Trust but Verify – Keep Your IT & Cyber Vendors Separate


The old adage “Trust, But Verify” is ingrained in our culture as a common-sense rule of thumb. And yet we continue to find in hindsight that this adage is often ignored. In the financial services industry, Bernie Madoff provided a stunning reminder that verification was more important than trust when it came to fund valuation.

So why would an organization managing millions or even billions of dollars of client funds entrust the security of its IT operations to the internal IT department or an IT managed service provider (IT MSP)? At first look it might seem to make perfect sense: the team members are all on staff, and if there’s a problem there’s only “one throat to choke.” After all, IT and IT security are one and the same, right? Wrong!

IT skills are inherently focused on providing IT operations, not security. In fact, IT security, or “cybersecurity” as it has recently been ordained, is a completely different skill set. Moreover, cybersecurity requires real-world, hands-on experience built on years of offensive- and defensive-minded work in which one is forced to think like a criminal. These are not at all the skills or experiences of a skilled IT technician whose primary focus over the course of their career has been to do everything possible to make IT work seamlessly (and cybersecurity is often not seamless).

Moreover, entrusting cybersecurity to the IT department or IT MSP vendor means that there is no additional oversight (or verification) of the quality or efficacy of the controls in place (or the ones that SHOULD be in place). And if there is a data breach or a related crime (think wire fraud) as a result of a security lapse, the culpable IT individuals will not be inclined to self-report or admit fault. Ironically, the individuals responsible for the security lapse are also the ones appointed to investigate the breach, and from there the cycle only gets worse.

Net-net: when it comes to the protection of your client data and financial assets, trust but verify by relying on a separation of duties between IT and cybersecurity.

Contact our team for more information.