
IT vs. Cybersecurity - Do you have a gap in services?

Written by Ryan Smith | September 24, 2025

In anticipation of October’s Cybersecurity Awareness Month, I thought it would be important to get ready by digging into the key differences between IT and Cybersecurity – because we often find there are gaps when we talk to people about their strategies.

I’ve had over a decade’s worth of experience working with Cybersecurity, IT, and closely related technology providers. And, over that time, it’s been pretty common to see businesses scratching their heads at exactly where the line between responsibilities exists.

It’s not really anyone’s fault; it’s a very blurry line. Sometimes it’s from confusion in marketing and the use of buzzwords, but it can also be hard to keep track of all of the unique approaches a vendor may offer.

It really matters though, because gaps can be a serious problem and a blind spot that leaves you exposed to threats.

This most recently came up, and inspired this article, because an office I’ve been sharing free resources with for a few months reached out with a hard lesson they learned that’s worth sharing:

  • We’d been looking at their practices and there were some questions about what they were getting, if it was enough, and what ‘good cybersecurity’ looked like for their business.
  • I only recently heard that during the time we were talking, they’d had an attack.
  • One of their copiers was accessed and the threat actor was able to get images of scanned checks.
  • Luckily, a diligent client was one of the first to have their check forged and they called right away, drawing attention to the breach.
  • It turned out that the copier was running on a very old version and was connected to the internet, making it an external-facing vulnerability that was very easy to detect and attack.
  • As they went through the breach investigation with their insurer, they said, ‘that’s when it became really clear that their trusted IT provider was in over his head.’

I think about this a lot and I’ve seen this situation quite often really, where it’s assumed IT has it covered – but they don’t!

And, I’ve seen it the other way around, where IT has been very vocal that more needed to be done but the client either isn’t getting it or just doesn’t want to do anything.

So with that in mind, I wanted to help lay out what some of the differences are that you need to look for and be aware of, and give you some things to look into to make sure you’re on the right track.

IT and Cybersecurity Missions

Let’s start with looking at the core missions behind each practice:

  • IT tends to be more focused on keeping systems up and running efficiently
  • Where Cybersecurity tends to be more about identifying and addressing risks, and responding to attacks

Of course, this is highly generalized, but a great example of how this can play out is when you look at how each group might approach a ransomware attack.

  • IT’s response is to get things back up and running quickly. They have the backups, so they wipe everything and start fresh. Ransomware gone!
  • Cybersecurity’s response is to start with an investigation, so they need to capture evidence to make sure they understand what exactly the threat actor did and how they got in, so they can make sure they don’t come back. Getting evidence has to happen before anything can be wiped or restored.

I don’t hear about this happening as much but I ran into several issues in the past where we hit a dead end with a breach investigation because the IT team didn’t realize they destroyed the evidence we needed.

All this being said, some organizations now combine IT and Cybersecurity services to make sure they can cover all of the related missions necessary to manage and protect your business.

But that also brings me to the next area to look at…

Who Watches The Watchman?

The structure that I’ve seen be the most successful is working with 3rd party providers where the IT or Managed Services Provider (MSP) tends to act similarly to your general physician. And, where specialists may be needed to provide niche expertise or a second opinion.

That isn’t to say it’s impossible to do both under one vendor, but sometimes that other opinion is really important.

I once went into the ER and was told I had a fractured elbow and was sent to get a second opinion from an orthopedic practice. When the MRI came back, it showed a torn bicep. Probably something really obvious to that specialist but a bit of a big miss for the ER doc.

It’s why they have a referral process to get that other opinion.

And, it’s something to keep in mind when you have IT and Cybersecurity combined under one provider.

Even beyond biases, it can be easy to overlook something or make a mistake. Having an unbiased 3rd party act as quality assurance and bring a unique perspective with their expertise can help you avoid these types of blind spots.

Cybersecurity Goes Beyond IT

There are a few areas that you may find Cybersecurity gets well away from the technical side of things and more into operations and legal matters.

On the operations side of things, your Cybersecurity provider is going to need to know more about how your technology is used than just the technology itself. To understand and address your risk, it takes a deeper dive into the types of data you interact with, the processes around it, and may involve other software not managed by the IT provider.

For the legal side of things, there are requirements around data security, data disposal, data privacy, breach notification, and even those set by 3rd party partners or insurance. Different levels of experience in these areas are going to be needed depending on where you fall here.

Cybersecurity Offerings

One of the biggest areas of confusion I see today happens to come about with common marketing terms that get thrown around.

For an IT provider, you have to be offering ‘cybersecurity’ or your competitors will eat your lunch.

Depending on the vendor, providing ‘cybersecurity’ could mean just offering products like Antivirus/Endpoint Detection and Response (AV/EDR) or Security Operations Center (SOC), and be light on the consulting and guidance around risk mitigation and more proactive strategies.

It’s great if you have a selection of tools to use, but what good is it if the strategy around those tools is missing?

One other area of confusion comes up in the type of ‘monitoring’ being provided.

When vaguely defined, it can be dangerous to assume that ‘everything’ is being monitored.

Make sure that, if your IT team includes ‘monitoring’, it goes beyond just performance and network monitoring to also provide monitoring around threats and vulnerabilities.

You may need to supplement this with help from a Cybersecurity provider that has experience with vulnerability scanning and other tools that can both identify risks as well as possible misconfigurations or other mistakes that can easily happen.

Do You Have Any Gaps?

Even writing this article is tricky because there’s no set line between IT and Cybersecurity and, as we’ve shared here, it really depends on the providers you have and their experience and offerings.

If you want to make sure you have the right approach in place, there are a few things you can ask about that are Cybersecurity practices all businesses should have in place.

These are the most common areas where I find blind spots in my consultations:

Risk Assessments and Understanding Risk
Are you getting a risk assessment each year? It may be a requirement to do this, and a true risk assessment will include a detailed report with findings that are scored based on “likelihood” and “impact” factors. If you don’t have a report that mentions these key measures, then you may need some help.

Vulnerability Management
Are you getting regular vulnerability scans and reports that show findings based on the Common Vulnerabilities and Exposures (CVE) list? If you don’t find “CVE” anywhere in your regular reports (monthly is ideal), then you may not have the proper resources in place to identify areas of weakness in your environment before they are attacked.
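The “look for CVE in your reports” check above can be automated. The script below is an added example, not something from the article or from RLS Consulting: it takes a constructed text report (the one-finding-per-line layout is an assumption, and the CVE numbers are placeholders in valid CVE format, not real identifiers), pulls out every CVE reference, flags findings that carry no reference at all, and tallies findings by severity so you can see at a glance whether a monthly report actually ties weaknesses back to known vulnerabilities.

```python
import re
from collections import Counter

# MITRE CVE identifiers look like CVE-YYYY-NNNN with four or more digits
# after the year; the word boundaries keep us from matching inside other tokens.
CVE_PATTERN = re.compile(r"\bCVE-\d{4}-\d{4,}\b")

# Constructed sample report (hypothetical hosts; the CVE ids are
# placeholders in valid CVE format, not real vulnerability identifiers).
SAMPLE_REPORT = """\
Host: copier-01     Severity: Critical  Finding: outdated firmware       Ref: CVE-2099-00001
Host: fileserver-01 Severity: High      Finding: legacy protocol enabled Ref: none
Host: www-01        Severity: Medium    Finding: weak TLS configuration  Ref: CVE-2099-00002
Host: copier-01     Severity: High      Finding: admin interface exposed Ref: CVE-2099-00001
"""


def parse_findings(report):
    """Turn each 'Host: ...' line into a dict with its severity and CVE refs."""
    findings = []
    for line in report.splitlines():
        line = line.strip()
        if not line.startswith("Host:"):
            continue  # skip headers, blank lines, footers
        sev_match = re.search(r"Severity:\s*(\w+)", line)
        findings.append({
            "line": line,
            "severity": sev_match.group(1) if sev_match else "Unknown",
            "cves": CVE_PATTERN.findall(line),
        })
    return findings


def audit_report(report):
    """Summarise whether a report gives CVE-based evidence of vulnerability management."""
    findings = parse_findings(report)
    unique_cves = sorted({cve for f in findings for cve in f["cves"]})
    unreferenced = [f["line"] for f in findings if not f["cves"]]
    return {
        "findings": len(findings),
        "unique_cves": unique_cves,
        # findings with no CVE reference deserve a follow-up question to the provider
        "unreferenced": unreferenced,
        "by_severity": dict(Counter(f["severity"] for f in findings)),
        "has_cve_evidence": bool(unique_cves),
    }


if __name__ == "__main__":
    result = audit_report(SAMPLE_REPORT)
    print(f"{result['findings']} findings, {len(result['unique_cves'])} unique CVEs")
    print("By severity:", result["by_severity"])
    for line in result["unreferenced"]:
        print("No CVE reference:", line)
    if not result["has_cve_evidence"]:
        print("WARNING: no CVE identifiers found in this report")
```

Run it against an exported report from your provider; a result with `has_cve_evidence` false, or with a long `unreferenced` list, is the signal the text describes that vulnerability management may not really be in place.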

Cybersecurity Program
Do you have Policies & Procedures or other documents that explain your approach to protecting your non-public information and critical systems? If you do, are they based on a common framework that aligns you to recognized best practices and helps you avoid skipping anything important?

Incident Response
Do you have an Incident Response Plan that dictates the roles and responsibilities between your organization’s members and your IT provider? Is this aligned with your insurance policy and structured to help you collect and preserve evidence if something goes wrong?

In the end, everyone is unique; it all comes down to looking more closely at your practices and what your providers offer.

To help people sort through it all, I offer free consultations where we can take a look at your practices and help you identify any major gaps in your approach (or confirm when you’re on the right path already!).

You can set up your free consultation with me here.

If you want help and would like to keep learning, don’t miss our major event for Cybersecurity Awareness Month happening all throughout October.

We have free cyber resources, free phishing simulations, a free Cybersecurity Awareness Month Kit to help you run your own event, and we’re including 19 different live events to help you make some progress on your risks and with your staff.

Check it out here: https://rlsconsulting.co/october/