Episode details:

Director of IT and Security Services at One Step Secure IT, Tim Derrickson, joins host Nabil Hanan on the Agent of Influence podcast to discuss bringing more fun to the traditional fear, uncertainty, doubt (FUD) conversation. He also explores the differences between security versus IT, and the challenges ahead that face the supply chain.

Show notes: 

Can you share your perspective on the typical angle of leaning into fear, uncertainty, and doubt (FUD)? 

Working in cybersecurity can be a paradox at times. Security specialists are initially hired to address specific concerns, create a secure environment, and eliminate fear. However, once the job is done, clients may question the need for ongoing services. To address this, we need to make cybersecurity engaging and enjoyable. Tim proposes the acronym “FUN” to guide this new approach: facts, understanding, nurturing.

To some degree, cybersecurity will always need some level of FUD to demonstrate its gravity, but this can be done by leaning into the facts portion of FUN. Delivering truthful information about the cyber threat landscape, fostering understanding of security measures, and nurturing a collaborative partnership are all positive ways to approach cybersecurity without fear mongering.

“The facts are it is scary out there. The two scariest parts of my day are walking out the door at night when I’m done and walking back in the door in the morning to come to work, because I don’t know what I’m walking into, and I don’t know what I’m leaving behind. The facts will tell you cybersecurity is important.” 

How do people today delineate between security and IT? And what do you think is the right approach in shifting that thinking going forward?

The most important aspect of information technology is to make sure data flows — to make sure data gets from the server to the end user. This is what allows end users to perform their jobs efficiently, and if employees hit blockers, they’re sure to be vocal about it. The distinction comes with compliance required for security. The goal of IT is to get from point A to point B quickly. Security adds a layer of compliance, so their goal is to get from point A to point B safely.

“IT makes sure the data gets there any way possible. Security means we’re going to make it secure. We’re going to make sure it’s encrypted, we’re going to make sure that it’s encrypted at rest, in transit and in use… We’re going to make sure of all these different things to keep the environment safe.”

From a supply chain perspective, are there certain trends you’re foreseeing or you’re expecting to see coming our way?

Everyone is looking at the supply chain because it has blindsided some companies from a security perspective. Identity has become important because if you can protect identity, you can protect everything you log in to. The question becomes, what security steps are enough? More proactivity could come into play by verifying the security of vendors before starting to work with them. This is a typical practice in cybersecurity insurance where providers will be sure companies have security in place to prevent data breaches, but it’s less common for vendor self-assessment.

“As users of products, we now have to stay on top of our vendors to make sure they’re doing what they need to do to keep safe.”

What is the maturity of clients in understanding how to apply pentesting, and what’s their approach to determining when it should happen? 

Compliance requires at least quarterly scans, but vulnerability scans only cover publicly disclosed vulnerabilities. Pentesting provides greater insight because it goes beyond CVEs and into areas that show true weakness. Pentesting often gets grouped into vulnerability tests, and it’s similar, but it’s not the exact same. Once teams understand truly what the purpose of a pentest is and all the work that goes into it, most businesses realize that it’s worth the cost.

“For me, it’s actually extra peace of mind to know that there’s someone else out there who’s looking at our environment — to know that someone’s really looking into it and trying to do the same thing I do to break into their environment, and show them where the hole is.”

Companies today are running a lot of the same technology stack to protect their environments. What are some factors that make an MSP stand out against their peers?

Being a good partner is what sets MSPs apart in cybersecurity. While many companies use similar security measures like firewalls and MDRs, the key lies in understanding the actual risks, staying informed with threat intelligence, and ensuring a truly secure environment. A stellar partnership between the cybersecurity provider and the client is paramount. Transparent and comprehensive communication plays a vital role in implementing effective security measures. 

“It definitely goes back to partnership and making sure your player understands what’s going on, and why you’re doing what you’re doing.” 

After initially serving as vCISO at One Step Secure IT, Tim was recently promoted to Director of IT and Security Services. He was always destined for security after working in a range of roles including systems engineering for healthcare and starting his own computer businesses, which are still running today. As part of his responsibilities, he vetted several security solutions and then pursued certification for CISSP.