Here’s a question worth asking your IT provider: who actually checks your security? If the honest answer is “the same team that runs everything else,” you have a gap most businesses never notice — until an auditor, an insurer, or an incident forces the issue.
It’s the IT equivalent of marking your own homework. And in most of the managed IT market, it’s the norm.
How security usually gets sold
In a typical MSP, security is a line item. It’s configured by the same engineers who run your helpdesk, patch your servers and manage your Microsoft 365 — people who are good at keeping things running, but who are also the ones being asked to confirm that what they built is secure. There’s no independent check, no separation of duties, and nothing you could realistically put in front of a board or a tender panel.
That works right up until it doesn’t. The questions that expose it are always the same: Can you prove your controls are actually in place? Who reviewed them? When were they last tested, and by whom? “We’re pretty sure it’s fine” is not an answer a regulated client, an insurer or a defence prime will accept.
Separation of duties isn’t bureaucracy — it’s assurance
In every other part of a serious business, you separate the people who do the work from the people who check it. Finance has auditors. Safety has inspectors. The reason is simple: the team closest to the work is the least likely to spot what it missed. Security is no different. The value isn’t a second opinion for its own sake — it’s that an independent specialist is looking for the gaps the build team has every incentive to overlook.
When your security is delivered and reviewed by a separate specialist firm, three things change. You get genuine independence instead of self-assessment. You get evidence you can hand to an auditor, an insurer or a client, instead of reassurance. And you get a posture that was designed deliberately — not whatever was left after the ticket queue cleared.
How we do it at aknowledge it
We built aknowledge it the opposite way to the bolt-on model. Your day-to-day IT is ours. But your cyber advisory, compliance and SOC/NOC are delivered by Securitribe — an independent security specialist — through its SecureOS methodology. We build and operate your environment to recognised standards like the ASD Essential Eight, SMB1001 and ISO 27001; Securitribe governs the certification and the independent review. Clear lines, no overclaiming, and real assurance behind the claim.
That separation is the product. It’s what lets a council, a law firm or a defence-supply-chain business say — and prove — that their security is run by specialists, not marked by the same team that built it.
Want to see how independent security actually works? Read how we secure you →