Welcome to Cash in the Cyber Sheets. I'm your host, James Bowers, and together we'll work with business leaders and industry experts to dive into the misunderstood business of cybersecurity and compliance to learn how to start making money from being secure and compliant. Welcome to Cash in the Cyber Sheets.
Hey everybody, welcome to Cash in the Cyber Sheets. I'm your host, James Bowers, Chief Security and Compliance Architect here at Input Output. Very happy to have you here with us this week. So we are very deep in audit season.
Everybody forgets that they've got to do these every year. They've also just got into a habit of doing it at the end of the year. So it would be difficult to change that.
But in any case, it's back-to-back audits this time of year, back-to-back pen tests and vulnerability assessments, everybody trying to cram them in, and everybody that calls right now asking to set a new one up asks the same thing: can we get it done for 2024? If you're calling right now, depending on the type of audit you're doing, that can be difficult. But we do have a lot of partners, so there are always ways that we can find solutions for everybody.
But don't wait. If you have waited up to now, don't continue to wait. So today I want to get back into the Dirty 13, the top 13 issues that we see when performing audits, typically on the financial side. But in all honesty, it relates to everybody.
Today, I want to get into some of the misconceptions about when you have an outsourced IT department, an MSP, a managed service provider, and really the areas that it doesn't cover. In no way, in no way whatsoever, is this any type of stab at an IT company or a stab at any MSP. It's really more of a discussion to help you understand where they legitimately fit into the business and where your management needs to fit into the business, so that honestly you can be more fair with your expectations, perceptions and engagement with your outsourced IT company. And also, if you have an internal IT department, what that looks like, and I think some of the same things apply.
So we'll get into that. Before we do, please click that subscribe, click that follow wherever you're listening to us, whether it's Apple Podcasts, whether it's Spotify, whether it's YouTube. If you haven't seen us on YouTube, we have some kind of cool intro and exit videos. I think they look pretty cool, but you can always check us out there, and you can leave us comments.
Definitely, if there's anything that you're wanting to dive into that you're having trouble with on the risk, compliance or business management side, we would love to discuss it as a topic, and if you have the time, even have you on to talk about it. So with that said, let's jump into the Dirty 13, our misconceptions of what our IT department, and more specifically an outsourced MSP, is taking care of.
So I think the biggest thing that we see over and over and over again is when a company has an outsourced IT department, much more so than when they have it internally. When they have an MSP, when they have somebody managing their IT, they believe that that IT company is taking care of everything, security and compliance.
And that couldn't be further from the truth.
Now, while most MSPs are taking care of a lot of the technical controls, malware, password management, encryption, things like that, that's typically only, at best, a third of the pie. Because you typically have administrative controls, you have physical controls and technical, and at best IT is taking care of all of the technical side.
They can't fully, because of how dictates need to come down from management, and directions and policies from the top down. They can't really take care of all of that, but we'll say at best they're taking care of like 33.3333333%. So only a third of the pie. That administrative side, policies, procedures, all of that, and the physical side, how you structure the business, your continuity plans, structures, things like that, are almost never taken care of by IT. And again, that's not a stab at IT.
It's not appropriate for them to take care of those things. It's not where they fit into the business model to take care of the risk management. On the administrative side, which we just got into, the biggest thing that they don't take care of is the risk management piece.
Now, a lot of times your IT department, your outsourced IT company, will help you complete a security risk assessment. They'll help you identify the different vulnerabilities out there and perhaps, at a level, how likely they are and the level of impact they could have on the business. But they're not able to identify the business's risk appetite.
They're not able to identify those thresholds of what level of risk we will accept, what we won't, what this would really mean to us as a business if we were hit by these different vulnerabilities. Typically, all the IT company can do, if they're involved in this at all, is identify the vulnerabilities, the things that can allow a bad thing, essentially, to happen, but they can't really take it any farther than that. And that makes sense, because risk management is really an executive, top management level function. So if nothing else, that's the biggest thing that we see that a lot of companies believe their IT company is taking care of: the risk management side.
And again, they may be identifying all those technical pieces, but they're not able to put those chunks together, the pieces together, to really understand what this would mean for the business, what this would mean for operations, for the bottom line. That's just not what they're there to do. The next thing that a lot of companies think their IT company is taking care of is all of the policies and procedures.
And a lot of IT companies, a lot of MSPs, especially all of our partners, but a lot of MSPs, are getting their policies and procedures in place. They're developing a good internal structure, and that's great for when they're managing their clients: they have a structure, they've got processes in place, they've got policies in place. But those are for that IT company. That does not translate to all of the policies and procedures for the business. And in cases where you have an internal department, sometimes this is pushed to the internal department to act as the virtual, well, they wouldn't be virtual, they would actually be your CISO, chief information security officer, or CTO, chief technology officer, or CIO, chief information officer. Your internal department can act as those things and help manage and develop a lot of the policies and procedures, but it still takes involvement from management. So if you have a business and your belief is that your outsourced or internal IT is taking care of all of the policies and procedures, a real quick way to identify if this is actually the case is to ask yourself, as top management: have you, or has top management, been involved in that process? Do you understand the general structure? Do you understand the budgeting? Do you understand the risk involved and the overall general structure of your information security program? If that answer is no, it's very clear that you haven't been involved in the policies and procedures side of things.
So at best, what your IT department would have is a lot of procedures, a lot of work instructions that explain how they do things, how they execute, but you're most likely missing the top level, the global policies that are really the dictates from management. So essentially you're missing the core of your information security program. Some of the other big things that we see that a lot of companies think their IT companies are taking care of is proper data retention.
