My IT is outsourced – I don’t worry about security

Recently I had a discussion with an executive, and he said he had outsourced his IT functions, so he didn't have to worry about it anymore. Is that right? So I searched for a theoretical talk…


Black Hat 2014 had several talks about cyberspace security. Jason Healey discussed how to save cyberspace.


SEP = Someone Else's Problem.

Jason discusses general cyber security theory and its complexity, including what a "Lehman moment" looks like in the digital age. Lehman showed that a 100-year-old company can fail; the digital equivalent would be a normally dependable cloud company failing a few years from now. What happens then to everyone who depends on it?

Unfortunately the bad guys are winning: they can get into any system or network they want, and they have been able to for 35 years (since 1979).


Of course, on the flip side, general security has been getting better.



But the criminals have been winning and seem to be getting better, and there does not seem to be a way for us to stop them.

In fact the problem is that the attack tools criminals use and create outstrip our ability to defend.


Will the White House Chip and PIN initiative help? Or will the bad guys just figure out how to hack the system and get around chip and PIN? Chip and PIN raises the cost of cloning a card at the point of sale, but it does nothing against card-not-present fraud or a compromised back end.

The screenshot vignettes are from the Black Hat YouTube video below.

In my opinion the only way for us to "beat" the attackers is a constant defense mentality, and we can only sustain that with a methodology of testing and reviewing.


Review your security policy so it helps your employees deal with the day something happens. There should be no question about what to do: give employees somewhere to look up the answer rather than letting them "figure it out", because when an employee has to work it out alone the answer is not always the right one.

Testing your network and servers is paramount, because if there is no test, no one is held accountable.

How do you know whether your outsourced IT department is doing the job?

Will they act like the Target IT department? The information was there in the mountains of data: there was an alarm for the criminals' malware, and if the IT department had checked and cleaned up on that alarm it would have fixed the problem. Then 40 million credit card numbers would not have been stolen, and the Target hack would not be part of our lexicon.
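One concrete way to answer "is the outsourcer doing the job" is to audit the alerts they are paid to watch: did a human acknowledge each one inside an agreed time, was it closed inside an agreed time, and was it closed with written evidence rather than a one-word "false positive"? The script below is an added example for this post, not code from the talk or from any vendor. The ticket export format, the SLA minutes, the "empty disposition" list and every sample record are constructed assumptions; a real MSSP export will differ, but the checks translate directly.

```python
"""Audit whether an outsourced SOC / IT provider actually works its alerts.

Added example for this post, not code from the talk or from any vendor.
The export format, the SLA minutes and every sample record below are
constructed assumptions; an MSSP's real ticket export will differ.
"""
import json
from datetime import datetime, timedelta, timezone

# Assumed SLA (minutes after an alert fires): time to human acknowledgement
# and time to closure with a written disposition, by severity.
ACK_SLA_MIN = {"critical": 15, "high": 60, "medium": 240, "low": 1440}
CLOSE_SLA_MIN = {"critical": 240, "high": 480, "medium": 1440, "low": 4320}

# Constructed sample export (one JSON object per line). Timestamps are UTC.
SAMPLE_EXPORT = """\
{"id": "A-1001", "severity": "critical", "detector": "malware.beacon", "fired": "2014-11-30T02:10:00Z", "acked": null, "closed": null, "note": ""}
{"id": "A-1002", "severity": "critical", "detector": "malware.beacon", "fired": "2014-11-30T02:12:00Z", "acked": "2014-11-30T02:20:00Z", "closed": "2014-11-30T02:25:00Z", "note": "false positive"}
{"id": "A-1003", "severity": "high", "detector": "pos.memory.scrape", "fired": "2014-12-01T09:00:00Z", "acked": "2014-12-01T09:30:00Z", "closed": null, "note": ""}
{"id": "A-1004", "severity": "low", "detector": "av.quarantine", "fired": "2014-12-01T10:00:00Z", "acked": "2014-12-01T11:00:00Z", "closed": "2014-12-01T12:00:00Z", "note": "quarantined, host reimaged, no lateral movement in proxy logs"}
"""

# Dispositions that close a ticket without saying what was actually checked.
EMPTY_DISPOSITIONS = {"", "fp", "false positive", "benign", "closed"}


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp ('...Z'); None stays None."""
    if value is None:
        return None
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def load_alerts(export_text):
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in export_text.splitlines() if line.strip()]


def audit_alert(alert, now):
    """Return a list of (alert id, issue) findings for one alert."""
    findings = []
    fired = parse_ts(alert["fired"])
    acked = parse_ts(alert["acked"])
    closed = parse_ts(alert["closed"])
    ack_deadline = fired + timedelta(minutes=ACK_SLA_MIN[alert["severity"]])
    close_deadline = fired + timedelta(minutes=CLOSE_SLA_MIN[alert["severity"]])

    if acked is None:
        if now > ack_deadline:
            findings.append((alert["id"], "unacknowledged past SLA"))
    elif acked > ack_deadline:
        findings.append((alert["id"], "acknowledged late"))

    if closed is None:
        if now > close_deadline:
            findings.append((alert["id"], "still open past close SLA"))
    else:
        if closed > close_deadline:
            findings.append((alert["id"], "closed late"))
        # A ticket closed with nothing but "false positive" was dismissed,
        # not investigated; that is the failure mode the Target story describes.
        if alert["note"].strip().lower() in EMPTY_DISPOSITIONS:
            findings.append((alert["id"], "closed without written evidence"))
    return findings


def audit(alerts, now):
    """Findings for the whole export, in export order."""
    findings = []
    for alert in alerts:
        findings.extend(audit_alert(alert, now))
    return findings


def critical_ack_rate(alerts):
    """Share of critical alerts a human acknowledged within SLA: a number
    you can put in the outsourcer's monthly review."""
    crit = [a for a in alerts if a["severity"] == "critical"]
    if not crit:
        return 1.0
    on_time = 0
    for a in crit:
        acked = parse_ts(a["acked"])
        deadline = parse_ts(a["fired"]) + timedelta(minutes=ACK_SLA_MIN["critical"])
        if acked is not None and acked <= deadline:
            on_time += 1
    return on_time / len(crit)


if __name__ == "__main__":
    alerts = load_alerts(SAMPLE_EXPORT)
    now = parse_ts("2014-12-01T12:30:00Z")  # assumed time the audit is run
    for alert_id, issue in audit(alerts, now):
        print(f"{alert_id}: {issue}")
    print(f"critical alerts acknowledged within SLA: {critical_ack_rate(alerts):.0%}")
```

Run it against the outsourcer's real ticket export every month and keep the numbers: an unacknowledged critical beacon alert and a critical alert closed as "false positive" with no notes are exactly the two findings you want on the table when you ask who is accountable. The SLA minutes and the disposition list are the things to negotiate into the contract, not leave to the provider's discretion.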


My contention is that we are missing a simple piece needed to get ahead of the criminals so that defense (D) is greater than offense (O): test, test, test. Check your people and your outsourcers, because otherwise who is accountable?


Contact me to discuss your testing needs:  Tony Zafiropoulos  314-504-3974 tonyz”@”