Is your IT provider your greatest IT risk? After all, they have the digital “keys to the kingdom” and hold responsibility for your infrastructure and cybersecurity. You likely have asked how your IT provider is protecting your business, but have you wondered how they protect their own? It comes down to three primary buckets: product, people, and process.
On the eve of yet another compromised IT tool, how much hope can you put into an IT provider protecting you when they and their supply chain are a primary target? With frequent security compromises in the IT industry itself, you are right to wonder what to do about this ongoing problem. Unfortunately, the answer is not simple.
It starts with discussing with your IT provider how they are addressing this problem, not only from a tools perspective but also holistically. It is far more nuanced than picking a “better” tool. It is a living problem, one that changes from day to day. Therefore, IT providers must attack this problem anew each day through continual improvement.
Continuous improvement does not allow picking a tool, sticking with it, doing the same processes, and onboarding new techs in the same old manner. Instead, IT providers need to rethink how they can adopt new methods, change how they do things, and reevaluate their people, tools, and processes. This includes allowing input from outside experts in compliance and change management.
Best-of-breed IT providers understand they must continuously review their products, their people, and their service delivery methods. They must divert time and resources toward exploring new tools, processes, and training while ensuring consistency in the customer experience. At the same time, pillars of IT like backups and patching cannot be neglected and must continue with urgency, accuracy, and accountability. And IT providers must do this even though many customers neither appreciate nor sufficiently value the effort diverted to these activities.
Critical Questions for a Secure IT Ecosystem
Security involves an ecosystem of partners who take the security of their code and their supply chain seriously with the help of outside auditors and accountability.
OK, so what does this mean to you? How does this help you? Here is a set of questions to ask your IT provider, all of which they should be comfortable answering.
- How much of the technology stack comes from a single vendor versus an ecosystem of partners? For example, does your IT provider have all their security eggs in one vendor basket?
- How often does a Red Team test the IT provider’s technology stack?
- How often is your IT provider validating their own backups and disaster recovery? Not just validating that a backup job is complete, but standing up a test environment in a recovery scenario?
- Does the IT provider leverage outside auditors that test the IT controls to protect your data and validate the application of those controls through randomized sampling?
- Have your IT provider describe their security architecture and the frequency of changes actively being made toward continuous improvement, not just for their customers but also for their own security posture.
While the goal of being fully secure is desirable, the reality is that the landscape is constantly changing. As a result, your IT provider needs to continue investing, growing, changing, improving, and adapting as new information comes to light, and to do so with minimal impact on your business.
IT Security that Evolves
F12 has spent years working on our next offering, solution, platform, whatever you want to call it. We needed to dismantle the old way of thinking and develop an approach that would not be timestamped and cast in stone. We concluded that we must provide IT that evolves with the threat landscape. We can’t sell a firewall or security product and then wait out a three- or four-year lifecycle. Nor can we “upsell” security constantly. This old model is not working. Security needs to be “built-in,” and it needs to evolve across our clients simultaneously.
We invite you to learn how we tackle this challenge with F12 Infinite – not a point solution but a living organism that changes as the risk landscape changes, solving for the immediate and poised to withstand the test of time.