Resources

IT and Cyber Are Two Disciplines. Your Firm Needs Both — Done Right.

Both disciplines are essential, and both deserve respect — each with its own methods, its own accountability, and its own evidence. The risk is not your IT provider. The risk is cyber treated as a feature of IT: configured manually, verified by no one, evidenced nowhere.

By Brian Edelman, Founder & CEO, FCI Cyber · Last updated: July 2026

IT and cybersecurity are two different disciplines. IT’s mission is productivity — uptime, applications, user support. Cyber’s mission is an adversary — enforcement, detection, response, and evidence for regulators and insurers. FCI keeps both disciplines whole through three engagement models: One Provider, Partnership with your IT firm, and Co-Managed with your internal IT team.

Related: Choosing a Cybersecurity Provider · Firm Security · Incident Response · Questions

The Two Disciplines

Two Disciplines, Two Missions

Neither discipline is a subset of the other. Each has its own mission, its own methods, and its own definition of a job well done.

IT — the productivity discipline

IT’s mission is to keep a firm running and its people productive: uptime, onboarding and offboarding, user accounts and access rights, applications, infrastructure, networks, email, backup, and high-touch day-to-day support. It is demanding, relationship-driven work — and when it is done well, everyone’s job gets easier. A firm with a strong IT partner or internal IT team should keep them.

Cyber — the adversary discipline

Cybersecurity’s mission faces an adversary: security controls enforced on every endpoint, detection and response around the clock, forensic preservation when something goes wrong, and evidence ready for regulators and cyber insurers. It is measured not by how smoothly things run, but by what can be proven when someone — an attacker, an examiner, an insurer — puts it to the test.

Excellence in one discipline is not competence in the other — in either direction.

The Record

What the Authorities Say

The demarcation between IT and cyber is not FCI’s opinion. It is what examiners ask for by name, and what the U.S. government and its allies have put in writing.

Examiners ask who owns each discipline — by name

In client audits FCI has participated in, examiners asked for the names of the firm responsible for each function — IT and cybersecurity. They expect the demarcation to be explicit, contractual, and answerable. The 2022 joint advisory from CISA, the NSA, the FBI, and international partners says the same about provider contracts, which should:

“Transparently identify ownership of ICT security roles and responsibilities.” — 2022 joint advisory AA22-131A — CISA, NSA, FBI and international partners
Provider access is privileged access — say the authorities

The same 2022 joint advisory describes, factually, what any managed IT provider necessarily holds. Managed service providers:

“Require both trusted network connectivity and privileged access to and from customer systems.” — 2022 joint advisory AA22-131A — CISA, NSA, FBI and international partners

And it describes why threat actors care — they:

“Use a vulnerable MSP as an initial access vector to multiple victim networks.” — 2022 joint advisory AA22-131A — CISA, NSA, FBI and international partners

Its prescription is not to distrust the provider. It is to protect the access: apply least privilege to provider accounts and enforce MFA on them — the same way every security framework treats any privileged account, no matter whose it is.

Protection, not suspicion: treat provider access like your most privileged employee’s access — protected, verified, monitored, and evidenced.
Joint Cybersecurity Advisory AA22-131A (2022)
Your IT provider is a vendor — your highest-risk one. Run the due diligence.

Your firm already performs vendor due diligence on every SaaS platform that touches nonpublic information — because regulators require third-party oversight, and because the data is yours no matter whose servers it sits on. An IT provider holds more than any SaaS platform does: administrator credentials, remote access — and, routinely, time alone on the computers where your client data lives. That makes IT the highest-risk vendor category a firm has, and the one that most deserves the full review. For DFS-licensed companies it is not even optional: 23 NYCRR 500 requires a third-party service provider security policy.

The questions are the same ones you ask every other vendor. Have you reviewed their due diligence package? Can they demonstrate — not attest, demonstrate — that they meet the same regulations you are held to? Ask. In FCI’s experience, most cannot produce the package. FCI hands its own over before being asked: the SOC 2 report, the SecurityScorecard rating, and the enterprise audits it passes every year.

The standard already exists: apply the vendor due diligence you use for your SaaS platforms to the vendor with the most access of all — and expect a complete package back.

This is not about trusting your IT provider less. It is about recognizing what their access makes them. An IT provider holds administrator credentials, remote access, and the keys to your data — the same access your most privileged employee has, and more. Every security framework says the same thing about that kind of access: protect it, verify it, monitor it, evidence it. Not because the person is suspect — because the access is powerful.

