Checking Your Own Homework: The Need for Cybersecurity Independence

Managed service providers (MSPs) have become an integral part of the technology and information security management plans for many firms, with the global MSP market expected to grow to approximately $500 billion by 2030. While the number of vendors in this space remains expansive, the last few years have been marked by the consolidation of information technology (IT) and information security (IS) providers, narrowing the options for independent cybersecurity oversight.

For firms seeking efficiency in third-party contracting and due diligence efforts, this consolidation can seem like an easy win. However, the pursuit of efficiency through consolidation can have unintended consequences, diminishing the firms' confidence in the impartiality and independence of guidance from their cybersecurity providers.

The risks of overlapping responsibilities

Without IS and cybersecurity program independence, it is difficult to fully understand and manage the risks that cybersecurity poses. Firms that lack this independence in the cybersecurity function inadvertently create unique risks for their organization, including potential conflicts of interest, shared bias in guidance, and an increased risk of cybersecurity incidents and operational disruption.

1. Potential conflicts of interest: When an IT service provider also handles IS coverage, it becomes challenging for the IS program to fully evaluate the risks arising from the policies and procedures employed by the IT department, creating a conflict of interest. The IT department is responsible for the efficient operation and deployment of technology across the organization. In contrast, the IS program focuses on mitigating cybersecurity risk. Consequently, the mandates of the IS program, by their nature, can slow down business operations. This difference in objectives can put these two functions at cross-purposes, making it more difficult for the cybersecurity program to accurately assess and evaluate the risks undertaken by the IT program.
2. Shared biases: The lack of true independence in combining IT and IS programs into a single vendor or in-house option can introduce biases in the guidance provided to business owners. If the IT function or vendor adopts a stance that certain risks are not significantly important to the firm, the cybersecurity program must be able to validate those assumptions.
   
   Conversely, if the cybersecurity program assumes that certain risks related to technology usage and adoption are too significant to be taken on without independence, the IT program may struggle to push back against that guidance. Shared assumptions about how work is conducted within the organization, how risks manifest externally, or the best methods to mitigate organizational risk, can lead to potentially flawed biases and assumptions infiltrating both workflows, compounding the potential damage caused by these assumptions.
3. Increased cybersecurity risk: Additionally, combining IT and IS vendors into a single program or operational set amplifies the potential impact of cybersecurity disruption. Many service providers in the IT space and managed service security providers in the IS space have become common targets for cyber attackers, and for good reason. Breaching a single MSP can potentially grant an attacker access to the information technology infrastructure of hundreds or thousands of firms. Cyber attackers often exploit third-party service providers to move laterally between systems and target much larger firms.
   
   For instance, a global aerospace company had a significant amount of their data exposed because a vendor failed to patch the Citrix bleed vulnerability. When IT and IS service providers are amalgamated into a single platform, this increases the attractiveness of these targets to cyber attackers. Breaching such a provider now provides access to both IT and IS infrastructures within firms, and a single disruption can impact the operations of both corporate functions.

Beyond these risks, there is a growing focus from regulators like the U.S. Securities and Exchange Commission (SEC), Financial Conduct Authority (FCA), and the European Securities and Market Authority (ESMA) on the need for firms to maintain effective and robust cybersecurity programs. While there may not be specific mandates that IT and IS programs must be separate, there is a clear emphasis on creating, maintaining, and updating robust cybersecurity procedures that are free of potential conflicts, independent in their guidance, and thorough in their scope.

While firms may seek cost savings and efficiency by consolidating IT and IS functions or using a combined service provider, the challenges mean they risk greater regulatory scrutiny or deficiencies.

The value of independence in cybersecurity

Maintaining independence between IT and IS providers, or in-house departments, not only creates a stronger defense for the firm against cyberattacks, but it also allows the functions to maximize the value they provide to the firm. These advantages include:

1. Reducing downside risk: Independence acts as a safeguard against internal and external threats. The ability to assess risks objectively, without being swayed by conflicting interests, minimizes the likelihood of oversight, and enhances the organization's resilience.
2. Adding value to business: Independence is not merely a defensive strategy; it adds value by promoting innovation and efficiency. Unencumbered decision-making allows for the swift adoption of emerging technologies and proactive measures to stay ahead in the digital landscape.
3. Regulatory expectations: Regulatory bodies emphasize the need for robust cybersecurity programs. Independence ensures adherence to compliance requirements, shielding the organization from potential legal repercussions and demonstrating a commitment to cybersecurity best practices.
4. Reputational/Investor confidence: Independence instills confidence among stakeholders, including investors and customers. The assurance of an unbiased and autonomous cybersecurity framework enhances the organization's reputation and builds trust in its ability to safeguard sensitive information.

Independence between IT and IS providers positions firms to ensure they receive the most objective guidance from these two critical functions or service providers. While combining these two functions or service providers may create some efficiency gains for the firm, it creates unnecessary blind spots in cybersecurity risk management, and limits the value both functions can add to the firm.

How we help

We help our clients reduce their cyber risk and strengthen their line of defense against destructive cyberattacks while building and maintaining independence between IT and IS providers, or in-house departments. You can combine cybersecurity services:

• Aponix Protect^TM is a cybersecurity and technology risk solution that helps you build a comprehensive risk management program tailored to your business needs.
• ACA Signature combines cybersecurity with compliance advisory services,  innovative technology and managed services for a scalable solution that can help you gain expert insight, guidance, and support as you navigate emerging challenges.

Reach out to your ACA consultant, or contact us to find out how ACA can help secure your firm against cyber threats and comply with regulatory expectations.