Outsourcing Cybersecurity Management Makes Sense

Welcome to another episode unraveling IT. Today, we have the CEO, Brian Harmon with us today, and we’ll be talking about why you should be taking a holistic approach to cyber and IT. Brian, thank you for being here with us today. Yeah. Thanks, Lexi. Good to be back. Excellent. Awesome. Well, let’s just go ahead and get right into it. So sometimes we hear, I and cyber security discussed as two different disciplines. It’s like IT is the nuts and bolts of business and technology, and then Cyber security is preventing hackers and data breaches. They are related, but separate disciplines. What’s your perspective? Yeah. Lexi, I mean, it’s a great question because we get it all the time and and talk about it a lot. And the they really aren’t too separate things anymore. They’re still treated that way. It’s definitely a a kind of a legacy mindset around, the use of of cyber technologies being bolted on to IT. But it’s it’s definitely not that way more. Cybersecurity needs to be the foundation that that a business technology environment is really built upon. Gotcha. And people tend to treat them like they two separate things? Yeah. It it’s it’s what we see most often. And and as I, you know, mentioned before, it’s it’s kind of the legacy mindset. And and I think it really comes from the, IT’s kinda always been there for for a lot of these business and then at some point, they said, oh, we need to do some cyber stuff. And so they started adding on a little bit of cyber here in there, or they looked towards an out provider to trying to use some of those cyber capabilities. But but they haven’t addressed the holistic, business technology environment to make cybersecurity really that foundational piece that guides them in all of the IT and technology decisions that they make. Gotcha. And, how does the company end up treating the most two separate things? Yeah. It it’s it’s pretty easy. It and even often in a managed service provider, like ourselves, their viewed is is too things. And so I’ll kind of give you two examples of that. One is in MSP, and the other is in kind of a typical customer that we see And in an MSP, what what happens is that MSP says, oh, man, we need to do the cyber stuff. And and maybe that was five, six years ago. Like, was for us. And then there’s a choice to be made. You have to decide, am I gonna go build this and invest in it? And have it form really the way we deliver our services, or am I going to go and find a third party that that I can say is my security team, but isn’t part of my organization. And and I’d say the vast majority of managed service providers, use another managed service to provide them with those security services. A few of us, Corsgovine One said, we recognize, you know, cyber’s not a bolt on it’s not an add on, it needs to be part of our DNA. And it needs to to really be pervasive in in everything we do, which is why we actually deliver our IT and cyber, while they’re separate disciplines, you know, in in other words, separate skill sets within the team, they’re on the same teams. Internally. And so they’re incentivized around this tight partnership and working together. From a customer perspective, we generally kind of the same pattern, but but it’s a little it’s a little bit different. Very large organizations will say we wanna go this on our own. We’re gonna go hire security analysts. We’re gonna bring in a bunch of tools, and we’re gonna try to have that permeate the culture from the IT side through the rest of the business. That usually doesn’t work real well. You end up with, kind of a bespoke way that the cyber exists. Maybe the executive team’s not on board with all the changes that need to happen. The other way that’s done is that they go hire a third party, an MSSP, so a managed security service provider, and their job is to simply monitor and detect and respond to the security incidents that happen. And so those Those ways of kind of separating IT out, out away from security and saying security is its own thing over here. They’re gonna alert IT when needed. That’s what creates that separation. I think we we all realize what happens anytime time, you know, we we separate things that need to be integrated together. Yeah. So we take a a much different approach and we take a holistic approach, without you know, giving all the secrets. Can you kinda go into I know you said it it’s more integrated. Could you go a little bit more inter into how that integrated? Yeah. So so, you, you know, much like I I alluded to you just a minute ago. When they’re not, integrated. You have an IT team who’s responsible for the business technology being, you know, available. And running end users being able to do the work that they need to. And then you have a cyber team that’s trying to watch everything that’s going on and then tell the team, hey, you can’t do that, or you need to fix this because it happened. And there are two different teams with two different purposes. And because they have two different purposes, whether it’s insourced or outsourced, it ends up creating, you