Resources
IT and Cyber Are Two Disciplines. Your Firm Needs Both — Done Right.
Both disciplines are essential, and both deserve respect — each with its own methods, its own accountability, and its own evidence. The risk is not your IT provider. The risk is cyber treated as a feature of IT: configured manually, verified by no one, evidenced nowhere.
By Brian Edelman, Founder & CEO, FCI Cyber · Last updated: July 2026
IT and cybersecurity are two different disciplines. IT’s mission is productivity — uptime, applications, user support. Cyber’s mission is an adversary — enforcement, detection, response, and evidence for regulators and insurers. FCI keeps both disciplines whole through three engagement models: One Provider, Partnership with your IT firm, and Co-Managed with your internal IT team.
Related: Choosing a Cybersecurity Provider · Firm Security · Incident Response · Questions
The Two Disciplines
Two Disciplines, Two Missions
Neither discipline is a subset of the other. Each has its own mission, its own methods, and its own definition of a job well done.
IT’s mission is to keep a firm running and its people productive: uptime, onboarding and offboarding, user accounts and access rights, applications, infrastructure, networks, email, backup, and high-touch day-to-day support. It is demanding, relationship-driven work — and when it is done well, everyone’s job gets easier. A firm with a strong IT partner or internal IT team should keep them.
Cybersecurity’s mission faces an adversary: security controls enforced on every endpoint, detection and response around the clock, forensic preservation when something goes wrong, and evidence ready for regulators and cyber insurers. It is measured not by how smoothly things run, but by what can be proven when someone — an attacker, an examiner, an insurer — puts it to the test.
Excellence in one discipline is not competence in the other — in either direction.
The Record
What the Authorities Say
The demarcation between IT and cyber is not FCI’s opinion. It is what examiners ask for by name, and what the U.S. government and its allies have put in writing.
In client audits FCI has participated in, examiners asked for the names of the firm responsible for each function — IT and cybersecurity. They expect the demarcation to be explicit, contractual, and answerable. The 2022 joint advisory from CISA, the NSA, the FBI, and international partners says the same about provider contracts, which should:
The same 2022 joint advisory describes, factually, what any managed IT provider necessarily holds. Managed service providers:
And it describes why threat actors care — they:
Its prescription is not to distrust the provider. It is to protect the access: apply least privilege to provider accounts and enforce MFA on them — the same way every security framework treats any privileged account, no matter whose it is.
Your firm already performs vendor due diligence on every SaaS platform that touches nonpublic information — because regulators require third-party oversight, and because the data is yours no matter whose servers it sits on. An IT provider holds more than any SaaS platform does: administrator credentials, remote access — and, routinely, time alone on the computers where your client data lives. That makes IT the highest-risk vendor category a firm has, and the one that most deserves the full review. For DFS-licensed companies it is not even optional: 23 NYCRR 500 requires a third-party service provider security policy.
The questions are the same ones you ask every other vendor. Have you reviewed their due diligence package? Can they demonstrate — not attest, demonstrate — that they meet the same regulations you are held to? Ask. In FCI’s experience, most cannot produce the package. FCI hands its own over before being asked: the SOC 2 report, the SecurityScorecard rating, and the enterprise audits it passes every year.
This is not about trusting your IT provider less. It is about recognizing what their access makes them. An IT provider holds administrator credentials, remote access, and the keys to your data — the same access your most privileged employee has, and more. Every security framework says the same thing about that kind of access: protect it, verify it, monitor it, evidence it. Not because the person is suspect — because the access is powerful.
Your IT provider deserves the same protection as your best employee. That is a compliment, not an accusation.
The Principle
Checks and Balances Is a Control, Not an Insult
Finance runs on this principle every day. The trader is not the auditor. The bookkeeper is not the treasurer. Nobody calls that distrust — it is how honest systems stay honest. Separating who operates systems from who verifies and evidences them is the same principle applied to technology: whoever holds the keys should not be the only one watching the keys.
And FCI submits to the same rule it describes. FCI is SOC 2 Type 1 audited annually, holds a 100% SecurityScorecard rating, and is audited by its enterprise clients. It deploys without requiring privileged admin accounts on client computers and does not access or store NPI. It performs an annual Technical Controls Security Assessment of its IT partners at no cost — so the IT firm gets evidence to show its own regulated clients, too. Nobody in this model is asked to be trusted blindly — including FCI.
The separation that matters is not between two companies. It is between two disciplines — each with its own methods, its own accountability, and its own evidence. The risk is not an IT firm; the risk is cyber being treated as a feature of IT: configured manually, verified by no one, evidenced nowhere.
FCI does not ask anyone to take this principle on faith — FCI is built on it. Inside FCI, IT and cyber are two separated divisions: different teams, different access, different tools, different oversight. The IT team supporting a client is never the team watching that client’s security. When FCI delivers IT, our IT division operates under the cyber division’s governance exactly as any IT partner would — enforced settings, tamper protection, monitored and logged access, assessed like anyone else who holds keys. The discipline boundary holds no matter who is on each side of it — including when both sides are FCI.
