even know basic, you know, basic cybersecurity, you know, practices. Their idea of central logging was the fact that they had the logs on, on the target system so that you can go in and look at them. 

They didn’t even understand the concept of central logging. So, you know, there, there, there really wasn’t, there wasn’t any infrastructure for any central logging, um, dozens and dozens of other core concepts for security and compliance were missing. Um, they didn’t have an update, they didn’t even have an updated and accurate inventory. There wasn’t an hour diagram, you know, the most basic elements of a, you know, of a program weren’t even to be had. So, uh, the, the policy was a mess and, and, and, and, and bottom line, you know, the, the, this experience that I had, it’s not, it’s not some one-in-a-million, you know, thing that happens, it’s, it’s quite frankly, the vast majority of them. I mean, if I had to, if I had to look across the variety of day by day IT firms that I’ve had. Oh, pleasure of working with. Deliberate pause, finding the right word. But if I have to think about it, I mean, I can tell you with absolute assurance, I can count on the fingers of less than three fingers, the number that actually had their act together. So it is far more rare than you would think. And the problem for these providers is the minute that you have somebody that actually knows what they’re doing in the security and compliance space, it becomes crystal clear really quick, whether somebody’s walked this walk or they haven’t. And the minute you’re talking with somebody that’s doing the fake it till you make it, then I mean, you see through it like a thin cheesecloth veil type of a deal. They may be able to fool people that aren’t in the space that don’t know what they’re doing, et cetera, but you’re not going to fool somebody that’s been in the space for decades. It’s not happening. So if an organization is relying on that IT company to handle their cyber, my bet is you’re probably rolling the dice there as well. 

Now, word has it that cybersecurity professionals are cheap to acquire, right? 

You almost, you almost kept a, kept a straight face on that one. I was proud of you. Um, no, you know, it, you know, who do you need to bring in to, to, to fill that gap? Uh, I’m the reality is, is that if you’re looking to get somebody that’s got experience in this space, generally speaking, I mean, you are talking about a freaking re you’re talking about a resource that’s depending on the market. Yeah, I don’t know, 150 to 250 K annually. Um, you know, type, type of a thing somewhere in that ballpark, like these are effing expensive resources. So, um, you know, uh, to that end, you know, the, the one big recommendation that I’d have for organizations, a lot of them will tend to, you know, kind of go to their, uh, you know, go to an assessor and try to get them to hold their hand, et cetera. And, you know, what I would say to that is, is that there’s a couple of competing thoughts there. The assessor, of course, they know what they’re doing, uh, but their job’s to evaluate your organization against your target framework. When they, you know, their job is to come in, do their, do their evaluation, validating, vetting, et cetera, help you work through any, you know, help you help reevaluate any items that had to go through any modifications or changes. Sign on the dotted line, walk away, come back, you know, come back next year. It’s it, their role is not to sit there and hold your hand as you’re trying to figure everything out from day one. You know, and, and don’t get me wrong, the assessors of the world will certainly provision high-level directional guidance, but, you know, their, their role isn’t to become part of your de facto internal operational security team. Um, you know, for, you know, for in a lot of cases, and here’s what a lot of folks will miss for this really, really scrupulous, uh, assessors out there. It would frankly be a conflict of interest for them to be both responsible for the day by day and simultaneously assessing your stance. 
So, um, you know, my, my recommendation, my suggestion would be, you know, get an organization that provisions security consulting services, a firm that can act as your internal audit function. Um, you know, the, the big difference here is that their job is to help you get from wherever you’re at to wherever you need to be. Um, the coolest part is, is that those consultants, they’re on your side. It look at them as, uh, you know, an outsourced internal audit function, no different than if you went to hire the 150 to 250 K resource, it’s the same type of notion with the consultant. It’s just, they don’t happen to be, you’re not bringing them in at a full-time price tag, um, you know, they’re not going to judge you based on whatever state your organization’s in when they first walked through the door, you know, their job is to get you where you need to be, uh, reduce risk to the organization, prepare you to meet, uh, your, your, any additional security and compliance obligations that come to the organization. 

Um, and, uh, depending on, you know, depending on what their, you know, what their role is, what you, what type of a, of a, you know, kind of path you have for your company, they could be doing things like helping responding to security questionnaires and going through external assessments. Um, you know, because the consultant is part of your team, you can be totally honest with them about what’s going on today, what are we doing and how you don’t need to worry about, you know, worry about a skeletons in your closet, you know, the, the, the consultant’s not there to go report you to the assessor, um, they’re here to help you, you know, help you navigate through it, help you get through it. And they don’t care about whatever happened before. They just try, they’re just trying to get your organization in shape. You know, certainly TCT does security compliance consulting, uh, for, uh, many organizations and have for, uh, multiple decades, but, um, you know, we, we also work with different folks in the space, et cetera, um, you know, and whatnot. So we can make referrals to companies, uh, we can also help, you know, help you directly, whatever, but, uh, whatever you decide to do. And I mean this, don’t go in alone, get somebody in to go give you a hand. I, I, I literally, I stepped into this space because I had to go through security and compliance myself, trying to figure it out for the very first time. And, oh my God, do I wish that I’d had somebody like now me, uh, to be able to say, Hey, let me hold you in. Let me walk you through this. Let me get you there. You know, things along those lines, it is, uh, it is by far, you know, the best, safest, most effective way for your company to be able to improve its posture, reduce risk, and navigate the waters of security and compliance, uh, smoothly and effectively. 

Now, what is a cost-effective approach to improvements in cybersecurity posture? 