know, kind of a natural, like, lack of ownership. Right? Oh, no. That was them that was supposed to do that. In security is the area that we just can’t afford Right. To have a single misstep. So the way Corsica’s approach that is that we put those teams together. They’re under the same leader. Again, separate disciplines, but they’re they’re delivering these services at the same time because we recognize you can’t have a cyber event and respond to that without having network experts. You can’t have a cyber event that happens in the cloud without having cloud and IT experts. So you need to partner those disciplines together. So they’re on the same team looking for the same outcome, which is a rapid response to a security incident that prevents that from becoming something very expensive. Yeah. And we help them clean up afterwards. Right? Yeah. Yeah. That too. So So, you know, I I tell people a lot that, like, in my own terminology, like, security incidents happen all the time. Right? Somebody tries to log in to one of my personal email. I get the security notification. You know, somebody in, I don’t know, South Africa tried to log in to, you know, one of my personal email accounts. Alright. That’s a security incident. It was prevented because I have multi factor on that. Well, these security incidents happen all the time. Well, we wanna stop them from becoming as an event. An event is once that turns into, you know, a loss of something. It could be a loss of money. It could be a loss of data, personal information, that kind of thing. And so good response and and good handling of a security instant all comes down to what things happen and what order and who’s responsible for the outcome. And that’s what we see when when we see a incident turned into a security event, and we look at that after the fact. It almost always comes down to what we probably the visibility. We just didn’t do the right thing with the visibility that we had. Mhmm. Yeah. I know it’s gonna I was actually gonna go into what can wrong, but I think you pretty much covered, you know, what can go wrong. Well, there’s a lot more that can go wrong. I think those are the the simple things that that can go wrong. But just just by way of example, we worked with the company after an incident had occurred, and they had all the right things in place. It. If you listed it out on a piece of paper, you’d check off all the boxes and be like, wow, they should be in a great spot. Mhmm. They had an MS and they had an MSSP. And the the problem occurred, the MSSP detected it, The MSP got the notification from the MSP, didn’t respond in time. And as a all, that that became an event for this business. And, ended up costing them hundreds of thousands of dollars on something that that they’ve done right. And again, it comes down to this, this, have we made security a part of the way we do technology or security this thing added on to our technology. And you have so much of what we do with businesses and what we encourage them to do, whether they work us or somebody else is you’ve got to go through that exercise to say, we are a technology company. If we use m three sixty five, if we use technology to run our business, like it or not we’re a technology company. And that means we’re also a cybersecurity company. So we have to do the things that are required of us to protect our business, protect our employees, and protect our customers. Gotcha. Thank you for that. That was, those I guess, it was way more, it was way more than I thought it was. I, I guess, I wasn’t aware how deep really gets. And honestly, we’re scratching the surface, I think. Yeah. Yeah. And I think, you know, one of the the natural questions that I have is Okay. Well, Corskka is an outsource provider. How do we prevent that same kind of feel of being a third party rather than being a part of the team when we work with an organization. Because You know, every every business has to ask themselves. Are we gonna partner or are we gonna build our cybersecurity discipline. And the way we’ve structured our offerings are such that we’re partnering with those MSP or with those customers in a way that as the SP. We’re providing the security, but we’re also responsible to to resolve and remediate those things. And we even provide a guarantee you know, around that because that’s how confident we are in our ability to to come in and take ownership of it and take that weight off of shoulders. But it it it goes beyond that because we’re gonna help them build, cybersecurity into, to really the their culture as well. And and it takes that culturally. If the executives aren’t on board, it’s gonna be really tough to get the right cybersecurity in place. Is there a reason why the executives would it be on board? Well, I think usually it comes down to value and and how does it fit in the strategy. And and as technologists, We’re just historically not good at presenting the the business reasons for why these things need to happen. You know, I I think of so many examples that that I’ve been a part of where it’s just viewed as like a necessary evil. We gotta