A Dangerous Disconnect: Why Separating IT and Cybersecurity Makes Financial Services a Target

By Travis DeForge, Director of Offensive Cybersecurity, Abacus Group 

Across the financial services sector, the belief that managed service providers (MSPs) and managed security services providers (MSSPs) should be separated remains a common but misguided logic. Firms might believe that they benefit from working with specialists in particular areas, or that IT and cybersecurity functions must be separate to avoid conflicts of interest, but neither claim stands up to serious scrutiny. In reality, splitting them creates greater complexity, delayed responses, and leaves dangerous gaps in an organization’s security posture.  

As explained in our previous blog, there is no regulation in place today that states financial services firms must have separate IT and cybersecurity providers. It is a manufactured perception, not one that has arisen from a genuine security need. The truth is, while regulators frequently demand robust cybersecurity hygiene, none have mandated third-party independence as a compliance requirement.

Rising Risk of the Multi-Provider Model

Beyond the regulatory argument, firms that have opted for a multi-provider approach to IT and cybersecurity are in fact increasing the threats they face. The more partners and external entities that have access to a firm’s data, the greater the points of vulnerability for the firm and the greater the loss of visibility they will have over their cyber environment. These issues are particularly significant given that financial services firms often engage with as many as six or seven providers, and it takes just one point of failure for the impact to spiral through the chain.

There is also a wide range of risks to be considered if the primary MSP does not directly integrate with the cyber strategy or environment. The lack of visibility and therefore collaboration that results can lead to delays in incident response, as separate providers will have more difficulty coordinating resources seamlessly. More broadly, aligning multiple providers on security strategies on which they all agree can prove complex.  

With the multi-provider model, vendor rotation is often high, as firms frequently seek to ‘freshen up’ their cyber approach and replace partners before they have had a chance to build up expertise. Even when they are retained for an extended period, independent third-party cybersecurity vendors may t lack the necessary contextual insight or day-to-day familiarity with a firm’s systems and processes that a unified provider would bring.  This can also prevent vendors from building in-depth knowledge and understanding of their clients’ estate, therefore impacting the level of service they can deliver.

Why A Unified Approach Works

Ultimately, financial services firms require real-time coordination between IT and security to ensure they remain safe and secure, and separating the two functions significantly undermines this. 

Opting for a combined MSP and MSSP is the best way for firms to achieve an enhanced cybersecurity approach. With the number of threats escalating and attacks launched by cyber-criminals becoming increasingly sophisticated, firms need to rapidly evolve their own cybersecurity approaches to keep pace. 

A single provider with experience and expertise in both spheres is best equipped to tackle these challenges. Their in-depth familiarity with each client’s IT and security landscape allows them both to pinpoint threats rapidly and apply the necessary level of expertise to neutralize them. 

To find out more about the unified provider model and how Abacus Group’s specialist MSP and MSSP services can help your business achieve enhanced operational efficiency and more robust cybersecurity, download our new eBook.