IT services firms shoulder undue amount of security risk
A steady stream of major security breaches hasn't persuaded businesses to change their ways. IT services firms, meanwhile, continue to assume an inordinate amount of risk.
Dave Sobel is host of the podcast The Business of Tech and co-host of the podcast Killing IT. In addition, he wrote Virtualization: Defined. Sobel is regarded as a leading expert in the delivery of technology services, with broad experience in both technology and business.
In this video, Sobel asserts that the bulk of security risks are placed on IT services providers. It's a trend that firms must push back on, he says -- namely by requiring vendor partners to put more skin in the game.
Transcript follows below.
Dave Sobel: 'Insanity is doing the same thing over and over again and expecting different results.' This often misattributed quote is on my mind a lot of late, not because I'm trying to figure out its origin -- it's not Einstein -- but because I have been thinking about what to do differently to address security for small and midsized clients.
It's not news that there are breaches or that there is a problem. I've been covering it so much I feel like listeners must be just tired of hearing about incident after incident. It's not news that things are broken. So, how do we change things?
It's clear that the incentive system here is entirely broken. Humans generally behave along the paths where their best interests align. It's why the initial idea of managed services is appealing: As you align the customer's desire for uptime with a provider's incentive, [you] reward uptime with profitability.
In security, it's clear that's not working. For a long time, the incentive was that there would be reputational damage for a breach. But that's not proving to be true.
A lack of consequences and responsibility
Let's take some really big ones, and look at their long-term impact.
Target is a story we talk about all the time in terms of breaches. But, if you look at their stock as a measurement of the value of the organization, well, there you go.
Equifax is another one. Huge breach, right? We constantly talk about it. It's not even a beloved company. Take a look at their stock price.
How about Marriott? Remember that breach? Now, tell me on the stock tracker where that breach happened. You can't even tell. They were not penalized -- at all.
Now, a big recent one: SolarWinds. A massive supply chain breach. It allowed a foreign adversary into major U.S. government agencies. It likely cost the taxpayer millions of dollars.
Here is the former CEO of SolarWinds, Kevin Thompson, when asked in congressional hearings about the SolarWinds update server that was secured with the password, "[solarwinds123]."
[Clip from C-SPAN coverage of House hearing]
Rep. Rashida Tlaib: So, Mr. Thompson, is it true -- and this is something when the committee told me, I was kind of in disbelief -- if all that was going on, then why in 2019, it was said that you could easily access your server by simply using the password 'solarwinds123?'
Kevin Thompson: So, that related to a mistake that an intern made, and they violated our password policies, and they posted that password on their own private GitHub account. As soon as it was identified and brought to the attention of my security team, they took that down.
So, you heard it yourself. That does not sound like someone who takes any personal responsibility for security.
The new SolarWinds CEO said the following at RSA just recently: 'What happened at the congressional hearing where we attributed this to an intern was not appropriate and is not what we're about.'
But the board at SolarWinds doesn't think the breach was a big deal and made sure to pay their executives. CRN reported it. Quoting that article: "All six named executive officers [are] reaping stock awards above $5 million despite the company's stock price falling by nearly 20% last year."
As any manager knows, incentives matter. Thompson's tenure was rewarded. You can say it's not what you're about, but without consequences, it is what you are about. Actions speak louder than words, after all.
Despite all of this, you can't tell me that the stock won't recover. Disclosure: I'm a shareholder. I'm riding it out because I know they won't pay long term.
So, let's say it. The reputational damage? It's just not there. It's what vendors tell you to say to try and sell their security products.
Transference of risk to IT services firms
Security is risk management. The risk comes from managing the systems and the ongoing enforcement of policies. The software vendors aren't taking the risk here, and more importantly, they know where the risk is.
I recently covered the work of the Ransomware Task Force, an initiative from the Institute for Security and Technology, who put forth a shared framework for action.
Action 3.3.3 is particularly relevant to providers: 'Require managed service providers to adopt and provide baseline security measures.'
In detail, the program 'could include' [quoting Action 3.3.3 guidelines]:
- Adherence with a cyber-hygiene program (for example, CIS Controls Implementation Group [1] and the NIST Cybersecurity Framework;
- Mandatory disclosure across the MSP's customer base if there is a ransomware incident involving the MSP's service offering; and
- Forming an MSP-ISAC, an information sharing and analysis center specific to this industry.
The MSP industry in small business is specifically dinged: 'MSPs do not commonly provide extensive security coverage or ransomware mitigations.'
Wondering how they know this? Datto's own CISO [chief information security officer], Ryan Weeks, contributed to the framework as one of more than 60 experts. And he's 100% right! I don't object to him completely calling out his own customer base for not solving the problem. I agree with him.
But you know what? That's easy for a vendor to do because, when the breach comes, Datto isn't paying up. They have no skin in that game. Oh, sure, they might lose a customer or two. But they aren't taking the risk, nor paying the damage.
Ryan's comments entirely place the responsibility for delivering security coverage on MSPs, while Datto itself takes no actual liability for the delivery of those solutions.
Now, this is not a vendor-bashing session. This is a cynical and intentionally harsh view of the outcomes and motivations of the space. This lens helps ensure we are looking for the risks posed in the status quo. Why? Risk transference. This isn't their fault. Why? IT services companies accept this risk transference. You sign up, you buy the dream and they dump all the liability on you. And you take it.
Don't hate the player. Hate the game.