have switches. We gotta spend this this money, but there isn’t a, how does this end of the growth of our business? Where are we going? Are are we gonna become an e commerce based company? Are we going to pursue technology in a way that helps us drive more profit. Because then all of a sudden, these these things become more interesting. And, not just in but strategic. And and security has to be strategic. When when we as executives, think about our businesses, risk management is a huge part of what we need to do. We here at Corsica, we we look at those risks as a business and say, what are we going to do to mitigate those risks? And, Cyber security tends to land on there. It’s like, well, we’re gonna get insurance and check that off. But, but it’s a much broader strategy than that. And that’s where folks like Ross, our, our VISAZO and, in our own chief information security officer, really coming to you being part of that decision making process to guide an organization through what do we need to do for cyber security Gotcha. It’s real I mean, it really is integrated in every part of Corsica’s secure. So, what’s the bad news on the non integrated approach and what’s the good news on the non integrated approach? What do companies get out of it, and that they can’t get anywhere else. Yeah. So, I mean, from a from an integrated approach, it it really comes down to the the good thing about it being integrated is you know, that that you’ve got the kind of the classic one throat to choke when it comes to you, you know, who’s responsible. And it and it comes down to ownership. I know for me, I I want to know who’s responsible for what. And when you have a couple of people who are responsible for something, you know, nobody really is. And so the integrated approach means that that we have people who are all mutually incentivized around the same positive outcome for the business. And it’s it’s just the inverse for for non integrated. You’ve got too many holes of who’s really responsible. If we sit down in in that event, I’ve sat in some of these meetings, with a new customer who we acquired because they had a security event and thought they were covered. And, you know, what they wanna know is, well, why? Why did this happen? And when you don’t have that that single, owner of cyber security and and technology together, it’s it’s really hard to get to the bottom of what really happened. Yeah. Reminds me, just thinking about it kind of reminds me of like a relay race, or you’re constantly passing the baton to somebody else. And when it comes to cybersecurity, you really to sprint. And that and I mean, that in more ways than one could you have to act fast. You know, you can’t rely on somebody else to pass it here and then pass it here pass it here. But, if you rely on one, which is us, I think, it will work out a whole lot better, obviously. What’s Let’s say an organization wants an integrated approach, but they wanna do it in house. What does it take to do this well? Yeah. A lot of time and and money and expertise. So, you know, I think I mentioned at the beginning that that some organizations choose do that. They tend to be very large. You know, in order to to have, you know, people actually watching these things twenty four seven, Yeah. You need a security staff alone of of around seven people by the time you handle, time off, and and that kinda then you have to go buy the tools. So you have to buy a stack of tools. You have to integrate those tools together. Very few of them come pre integrated. So you have this ramp up time, and then you have to retain those people because, you know, just like any kind of fast evolving, business or job. A security analyst today is looking to make that next move tomorrow. In So they’re they’re likely not gonna be real happy staying, you know, in that single organization unless it’s very large, you know, I mean, think fortune one hundred companies. I think for most of us that are, you know, in in kind of the the small to midsize space. It it’s just really hard to afford to do that. Now for Corsica, we we do that because we have a huge variety, hundreds of customers that that we provide those services to. So we’re able to build the expertise, provide the twenty four seven coverage and really have tightly integrated tools that are consistent. Gotcha. And How does an integrated approach lay to groundwork for digital transformation? Yeah. So this is a great question. So every business wants to do digital transformation. And and the reality is we’re we’re all doing it. Whether we realize it or not. We’re changing the way we operate. A lot of that happened really rapidly, you know, in twenty twenty as people went home and actually had to start using collaboration tools that they already have. Yeah. But but what we see when innovation happens in a business is innovation opens a window typically in to these systems. And if we haven’t built security into that DNA, you know, how do we operate? How do we expand our technology? Then we’re way more likely to accidentally, you know, expose some word in. I’ll I’ll give you an example. Lexi, the