NeuEon Insights / Cybersecurity & Risk Management, Leadership & Team Management

Top 5 Security Truths Every CIO Should Know - Part 2

By Candy Alexander, CISSP, CISM, NeuEon Cyber Risk Leadership Practice Lead & CISO

In Part 1 of our Top 5 Security Truths Every CIO Should Know series, NeuEon’s Cyber Risk Leadership Practice Lead, Candy Alexander, revealed the unconventional truths behind security blame, staffing, and budgeting. Here, in the second installment of our three-part series, we pick up on the third security truth. CIOs will get an in-depth look at the intricate relationship between CIO and service providers. 

Three million. That’s the number we recounted in the first post of this blog series. Globally, it’s the amount of open cybersecurity positions because of the staffing shortage crisis. While we used it before to frame the importance of finding and keeping the right security staff, what if your security team still isn’t robust enough? Or worse, what if your positions are among the three million which remain open?

This reality has shaped the modern model for IT and security. Now, security operations usually involves functions performed by a provider like an MSP or MDR (penetration tests, risk/compliance assessments, and augmenting staff functions). But, much like finding your own in-house candidate, not all providers are created equal.

As an unfortunate response of the talent shortage, there are many organizations claiming to be “security experts” to fill the void, and their pockets. How do CIOs discern which experts and partners to trust? We have your answer. 

3. Engaging Service and Solution Providers You Trust

How do I get beyond the sales hype?

Attend any service and solution providers’ pitch and enjoy playing your very own game of buzzword bingo. We say that in jest, of course. The sales hype can be dizzying, with everyone staking the same claims and promises. While some measure up, choosing the wrong provider could put your organization among the 59% of companies that have experienced a third-party breach.

As trusted partners, and to provide value to the businesses they work with, service and solution providers have access to at least some important systems and data. This interconnectedness, if not properly managed by both parties, translates to providers becoming an overlooked or often unintentional accomplice in criminal activities.

As reported through the US-CERT, MSPs are a prime target for malicious actors, knowing that most MSPs have privileged access to their customer’s environments. Keep in mind, many smaller/local MSPs have not adopted a formalized process for applying security safeguards, rather, they opt to use their customer’s security processes instead. This leads to you assuming they are practicing standard safeguards, and the MSPs assume that you have defined your requirements for security. This overabundance of assumptions without due diligence exposes organizations to tremendous risk.

To mitigate this risk, CIOs need to go beyond the sales pitch, include security requirements/expectations into contracts, and vet all providers (references, years in business, certifications, peer referrals, etc.). Doing so will not only ensure that you choose providers that prioritize their own security, but ones that are true experts and will deliver.

To ensure you are engaging service and solution providers you can trust, follow these guidelines:

  • Do a thorough review when selecting providers. Start off with a search for reviews and press coverage, vet references, and check that certifications are current.
  • Don’t forget to revisit contracts on a bi-quarterly basis. This will ensure you’ve articulated your expectations for their role in protecting the environment. And, that providers demonstrate their fulfillment of expectations through reports and metrics
  • Don’t get stuck with a provider that isn’t best suited for your organization because of auto-renewing contracts. Be sure to give yourself lead time to review successes and failures of the relationship and explore other options if necessary.

More to Come: Regulatory Requirements & Prioritizing

We’re more than halfway through the five things every CIO should know about security. In our third and final blog of the series, we’ll cover more about regulatory requirements and how proper prioritization can lead to happier CIOs.

To get a full view of this entire blog series download the infographic here