Over the past twelve months, I’ve been working quite closely with a cyber security consultant (Corch from Shogun Cybersecurity), which has fundamentally changed how I think about IT and cyber security in an organisational context. I’ve always been fascinated by the topic of Cybersecurity, and over the last 10 or so years I have absorbed every piece of information I can find.
Recently Corch wrote an article on his blog about his experience providing best in class cyber security services with small businesses clients. His conclusion was that it’s your IT provider who us the root of your cyber security problems, and his article makes really valid points.
But let’s step back for a minute and look at the environment which led to the reality that Corch so vividly described. What are the conditions that led to so many of the small business I meet having shameful cybersecurity?
I think it boils down to four areas;
- IT seen as the same as Cyber Security
- A focus on technology, not business risk
- Skills gap, both from IT and leadership
- A culture of overconfidence
I’ll do my best to describe the differences here.
Cyber ≠ IT
The biggest misconception in cyber security today is that cyber security and IT are the exactly the same thing. Now from the outside, it’s an easy mistake to make. Cyber security relies on IT and spends most of their time working with IT to keep the organisation safe, but the purpose of each is very different.To summarise;
- IT is about helping people get their work done. Great IT brings orders of magnitude higher levels of organisational productivity.
- Cyber Security is about protecting assets. Put bluntly, Cyber Security’s job is to protect the business from IT and it’s users,
I was speaking to someone who said their in house cyber security person’s direct report was the IT manager. I then asked, does your WHS (OSH) manager report to the production manager? No? They report to a risk manager or the CEO? Why? Because the production manager primary role is to increase production, while following the WHS rules set out by the organisation.
What is the point of a WHS manager (or cyber security professional) if their path to the CEO is through the very person who looks bad if serious concerns are raised. Maybe the production manager has a different mindset about risk vs productivity? Do you think this might also be a reason IT providers are not providing you with appropriate data on your cyber risks to?
Technology, not risk
The way Corch and my industry peers talk about cyber security is very different. The thing that stands out most to me is that instead of talking about a list of products and technology controls, Corch speaks broadly about risk. Don’t get me wrong here, Corch is one of the most technically capable people I know, but rather than spending a lot of time evaluating a lot of vendor products, he instead invests the time and energy in establishing the organisational cybersecurity needs.
In contrast, if I have another conversation with an IT provider about what the best antivirus is, or that Dropbox isn’t secure because Microsoft doesn’t own it, I’m probably going to go postal. For most IT providers, security is really “what percentage of my customers buy the correct security stuff from me” rather than any real focus on the people and process part of cyber security. If you need any real evidence of this, just have a look at the unbelievably low adoption of controls like MFA and unique passwords and you can see why 24% of ransomware incidents are caused by an IT provider or vendor (Beazley, 2019).
Character limit hit – read more here
IT Consultant - Uptake Digital
Brenton Johnson is the founder of Uptake Digital, a company specialising in cloud and security in small and midmarket organisations.
Brenton is known for his innovative and strategic approach to IT which enables businesses to do more with less. Brenton is also a co-host on the ‘Need to Know” podcast which offers news and analysis for IT professionals.
In 2015, Brenton earned the Microsoft Silver Competency placing Uptake Digital within the top 5% of Microsoft Partners worldwide for cloud solutions.
When Brenton isn’t working, he is listening to podcasts and spending time with friends and family.