The game is designed to have the risk transferred to the services organizations.
Here's the difference between most IT services companies and these companies that I've described. They are way bigger than you are, with much easier access to capital and far deeper pockets.
Big companies can absorb the payout. Back to Target, back to Equifax, even SolarWinds -- their damages are less than what they compensated their execs in bonuses. They cite $21 million for cleanup.
Now, even when we scale down the ransoms to the sizes of the businesses, you're not necessarily going to go out of business because of a ransomware incident. The problem is that you have assumed the risk, and your margin for error and your cash on hand are just not the same proportions.
There's a very big difference between an SMB paying a ransom of $50,000 and a billion-dollar company paying out several million. The first company may not make payroll. The second will have to leverage their financing to ride out the storm.
Insurance doesn't solve the problem
Now, here's the second set of forces to contend with: Insurance is not the answer. Remember, they are [not] in the business purely of mitigating your risk. They are in the business of mitigating theirs.
[Quoting from 'Cyber Insurance Firms Start Tapping Out as Ransomware Continues to Rise,' an article published on Dark Reading]
Cyber insurance continues to be a popular way to mitigate risk. In the United States, direct cyber insurance premiums increased by 22% in 2020, reaching almost $3 billion, according to credit-rating firm Fitch Ratings. Yet profits for cyber insurance are narrowing as well, with the direct loss ratio -- the fraction of policy revenues paid out for claims -- for standalone policies rising to 73%, the firm stated.
I also recently reported on insurance company Swiss Re's CEO, whose comments offered that he is 'not too surprised at all' about the attacks. He went on to note that the private insurance market is simply not large enough to offer full cyber protection to all the vulnerable organizations.
The insurance companies alone can't handle this payout structure. IT services companies will continue to see premiums go up, and I suspect coverage go down. Insurance companies will assume less risk, meaning more risk will transfer back to the IT provider unless something changes.
So, [here is] the situation: You're a small IT services company facing an army of well-financed criminals. You don't have the funds to take on the risk, and yet you want to deliver services. And security isn't optional. You can't rely on the insurance coverage, either, because, ultimately, you are the one taking the risk. Your customers are demanding it, paying for it, and you put it in your contracts.
Vendors should take more responsibility
So, what to do?
Remember, you're in the risk mitigation game. Security is all about risk mitigation.
So, find vendor partners that will share the risk.
Let me give you an example. Did you know SentinelOne has a warranty? Now, don't get me wrong: [There are] lots of T&Cs [terms and conditions] to this one, and I'm not sure it offers a giant big green check mark that says you're always covered or makes sure the user knows their coverage is good. But this is a great type of offering.
I'm not endorsing the technical product. I'm saying I like this approach and want to see more vendors that sell security products put their money where their mouth is. This is certainly a huge step in the right direction. Just like UPS [uninterruptible power supply] vendors will cover damages if your equipment burns out when protected by their power units, security vendors could share the risk.
If a vendor is selling you a security product, it needs to come with some risk assumption of its own. If they're so confident it will work, they have the resources to share your risk. Make them. You don't get what you don't ask for.
Like SentinelOne, there are ways the product will directly bring a liability shield or insurance coverage. If a vendor is selling you security, they should be backing it up. They make a ton of promises. It should come with coverage.
Vendors, a point for you: Here's your big opportunity, with your deep pockets and your product development capabilities. When you put statements such as 'You are safe' in your product, if you aren't actually backing that up with financial protection, is a customer really safe?
Now, if a vendor won't commit at this level, they should have some actual skin in the game internally. Ask them how their team is compensated and if their executives have compensation tied to security -- specifically, their own breaches and not just the security officer.
You should be asking the company how their incentive is tied to yours. Ask that question of the executive team. If they aren't tied to their own software being secure, in a world of zero-trust security architectures, you should consider them compromised and know they aren't there to help you.
It is easy for vendors to ignore me. They don't need me to sell products. But they need you. They need IT services companies to put their time and energy into assuming some risk for the clients they want to sell their security product to.
One of my most popular videos I've ever done was 'If I was starting an MSP today.' Let me tell you this: If I was starting an MSP today, there is no way I'd be taking this risk on myself. Absolutely not. This is an extinction event [and can] ruin your financial life in the same way that a catastrophic medical event can ruin you in the U.S. without proper insurance because the amounts really matter despite their small absolute size. In a small company, the margin for error is just too low, and I can't absorb not paying my people or the damages I'd be incurring even at the smaller numbers.
I'd want those vendors, with their giant piles of cash, to be committing resources to backing up their products with commitments. And, if they weren't doing that, well, they aren't really my partner, are they?
If you, the IT services company, keep taking on the risk, squeezed between the criminals and the vendors who have no skin in the game and the insurance companies looking to pay less and less, who do you think is going to be writing that large check?
About the author
Dave Sobel is host of the podcast The Business of Tech, co-host of the podcast Killing IT and authored the book Virtualization: Defined. Sobel is regarded as a leading expert in the delivery of technology services, with broad experience in both technology and business. He owned and operated an IT solution provider and MSP for more than a decade and has worked for vendors such as Level Platforms, GFI, LOGICnow and SolarWinds, leading community, event, marketing and product strategies, as well as M&A activities. Sobel has received multiple industry recognitions, including CRN Channel Chief, CRN UK A-List, Channel Futures Circle of Excellence winner, Channel Pro's 20/20 Visionaries and MSPmentor 250.
