Fresh Thoughts #76: How a Service Provider's Claims Made Me Go on a Diet


This week some food for thought.

How a Service Provider's Claims Made Me Go on a Diet

One of our customers is changing their managed service provider.
From my first conversation with the old service provider, something felt wrong.
What they claimed didn't make sense.

The last claim I heard from them came during a recent security audit.
"Because we have ISO-27001, that, by implication, means you have multi-factor authentication enabled on all your accounts."

I am sure the service provider's ISO-27001 certification, completed two years before they signed this customer, does not cover the customer's configuration.
An ISO-27001 certificate covers the certified organisation's own management system, and only within the scope written on the certificate.
The way a service provider operates and the way its customers operate are entirely different.
The configurations are different.
The scopes are different.
The check is simple: ask to see the scope statement on the certificate, then look at MFA enforcement in the customer's own tenant, account by account, rather than taking the certificate as proof.

I've talked previously about why defining a scope is so important. Unsurprisingly, it is the first step of any certification.
What's included?
What's not?

While explaining this to our customer, I searched for an analogy.

It's like having a personal trainer...
Just because a personal trainer has a healthy lifestyle with lots of exercise doesn't mean the client has the same level of health and fitness.
They are two different people.
With two different scopes.

Personal training and security are about doing.
Not about talking, and not about what could be done.
It's reassuring that the service provider has done the necessary work.
But it's meaningless unless that work has also been done in the client's business.
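Here is what "doing" looks like for the MFA claim above, as an added example that is not code from the original post or from Fresh Security: instead of accepting a certificate as evidence, export the customer's account list and check enforcement for every account. The CSV layout, the role names and the accounts are constructed for this example; real exports (Entra ID, Google Workspace, Okta and so on) use their own column names, so map them before running this.

```python
# Added example, not part of the original post. Audits a constructed account
# export for MFA enforcement. The bar is 100%: the claim was "all accounts".
import csv
import io

# Assumed role names for this example; substitute the names your platform uses.
PRIVILEGED_ROLES = {"global administrator", "exchange administrator", "owner"}

# Constructed sample export. Column names are assumptions, not a vendor format.
SAMPLE_EXPORT = """\
user,role,mfa_enforced,last_sign_in
alice@example.com,Global Administrator,true,2023-07-20
bob@example.com,User,false,2023-07-21
svc-backup@example.com,Exchange Administrator,false,2023-07-18
carol@example.com,User,true,2023-07-24
dave@example.com,User,,2023-06-30
"""


def parse_export(text):
    """Parse the CSV export into row dicts, normalising mfa_enforced to a bool.

    Only an explicit 'true' counts as enforced: a blank or unknown value is a
    finding, not a pass, because "we don't know" is not the same as "done".
    """
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["mfa_enforced"] = row["mfa_enforced"].strip().lower() == "true"
        rows.append(row)
    return rows


def audit_mfa(rows):
    """Return coverage figures plus the accounts that fail, privileged ones first."""
    missing = [r for r in rows if not r["mfa_enforced"]]
    privileged_missing = [r["user"] for r in missing
                          if r["role"].strip().lower() in PRIVILEGED_ROLES]
    other_missing = [r["user"] for r in missing
                     if r["role"].strip().lower() not in PRIVILEGED_ROLES]
    total = len(rows)
    covered = total - len(missing)
    return {
        "total": total,
        "covered": covered,
        "coverage_pct": round(100.0 * covered / total, 1) if total else 0.0,
        "privileged_missing": privileged_missing,
        "other_missing": other_missing,
        "passed": not missing,  # anything short of every account is a fail
    }


if __name__ == "__main__":
    result = audit_mfa(parse_export(SAMPLE_EXPORT))
    print(f"MFA enforced on {result['covered']}/{result['total']} accounts "
          f"({result['coverage_pct']}%)")
    for user in result["privileged_missing"]:
        print(f"  PRIVILEGED account without MFA: {user}")
    for user in result["other_missing"]:
        print(f"  account without MFA: {user}")
    # Non-zero exit so the check can sit in a scheduled job and fail loudly.
    raise SystemExit(0 if result["passed"] else 1)
```

Run against a real export, the privileged list is the one to act on first; a service account holding an admin role with no MFA is exactly the kind of gap a certificate on the provider's wall says nothing about.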


You'll know I'm fat if you've met me in person.
High-functioning fat.
My physique doesn't prevent me from doing day-to-day things.
If you need 100m of new fence installed by hand - I can do that.
Walk for miles, go swimming - yes and yes.
Notwithstanding - I am in the worst shape ever.

This made me look at how we work with new customers.
Their IT works.
Surely it's fine...
...but they have more security holes than a sieve.

Both of us know what we need to do.
We both know the benefits.
We may even talk about doing it...
But it's the action that counts.
Doing - not talking.

So if Fresh Security continues to ask our customers to make changes - to become more secure...
Why aren't I prepared to make changes and lose weight?

Damn it...

I started a little over a week ago.
Starting weight: 133.1 kg (293 lbs)
Weight loss so far: 2.5 kg (-1.9%)

Here's to doing.
And incremental improvement.

Oh... and the service provider had not configured MFA.

July 25, 2023

Fresh Sec Limited