So a couple of, a couple of different things. You know, you want to, give me just one, cut it right here Todd, sorry. I lost my spot. Thank you. Okay, let’s do this here. I figured out what happened. I was just supposed to talk about the pricey resources and then I was supposed to hand it back to you for this one. So just skip this question and let’s just move straight into this one.

Okay, sounds good. I’m going to throw another mark and then we’re going to come back in. What often happens in organizations new to the cybersecurity arena in terms of their interaction with IT as issues are discovered? 

Well, you know, the, you know, a lot of the times I’ll, I’ll get the, I’ll get the question. Um, you know, I’ll get the question of, uh, you know, yo, so what happens as we’re, as we’re tripping through this stuff, you know, once the leadership recognizes that it’s not appropriate to just depend on IT, um, then you’re going to need to, uh, you’ll need to get started with doing an initial gap assessment of the organization. Uh, and I will absolutely guarantee there’s, this is the first time that a consultant’s coming in to assess your existing stances are, they are going to find all kinds of gaps and holes that you never knew that you had. Uh, and there’s going to be a lot of items that need to go through, get buttoned up, fixed. Some of them may be larger, some are going to be smaller, but they’re going to trip across a bunch of stuff. And when that happens, it’s going to be tempting to, for leadership. And I’ve seen, unfortunately I’ve seen this at organizations where they want to point fingers at IT for dropping the ball and well, why weren’t you doing this? And it seemed obvious you should have been doing such and such. And why didn’t everybody notice it and fix it and da, da, da, da, da. Please don’t do that. Um, remember your IT folks, they aren’t experts in cybersecurity and they’ve been doing their absolute best until this point. Um, I, I said earlier, the fault isn’t with your IT. The fault is leadership has a bad assumption. So don’t flame your IT people on your bad assumptions, you know, it’s, it doesn’t make sense. Uh, you know, if the, if leadership is throwing the IT personnel under the bus over findings or making some insinuation, they aren’t doing their jobs. Well, yeah, you’re, all you’re doing is just flaming a good resource, but quite frankly, doesn’t deserve that heat. Uh, IT, my experience is most of the time, it’s not that the IT people don’t care. It’s just, that’s not their specialty. It’s not, and it’s your bad assumption. 
So don’t burn them on it. Um, you’re gonna lose good people who have given blood, sweat, tears to your organization. Um, the way that I look at it is it’s critical that the IT staff are well supported within their realms of expertise. They’re, you gotta remember they’re not security experts and they, and they, and they shouldn’t be, um, you know, there’s, there are two different career paths, two different sets of skills, backgrounds, knowledge, you know, and your IT people, you know, shouldn’t have been thrown into this realm of taking on all the security stuff to begin with. Um, you know, you’ve gotta, you’ve gotta make sure that you keep that in mind. So, you know, as you’re bringing on those security experts, it is unbelievably important, make sure that you’re kind of affirming the work of your IT folks that you’re being supportive as you’re going through the process that you’re communicating, you know, through the, you know, through the experience and making sure that they know that the IT folks know that you’ve got their back. 

Um, you know, make sure that, you know, uh, that I, that you have a leadership that’s going to kind of walk that walk, uh, as you’re, as you’re going down that path, it’s going to be, it’s going to be unbelievably important and, you know, it’s really not the fault of those poor, poor IT folks. What I, what I would say is that by and large, when I have an organization where this, where it occurs, that you don’t, where the leadership gets it, they understand their bad assumption, they are, are turning that, uh, you know, turning toward being supportive of IT, using this as a learning experience attack. It is a very supportive environment. It is an environment where quite frankly, the IT people will learn. They will adapt, they will adopt in it. Everyone will be better as you go through that process, but I just, I’ve seen, I’ve seen way too many, uh, organizations shoot themselves in the foot by tripping over that one. 

Hm, parting shots and thoughts for the folks this week, Adam. 

Sure thing. So I get the dynamics that are involved with a cybersecurity program, and everybody’s trying to make ends meet in the most cost-effective way that they can. A lot of folks will have a notion of, hey, if we can just kill two birds with one stone, then why wouldn’t you? Why wouldn’t you just have the IT people taking care of the security stuff? The problem with this scenario, there’s a lack of clarity, there’s a lack of truth, there’s that bad assumption that all come together for a perfect storm for organizations to increase the risk to their organization, and in some cases, significantly. You don’t want to play around with the viability of your company, relying on ill-equipped IT personnel to take care of security. It opens your organizations up to all sorts of holes in your protective armor. It’s not just one weak point that could get missed by an attacker. There’s a lot of different weak points throughout an environment under that scenario that are going to expose your company to attacks. So you want to be supportive of your poor IT folks. Give them a break. If you can get leadership to have light bulbs that are going on, that would be fantabulous. If you can get yourself a cybersecurity consultant that can kind of be a partner to leadership, be a partner to your existing IT staff, even your existing IT company. As I’ve done these engagements over the decades, some of the most fun engagements that I’ve been involved in is where the organization had its head on right, they’re no longer making the bad assumption that either the IT personnel or the outsourced IT company is in a good place, they understand that this isn’t a threat, and they understand that it’s part of the solution. It’s been a really fun engagement because you’re watching the light bulbs going on, you’re watching this company going from where they were to making a continuous, steady stream of improvements, and that’s really where it’s time to get a hell of a lot of fun going on. 
It’s just a really, really good time when you see the light bulbs going on like that. 

And that right there, that’s the good stuff. Well, that’s all the time we have for this episode of Compliance Unfiltered. I’m Todd Coshow and I’m Adam Goslin, hope we helped to get you fired up to make your compliance suck less.
