On LinkedIn earlier this week, Brian Blakley posted about whether an IT service provider / IT MSP should also offer IT security oversight services (sometimes referred to as CISO services).

My thoughts?

  • IT security is not the same as IT service. Being good at one does not mean you are good at the other*.
  • Even if an IT service provider has the relevant security expertise in-house, how can the obvious conflict of interest be avoided?

Where’s the potential conflict?

  1. An effective CISO must regularly check the work of the organisation’s IT service provider.
  2. If the CISO works for the IT service provider, this is an employee checking the quality of their employer’s work, and then reporting their findings back to their employer’s client.
  3. If the CISO discovers serious gaps, there is a significant risk that the CISO will be ‘encouraged’ by the person who pays their wages to downplay the significance of these gaps when reporting back to the client.

What do you think?

I provide independent IT security advice and oversight services…

and I frequently audit the work of IT service providers.

So, I am obviously biased!*


Just because I’m biased…

Doesn’t mean I’m wrong.


* If you read through the comments in the post, you can see discussions about the perceived flaws in my argument, and about the inherent value of the Three Lines of Defence. And I have encountered one or two IT MSPs who also provide excellent security oversight. But that’s one or two out of the dozens that I have encountered.