Your IT provider deserves the same protection as your best employee. That is a compliment, not an accusation.

The Principle

Checks and Balances Is a Control, Not an Insult

Finance runs on this principle every day. The trader is not the auditor. The bookkeeper is not the treasurer. Nobody calls that distrust — it is how honest systems stay honest. Separating who operates systems from who verifies and evidences them is the same principle applied to technology: whoever holds the keys should not be the only one watching the keys.

And FCI submits to the same rule it describes. FCI is SOC 2 Type 1 audited annually, holds a 100% SecurityScorecard rating, and is audited by its enterprise clients. It deploys without requiring privileged admin accounts on client computers and does not access or store NPI. It performs an annual Technical Controls Security Assessment of its IT partners at no cost — so the IT firm gets evidence to show its own regulated clients, too. Nobody in this model is asked to be trusted blindly — including FCI.

The separation that matters is not between two companies. It is between two disciplines — each with its own methods, its own accountability, and its own evidence. The risk is not an IT firm; the risk is cyber being treated as a feature of IT: configured manually, verified by no one, evidenced nowhere.

FCI does not ask anyone to take this principle on faith — FCI is built on it. Inside FCI, IT and cyber are two separated divisions: different teams, different access, different tools, different oversight. The IT team supporting a client is never the team watching that client’s security. When FCI delivers IT, our IT division operates under the cyber division’s governance exactly as any IT partner would — enforced settings, tamper protection, monitored and logged access, assessed like anyone else who holds keys. The discipline boundary holds no matter who is on each side of it — including when both sides are FCI.

The Comparison

Two Disciplines, Two Toolkits — What Changes When Cyber Is a Focus Rather Than a Feature?

Configuring security by hand, device by device, means settings drift and users change them back — in every manually-configured environment FCI has assessed, a percentage of computers were non-compliant. Enforcement has to be automated and tamper-proof, and it has to produce evidence continuously. And when a breach comes, responding before authorities, regulators, and cyber insurers — forensic preservation, notification duties, claim evidence — is not an IT skill set, and it cannot be learned during the breach. None of this criticizes any firm. It describes what changes when cyber is a discipline rather than a feature.

Dimension Cyber as an added feature of IT Cyber as the discipline (FCI)
Regulatory expertiseGeneric, across all industriesSpecific to SEC, FINRA, NYDFS, NAIC — since 1995
Deployment & enforcementManual, device by device; settings driftAutomated across every endpoint, including BYOD
Protection of the controls themselvesUsers/admins can disable toolsTamper-proof; access without requiring privileged admin accounts
MonitoringBusiness hours, alert forwarding24×7 human-led U.S.-based SOC
When an incident hitsEscalates to a third party it must findResponse protocol: isolation, forensics, remediation, communication
Facing regulators & insurers after a breachRarely experiencedRepresentation through hundreds of breaches; evidence package ready
Its own security postureRarely auditedSOC 2 Type 1 annually; 100% SecurityScorecard; audited by enterprise clients
Internal structureSame people wear the IT hat and the security hatSeparated divisions: the team operating IT is never the team verifying security
Evidence for exams & renewalsAssembled manually, after the requestProduced continuously (FCI Portal)

Engagement Models

Three Ways Firms Work with FCI — All Three Keep Both Disciplines Whole

There is no one right structure. There is one right principle: IT and cyber each done by people focused on that discipline, with clear roles, mutual verification, and evidence. FCI operates all three models today — some for decades, some formalized as recently as 2026.

Model 1
One Provider — two divisions, one accountability

For firms that want a single accountable partner. FCI has practiced IT operations for thirty years — for its own environment and for clients who have trusted FCI with both since the beginning — and formalized IT Support Services as an offering in 2026, because clients asked for a single trusted provider to handle both. The order matters: FCI is a cybersecurity company that delivers IT under cyber governance — not an IT company that added cyber. And “one provider” does not mean “one team”: inside FCI, IT and cyber are two separated divisions — different people, different access, different tools, different oversight. The IT team supporting your firm is never the team watching your firm’s security. Your IT is delivered by FCI’s IT division; it is verified, enforced, and evidenced by FCI’s cyber division — the same checks and balances as two vendors, with one contract and one accountability.

