We already have an IT Services provider. Do we need an IT Security provider as well?

If you operate a small to medium sized business or organisation, it’s likely that you’ve outsource your IT Services to an external IT Managed Service Provider (MSP). Your MSP probably takes care of everything IT related, from end-user support, to managing and hosting your infrastructure. You may be wondering, then, whether you even need a separate IT security provider such as a Managed Security Services Provider or (MSSP). In this article, I will highlight some of the key differences between IT Services and IT Security, as well as why you may wish to engage an IT Security provider to compliment your IT Services function.

IT Services and IT Security have different, often competing objectives

Your IT Services department is focused on enabling your business in the most efficient and cost-effective way possible. In other words, IT Services are focused on availability, ease-of-use, and timeliness. In addition, if you engage a third-party provider, such as an MSP, you’re likely billed in 15 minute increments, which may lead to providers taking shortcuts such as using default configurations, not enabling security settings, and not maintaining systems. This isn’t necessarily the fault of IT Services providers, it’s a matter of expectations. It can be hard for an IT Services provider to justify spending hours or days post-implementation hardening systems once they’re already functional.

On the other hand, the objectives of IT Security are typically focused on protecting the confidentiality and integrity of information first and foremost (though, this depends on the asset). This isn’t always front of mind for you or your IT Services provider. Additionally, security is typically at odds with convenience and usability by nature, requiring strong authentication controls and IT usage policies that introduce hurdles for the sake of security. If it’s less convenient for users to log into a system due to multi-factor authentication, it’s going to be less convenient for attackers to break into the system.

To illustrate this, we can have a look at the CIA Triad. IT Services are mostly working to ensure uptime (Availability), where as IT Security providers need to address Confidentiality and Integrity as well.

Much of IT Services is reactive, much of IT Security is proactive

A lot IT Services work is ‘break/fix’, meaning issues are addresses as they arise, like having to reset a forgotten password, reimage a misbehaving computer, or troubleshoot a printer that is no longer working. Most of the remaining work is made up of service requests, like adding a new user and email account, ordering new hardware, or setting up new software applications.

In addition, there is likely a large backlog of projects that your IT Services team are trying to find time to complete, like migrating a customers old on-premise Exchange server to the cloud, on-boarding new customers to the CRM, or upgrading an aging core switch in the datacentre.

At the end of the day, there isn’t much time to take the proactive steps outside of monthly server maintenance checklists. It’s unlikely any of your IT Services technicians are going to take the time to start checking through security logs, researching the latest threat campaigns, or hardening your standard-operating-environment (SOE) image per CIS benchmarks. All of these are important, but they don’t produce any measurable, tangible outcome, especially based on the traditional expectations of the IT Services provider.

IT Security providers introduces security-focused, proactive services, aimed at uplifting your cyber security maturity. These services include:

• Creating a Risk Management program, to help you understand the cyber risks your company faces and how to address them,
• Developing and operating your Patch Management and Vulnerability Management programs, ensuring systems are patched regularly before vulnerabilities can be explotied,
• Increasing your security posture by helping you achieve the ACSC Essential Eight maturity level three,
• Identifying weaknesses in your systems, staff awareness, and business processes by performing a Penetration Test.

IT Services and IT Security personnel have different skillsets

Your IT Support team are experts in Microsoft and Linux systems administration, Azure administration, system deployment, cloud migrations, desktop support, and end-user support. They make sure things are working when they need to be working, so your business runs smoothly. Common industry certifications for IT professionals include MSCA, CCIE, and cloud certifications from Amazon and Microsoft.

IT Security professionals see the world differently. They are always looking for risks, threats, and vulnerabilities in networks, often thinking like an attacker, and are skilled in cyber security related disciplines such as penetration testing, secure coding, security awareness, malware analysis, and incident response. Common industry certifications for security professionals include CISSP, OSCP, and Security+.

Both of these skillsets are necessary in operating and securing your IT environments.

Be aware of MSP’s who have recently rebranded themselves as MSSP’s without first hiring experienced cyber security professionals!

You can’t mark your own homework

You may trust that your IT Services team are doing everything they should be to safeguard your organisation’s IT assets and reputation, however, it’s not possible to validate this without having your network assessed by an independent third-party. Your IT Services team should understands that it would present a clear conflict of interest to assess their own performance, and shouldn’t object to you engaging an IT Security provider to provide a fresh pair of eyes – even if it means they could uncover areas where your IT Services provider need to improve.

A penetration test, red team simulation, or security audit will reveal any vulnerabilities, misconfigurations, and areas of improvement. Your IT Security provider will work with you and your IT Services provider to address any findings and recommendations, resulting in all of us being more secure.