the classic example is, you know, I’m I’m the CEO of the company. I want some new dashboards, and I want them in Power BI. Well, in order to do that, we might go and open up some APIs to different systems that we use and start funneling this data into Power BI. It’s very easy in the process of getting that done and and proving to the executive team that, hey, we can do this and look at all this visibility that we can accidentally expose our information to, to third parties or to the internet, not even realize it. Having a security posture in in security It’s kind of part of our DNA in the way we operate means that that we have the right checks and balances in place so that as we make these innovations, we’re making them in a way that is careful, thoughtful, and secure. Gotcha. And so just to round it out, and, you know, and on a good note, if I don’t know what I’m doing, if I’m a business owner and I’m like, you know, all this sounds like a lot, but I don’t really know to start. What questions do I need to be asking? Who do I need to be asking these questions to? Yeah. You, you know, like, that’s a that’s a great question. And it’s super practical. And it’s what, you know, we as technologists oftentimes are the worst at, which is, you know, taking all this stuff that we talk about and saying, you know, what are what are three or four things that I could go do or ask that are gonna either help me sleep better at night or or maybe not. And and the the first is, you know, if you’re in a in a position of leadership over an IT team or or make those decisions budget, maybe it’s a CFO controller, someone like that. Go ask the IT team or copy the incident response plan. When we have a security incident, what is, what is our documented procedure for how we handle that? Because what I can tell you from experience is it’s not documented and it’s not rehearsed, it won’t happen. It’s like anything. Right? We get in the heat of the moment. If we haven’t been trained, who knows how we’re gonna respond? It’s the it’s the reason first responders and others, that that are in high, you know, high pressure, high intensity situations go through training because it needs to be something that that is a natural response to an unnatural situation. And so the incident response plan is is the first piece of that. And and don’t ask, you know, don’t give them the opportunity to go right just say, Hey, can you print off our incident response planning and come to my office? I’d like to understand how we do that. And then ask some questions around that. When’s the last time we used it? How confident are you in it and and make it safe for them to be honest about, well, we don’t have That’s okay. Like, that’s easy to fix. These things are easy problems to solve, and we can solve them really quickly, but you can’t solve you don’t know you have. The next is, is who’s responsible for remediating these incidents. So incident response plans in general are about containment. Right? How do we stop the bleeding? How do we triage and contain this thing? Well, the next question is, well, what happens then? Let’s say it’s it’s we can’t email. Let’s say it’s we have ransomware and, you know, we can’t process orders. Who’s gonna remediate those things. Have we thought through the the plan for the worst happens? We follow the instant response plan. It’s not contained the way it needs to be. Well, then who’s gonna clean it up? How are we gonna respond to that? And then The the next one is is really practical, and and is probably the one that’s gonna get the kind of the hardest. Response, which is, you know, can can you tell me what security incidents have happened in the last sixty days? And if you run a business of more than thirty people and it’s, I don’t know, or zero, well, probably not the truth. Yeah. Security incidents happen every single day. The question is, do you know it or not? And, you know, the the classic stat is sixty percent of businesses have been compromised and don’t know that they have been. And and I would venture say it’s it’s even higher than that. And then what are we doing to protect our new technology efforts? Maybe you have a new ERP system going in. Maybe you’re moving to some SaaS, maybe it’s a it’s a move to AWS or or Azure. And you you you should ask you know, what is our plan for protecting these things? Who’s responsible for that? Where’s that expertise coming from? And that’s that’s more of the future proofing of where are we going? But it all back to, you know, do you have somebody that you can ask? And if you don’t have those experts on your team, find a course to find someone like us who can bring that expertise to be part of your team. Yeah. Well, thank you for that. Thank you for, chatting with us today. Well, chatting with me today, about why, you know, cyber and IT need to have a holistic approach and, you know, why it needs to be integrated and why it needs to be the foundation of your business. Thank you so much for being here with us today. And Yeah. My pleasure. And thank you so much for tuning in to unraveling IT, and we’ll see you next time.