FCI cyber divisionFCI IT division
Enforcement, monitoring, incident response, forensics, evidence, key escrow, second-level escalationUsers, access rights, applications, infrastructure, backup, first-level support
Best for: firms consolidating vendors, firms without internal IT, and legacy relationships.
Model 2
Partnership — your IT firm stays, and stays valuable

For firms that already have an IT provider they like. The IT firm keeps everything that makes it valuable — high-touch user support, applications, infrastructure, productivity, the day-to-day relationship — and FCI carries the cyber discipline: enforcement, monitoring, incident response, regulatory evidence. The mechanics make the respect real: FCI routes IT issues back to the partner, shares asset reports scoped to the endpoints they support, provides second-level cyber support to the IT firm, sends leads to partners, and performs the partner’s annual Technical Controls Security Assessment at no cost — which the IT firm can show its own regulated clients as proof of its posture. This model has been in production since 2018, formalized as a program in 2020.

FCIYour IT firm
Enforcement, monitoring, incident response, forensics, evidence, second-level cyber support behind the IT firmUsers, access rights, applications, infrastructure, backup, first-level support, remediation from FCI’s reports
Best for: firms with a strong external IT relationship; IT firms that want to offer credible cyber without building a security company.
Model 3
Co-Managed — FCI behind your internal IT team

For firms with a small internal IT team. The team keeps what it does best — first-level user support, onboarding and offboarding, access rights, applications, the human relationship with every user — and FCI supplies what a small team cannot build alone: the 24×7 SOC, automated enforcement across every endpoint including BYOD, cloud app management and hardening, mass-vulnerability response, second-level escalation, and the continuous evidence trail. The interlock is explicit: FCI produces the dashboards and reports, the internal team reviews and remediates; the team gives first-level support, FCI answers behind them. FCI’s published position: “The company’s co-managed approach is intended to complement internal teams, not replace them.”

FCIYour internal IT team
Enforcement, 24×7 monitoring, incident response, forensics, evidence, second-level escalationUsers, onboarding and offboarding, access rights, applications, backup, first-level support, remediation from FCI’s reports
Best for: enterprises and firms with 1–5 person IT teams.

It was better to partner up with a leader that is 100% dedicated to this arena versus having people in-house with multiple roles… allowed us to position ahead of the competition… with virtually no overhead.


— Avla IT Solutions, FCI IT Partner

FAQ

Common Questions

Does FCI replace our IT firm or IT team?
No. Two of the three engagement models exist precisely to keep them — Partnership keeps your external IT firm, and Co-Managed keeps your internal IT team. The mechanics are built to make them stronger: FCI routes IT issues back to the partner, shares asset reports scoped to the endpoints they support, provides second-level cyber support behind them, sends leads to partners, and performs the partner’s annual Technical Controls Security Assessment at no cost.
If separation matters so much, how can FCI provide both IT and cyber?
Because at FCI they are two divisions, not one team — separate people, separate access, separate tools, separate oversight. The IT team supporting your firm is never the team watching your firm’s security. The checks and balances don’t disappear with one provider; they move inside, and stay verifiable.
Our IT firm says they handle security. Isn’t that enough?
The question isn’t intent — it’s structure: who verifies the work, who answers regulators and insurers, and where the evidence lives. The 2022 joint advisory from CISA, the NSA, and the FBI adds one more: who watches the privileged access itself. An IT firm can be excellent at its own discipline and still be the wrong sole answer to those questions — whoever holds the keys shouldn’t be the only one watching the keys.
We trust our IT provider completely. Why change anything?
Keep them. Trust isn’t the issue — access is. An IT provider holds administrator credentials, remote access, and the keys to your data, and every security framework requires that kind of privileged access to be protected, verified, and monitored regardless of who holds it. That is protection, not suspicion — and FCI holds itself to the same rule.
What does co-managed look like day to day?
An explicit interlock. FCI produces the dashboards, reports, and enforcement evidence; your internal team reviews and remediates. Your team answers users first; FCI answers behind your team with second-level support and a 24×7 SOC. Enforcement is automated across every endpoint, so nobody spends their day configuring security by hand.

See Where Your Firm Stands — Both Disciplines, One Picture

A 30-minute gap analysis shows what is enforced today, what is missing, and what you could prove to an examiner or insurer tomorrow — whichever of the three models fits your firm.