The Comparison
Two Disciplines, Two Toolkits — What Changes When Cyber Is a Focus Rather Than a Feature?
Configuring security by hand, device by device, means settings drift and users change them back — in every manually-configured environment FCI has assessed, a percentage of computers were non-compliant. Enforcement has to be automated and tamper-proof, and it has to produce evidence continuously. And when a breach comes, responding before authorities, regulators, and cyber insurers — forensic preservation, notification duties, claim evidence — is not an IT skill set, and it cannot be learned during the breach. None of this criticizes any firm. It describes what changes when cyber is a discipline rather than a feature.
| Dimension | Cyber as an added feature of IT | Cyber as the discipline (FCI) |
|---|---|---|
| Regulatory expertise | Generic, across all industries | Specific to SEC, FINRA, NYDFS, NAIC — since 1995 |
| Deployment & enforcement | Manual, device by device; settings drift | Automated across every endpoint, including BYOD |
| Protection of the controls themselves | Users/admins can disable tools | Tamper-proof; access without requiring privileged admin accounts |
| Monitoring | Business hours, alert forwarding | 24×7 human-led U.S.-based SOC |
| When an incident hits | Escalates to a third party it must find | Response protocol: isolation, forensics, remediation, communication |
| Facing regulators & insurers after a breach | Rarely experienced | Representation through hundreds of breaches; evidence package ready |
| Its own security posture | Rarely audited | SOC 2 Type 1 annually; 100% SecurityScorecard; audited by enterprise clients |
| Internal structure | Same people wear the IT hat and the security hat | Separated divisions: the team operating IT is never the team verifying security |
| Evidence for exams & renewals | Assembled manually, after the request | Produced continuously (FCI Portal) |
Engagement Models
Three Ways Firms Work with FCI — All Three Keep Both Disciplines Whole
There is no one right structure. There is one right principle: IT and cyber each done by people focused on that discipline, with clear roles, mutual verification, and evidence. FCI operates all three models today — some for decades, some formalized as recently as 2026.
For firms that want a single accountable partner. FCI has practiced IT operations for thirty years — for its own environment and for clients who have trusted FCI with both since the beginning — and formalized IT Support Services as an offering in 2026, because clients asked for a single trusted provider to handle both. The order matters: FCI is a cybersecurity company that delivers IT under cyber governance — not an IT company that added cyber. And “one provider” does not mean “one team”: inside FCI, IT and cyber are two separated divisions — different people, different access, different tools, different oversight. The IT team supporting your firm is never the team watching your firm’s security. Your IT is delivered by FCI’s IT division; it is verified, enforced, and evidenced by FCI’s cyber division — the same checks and balances as two vendors, with one contract and one accountability.
| FCI cyber division | FCI IT division |
|---|---|
| Enforcement, monitoring, incident response, forensics, evidence, key escrow, second-level escalation | Users, access rights, applications, infrastructure, backup, first-level support |
For firms that already have an IT provider they like. The IT firm keeps everything that makes it valuable — high-touch user support, applications, infrastructure, productivity, the day-to-day relationship — and FCI carries the cyber discipline: enforcement, monitoring, incident response, regulatory evidence. The mechanics make the respect real: FCI routes IT issues back to the partner, shares asset reports scoped to the endpoints they support, provides second-level cyber support to the IT firm, sends leads to partners, and performs the partner’s annual Technical Controls Security Assessment at no cost — which the IT firm can show its own regulated clients as proof of its posture. This model has been in production since 2018, formalized as a program in 2020.
| FCI | Your IT firm |
|---|---|
| Enforcement, monitoring, incident response, forensics, evidence, second-level cyber support behind the IT firm | Users, access rights, applications, infrastructure, backup, first-level support, remediation from FCI’s reports |
For firms with a small internal IT team. The team keeps what it does best — first-level user support, onboarding and offboarding, access rights, applications, the human relationship with every user — and FCI supplies what a small team cannot build alone: the 24×7 SOC, automated enforcement across every endpoint including BYOD, cloud app management and hardening, mass-vulnerability response, second-level escalation, and the continuous evidence trail. The interlock is explicit: FCI produces the dashboards and reports, the internal team reviews and remediates; the team gives first-level support, FCI answers behind them. FCI’s published position: “The company’s co-managed approach is intended to complement internal teams, not replace them.”
| FCI | Your internal IT team |
|---|---|
| Enforcement, 24×7 monitoring, incident response, forensics, evidence, second-level escalation | Users, onboarding and offboarding, access rights, applications, backup, first-level support, remediation from FCI’s reports |
It was better to partner up with a leader that is 100% dedicated to this arena versus having people in-house with multiple roles… allowed us to position ahead of the competition… with virtually no overhead.
FAQ
Common Questions
See Where Your Firm Stands — Both Disciplines, One Picture
A 30-minute gap analysis shows what is enforced today, what is missing, and what you could prove to an examiner or insurer tomorrow — whichever of the three models fits your firm.