Regular rotation as a means of risk reduction is not a new topic, as we already apply it with audit rotations, leadership rotations and password rotations. So why are companies not rotating their cyber security services provider?
With the ever-evolving cyber security threat landscape, it is of paramount importance that companies get fresh perspectives and insights on the cyber security threats their business faces and on the opportunities to minimise their risk exposure.
Cyber security is a complex issue for many organisations to tackle, with so many varying approaches, technologies and service providers guiding businesses in one direction or another. For this reason, businesses are often left confused and overwhelmed, and many are unsure whether or not their efforts are resulting in measurable risk reduction.
It is important to understand that cyber security is not a destination and, more often than not, requires an applied focus on continuous improvement, because attack approaches and defensive techniques change regularly. For this reason, companies are encouraged to adopt a resilience mindset, with the ability to respond to cyber attacks, rather than focusing entirely on preventative controls.
In a joint and collaborative effort to combat these cyber threats, companies have partnered with cyber security service providers to assist in their efforts by performing regular security assessments, recommending technologies and advising them on current and emerging threats.
Although these relationships are key to demystifying the risks and navigating the complexity of robust cyber security, it is strongly recommended that companies don't solely rely on the opinions and recommendations of a single service provider for an extended period of time.
Nathan Desfontaines, MD at CyberSec, says: "The absence of a mandatory cyber security service provider rotation has left companies unknowingly exposed to cyber risk. We encourage our clients to utilise the services of another cyber security services provider between our assessments – not because we don't believe they may identify further risk, but rather to ensure an additional perspective is considered."
Although this thinking may challenge currently accepted business practice, businesses are better off for it.
Like with any existing form of rotation within businesses, you may decide to re-engage and utilise the services of a previous service provider and that is perfectly acceptable, as the objective is rotation, not replacement.
This systemic risk may have surfaced as a result of businesses either placing too much reliance on a single cyber security service provider or fearing to offend the existing service provider by opting to rotate. However, as this concept is not intended to question the competence of the existing service provider, but rather to diversify risk, it should be encouraged rather than avoided.
Desfontaines further stated: "CyberSec has assessed many businesses' cyber security risk exposures as a new service provider to the business and identified seriously concerning points of exposure and compromise. This is often as a result of a 'fresh perspective' rather than a question of competence on the part of the previous incumbent. It would therefore be unwise for a business to solely rely on a single cyber security services provider for an extended period of time as it's crucial the 'checker' is also 'checked' regularly."
It is in the organisations' best interests to periodically obtain alternating views of their risk landscape and exposure – not because of a lack of trust in the current service provider, but rather because it is good business practice to never place all your eggs in one basket.
CyberSec
CyberSec is a specialist advisory and solutions company made up of cyber security subject matter experts that assists organisations in identifying and minimising their cyber security risk. Its approach is built on:
- A business-enabling, enterprise-wide information security competency based on…
- Controls that are “baked into” every service offering, enabling the business to…
- Reduce organisational exposure to security threats and vulnerabilities and ensure…
- Compliance with applicable legal and regulatory requirements as well as…
- International best practice security standards, aimed at producing…
- Effective, independently validated controls delivered through…
- Fit-for-purpose and cost-effective security initiatives, that promote…
- Business ownership and stakeholder buy-in, creating confidence in…
- The ability to effectively respond to security incidents, ultimately leading to…
- Exceptional customer trust, and…
- Improved overall IT governance
Web: www.cybersec.co.za