Now, the majority of IT companies that we see, the majority of internal IT departments that we see, have a good data backup structure. A very good number of them have a good data recovery process, and they're testing the backups, they're testing the restores. They're making sure that those work well.
Where there's typically the gap, however, is how long that data is retained. Is it being retained appropriately for how long the business needs to keep the data? Does the actual technical backup, the technical retention, match your policy requirements, your contractual requirements, your regulatory requirements? I said that right. Yeah.
I think it came out. Regulatory, regulatory requirements. We'll just stick to that.
And typically what happens is data backups are being retained for a few years, but not, say, the full six and a half years since last use that's required for HIPAA. Or if you have certain contract requirements or document specifications that have to be retained as long as a product's in use, and you see that a lot on the medical side of things, relating to FDA and medical devices, a lot of times you won't see those fully retained through their entirety.
Backups start falling off. So it's very important, as a business, to make sure that the IT department, the IT company, understands how long they're supposed to retain all the data. And that's identified in the policies that you're providing to them, that the business is giving to IT, that management is dictating to IT. Then IT knows how to structure that, and then you can audit to make sure it's being done correctly.
I was going to segue into this by saying it kind of relates, and I think it just relates in the way that it's something IT doesn't typically handle, but privacy requests. Privacy requests and website data cookie consent management. Definitely the people on the IT side can relate to people believing that all things computers, all things electronic, you must take care of, because you understand how to reboot a computer.
You're in IT, you know how to do this. And that's just not the case. There are very different lanes.
IT is one lane. Programming is typically another. There's sometimes overlap, or really good scripters.
Development is another. Website management, privacy management, that's a whole other space. And sometimes, especially certain outsourced IT companies, can handle these things.
Sometimes they do handle these things, but you want to make sure that's actually in the contract. But a big area that's often overlooked, because the business believes that IT is handling it, is your consent management, your privacy policies, your cookie management, all on your website. And IT believes that, well, we don't do the website.
That's the webmaster. And the webmaster believes that, well, we're just hosting this thing and making changes. We're not managing all of the privacy and your client data.
And the business believes that, well, we've got IT or this website company, they're taking care of it. And what ends up happening is we're not properly identifying all of the privacy requirements in our privacy policies. We're not notifying people of the cookies.
We're not giving them the ability to consent or to disable the cookies on our site. And we're not recording those appropriately. So, God forbid, somebody reaches out to us to say, hey, I'd like you to remove my data from your site.
Or, I would like to not be tracked while I'm on your site. A lot of companies don't have this capability. They don't have any structure of who's actually managing this, who's doing what.
And so everything falls flat. They get possible legal issues, and this can turn into regulatory violations, because they're not following, say, CCPA or GDPR or New York State privacy requirements, or any of the other myriad of them that require you to manage consent.
So that's a long-winded way of saying that your IT, your website company, is not always, I would say typically not, managing your privacy and your consent requirements, and your data privacy officer duties. That's normally not within the IT realm.
The final one that I'll close with, and there's definitely more, but the next one is audits, internal audits. Your IT company or department is typically doing a lot of penetration testing, vulnerability scans, monitoring, and many times network operations or security operations center duties.
But that doesn't mean that they're performing audits. And to be honest, they really can't audit their own work. So on the business side, the business needs to find ways, bring in external auditors, or have somebody internal to the organization but separated from IT auditing that they're doing all the things that they're supposed to be doing.
And the big things that you're going to audit are: are we doing our risk management processes, and do the controls that we have applied on the IT side match up to our risk appetite? Do we have all of our policies and procedures in place, and is IT following them? Do we have all of our backups in place, and does IT retain them as long as we're supposed to? Privacy: do we have somebody managing that, and can we actually see who's consented to cookies and who hasn't, and can we appropriately manage it? So that's another big area. The easiest way to say it is, it can't be the fox watching the hen house. So this is often something that's overlooked, and in smaller companies you can have a little bit of a pass here, because it's very difficult, especially in startups, where everybody's wearing so many hats.
It's difficult to have that real defined separation of duties, that separation of implementer and auditor. It's real hard to break that up, but as much as you can, you should have some sort of oversight to make sure that somebody is checking other people's work, that it is separated in some way. So those are the big things that we see on the IT side of things where businesses think that the IT company is handling it, but they're really not.
And even if they are, they really shouldn't be. And again, just quickly going through them: that's the risk management processes; that's policies and procedures, which at a high level cannot come from IT; data retention, which typically is not being fully managed appropriately; and all the data privacy officer duties, privacy requests, privacy management, which aren't typically fully managed on the IT side.
And finally, last but not least, there's typically not an audit program that's validating that IT is doing the things that they're supposed to do. So that is, again, for all of you IT companies out there, for our IT partners that are listening: I am not saying you are doing things wrong. This is more that the business needs to really understand the relationship so they can support you appropriately and so they can position themselves appropriately.
And for you business owners out there, this isn't saying that your IT departments, your IT outsourced companies, your MSPs aren't properly supporting you. It's that there's a spot that they fit, there's a spot that you fit, and it's very important to understand that distinction so that you can both support each other the best way possible, which can ultimately best support the business. Thank you very much for listening.
I can't wait to have you back next week. Goodbye for now.
Thanks for joining us today. Don't forget, click that subscribe button, leave us a review, and share it with your network. Remember, security and compliance aren't just about avoiding risk. They're about unlocking your business's full potential. So stay secure, stay compliant, and we'll catch you next week on Cash in the Cyber Sheets. Goodbye for now.