ConnectWise CISO Warns MSPs: Rethink Third-Party Risk As AI Accelerates

‘Quality assurance is going to be a big thing. How do you know your tools are being effective? We have to assume that two years from now, a large percentage of attacks will be AI-leveraged. We need to challenge our vendors on how they’re implementing AI in email protection, in SIEM tools, everywhere,’ says ConnectWise CISO Patrick Beggs.

With the rapid expansion of AI tools, MSPs must rethink both third-party risk management and their internal development standards, according to ConnectWise’s CISO.

“This brings to the forefront something I’ve talked about for years, which is third-party risk management,” Patrick Beggs, CISO at the Tampa, Fla.-based vendor, told CRN. “A lot of companies still aren’t doing the right diligence on the applications they bring into their environment. Now add something incredibly smart, powerful and, in the wrong hands, potentially a force multiplier for badness. You can’t skip the fundamentals.”

Beggs said ConnectWise is tightening its own oversight processes while monitoring emerging standards on a daily basis. “We’re also waiting for the U.S. guidance, like the NIST [National Institute of Standards and Technology] and CIS [Center for Internet Security] frameworks for AI. That’s absolutely going to be part of how we evaluate third-party apps and how we build internally,” he said.


AI-assisted development does not change that picture, the CISO said: ConnectWise's software still must pass through the same "security gates" in the development life cycle rather than bypassing existing secure development practices.

And the company is treating public breaches and outages as real-time training opportunities, whether or not ConnectWise is affected. When AWS recently experienced an outage, Beggs said ConnectWise immediately performed an internal impact assessment.

“We’ve used outages as free exercises for years,” he said. “I asked the team, ‘How do you know this is just an IT outage?’ We use events like that for incident response and business redundancy training. And during this most recent outage, our intel teams were working their contacts to make sure it wasn’t something more.”

Asked about lessons learned from the ConnectWise ScreenConnect vulnerability disclosed earlier this year, he said the incident highlighted several internal process improvements.

“Software has vulnerabilities,” he said. “Our product security team is always looking for ways to tighten the bolts, and we found some bolts to tighten. We work with third-party researchers all the time. We want to maintain that openness. That was a good lesson to reinforce.”

As AI agents begin to appear inside IT management platforms, Beggs said, organizations must apply the same scrutiny and discipline to them as to human identities: zero trust, limited entitlements and access only to the data they are supposed to have. The difference is throughput. "They work a lot faster, so you have to understand speed and scale."
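The entitlement-and-throughput check described above, written out as an added example; this is illustrative code, not ConnectWise's and not something from the interview. It treats an agent like any other principal: default deny, allowed actions and data scopes enumerated explicitly, and a per-minute action budget to cover the speed-and-scale point. The identity names, tenant IDs, action names and limits are constructed for the example.

```python
"""Least-privilege gate for non-human (AI agent) identities.

Added illustration; names, tenants, actions and limits are constructed.
"""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class Identity:
    name: str
    kind: str                       # "human" or "agent"; both go through the same gate
    entitlements: frozenset         # explicitly granted (action, data_scope) pairs
    actions_per_minute: int         # action budget; agents act far faster than people
    recent: deque = field(default_factory=deque, repr=False)  # timestamps of permitted actions


@dataclass
class Decision:
    allowed: bool
    reason: str


def authorize(identity: Identity, action: str, scope: str, now: float) -> Decision:
    """Decide whether `identity` may perform `action` on data `scope` at time `now`."""
    # Default deny: the exact (action, scope) pair must be granted. No wildcards.
    if (action, scope) not in identity.entitlements:
        return Decision(False, f"{identity.name}: no entitlement for {action} on {scope}")

    # Speed-and-scale control: sliding one-minute window over permitted actions.
    window = identity.recent
    while window and now - window[0] >= 60.0:
        window.popleft()
    if len(window) >= identity.actions_per_minute:
        return Decision(False, f"{identity.name}: budget of {identity.actions_per_minute}/min exhausted")

    window.append(now)
    return Decision(True, f"{identity.name}: {action} on {scope} permitted")


def run_demo() -> list:
    """Exercise the gate with a constructed triage agent; returns the decisions in order."""
    agent = Identity(
        name="triage-agent",
        kind="agent",
        entitlements=frozenset({("ticket.read", "tenant-a")}),
        actions_per_minute=3,
    )
    attempts = [
        ("ticket.write", "tenant-a", 0.0),   # action not granted
        ("ticket.read", "tenant-b", 0.0),    # data scope not granted
        ("ticket.read", "tenant-a", 0.0),    # permitted
        ("ticket.read", "tenant-a", 1.0),    # permitted
        ("ticket.read", "tenant-a", 2.0),    # permitted (budget now full)
        ("ticket.read", "tenant-a", 3.0),    # denied: too fast for this identity
        ("ticket.read", "tenant-a", 61.0),   # permitted again once the window slides
    ]
    return [authorize(agent, action, scope, t) for action, scope, t in attempts]


if __name__ == "__main__":
    for decision in run_demo():
        print("ALLOW" if decision.allowed else "DENY ", decision.reason)
```

Denied entitlement checks do not consume the action budget, so a misconfigured or compromised agent hammering resources it was never granted shows up as a stream of denials in the log rather than silently eating its own quota; in a real deployment the `reason` strings would go to the SIEM.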

Training AI agents is still an early-stage discipline, he said, but it comes down to data integrity: "If you give it bad data, it's going to develop bad habits. That's just like a person."

The more immediate danger, he warned, is attackers using AI to amplify attacks; the commoditization of malware is going to "blow up further."

“AI is going to enable that side of the house much more, at much greater scale,” he said.

He also expects federal policy on AI to accelerate and is watching AI security frameworks, notably NIST's draft guidance, evolve in real time.

“It’s evolving so rapidly that guidance has to be agile,” he said. “There has to be flexibility. But the basics are still zero trust, proper entitlements and understanding what data these AI systems can access.”

To keep pace, he said ConnectWise is deepening collaboration with industry peers, even competitors.

“We take competition off the table when it comes to security,” he said. “Their customers could be our customers, and our customers could be theirs. We share what’s important.”

Internally, Beggs is preparing his own teams for what's coming by automating compliance tasks and security operations center (SOC) workflows.

For partners, the first step is understanding the guidance already available. He urged partners to learn what’s out there but be aware of the sources. “Beware of shadow guidance. Stick with ISO, NIST and trusted peers.”

And looking ahead, he said his biggest concern is ensuring that defensive tools remain effective as adversaries adopt AI at scale, calling it a cyber arms race.

“Quality assurance is going to be a big thing. How do you know your tools are being effective?” he said. “We have to assume that two years from now, a large percentage of attacks will be AI-leveraged. We need to challenge our vendors on how they’re implementing AI in email protection, in SIEM [security information and event management] tools, everywhere.”