OEM or TPSM: Who Has Better Cybersecurity Protection?

It’s time to debunk the myths about TPSM cybersecurity.

Cybersecurity is at the top of the list of concerns of companies contemplating the move to a third-party software maintenance (TPSM) provider.

It’s understandable.

The threat of data breaches and major IT outages has now surpassed natural catastrophes, supply chain issues, and even pandemic outbreaks as the number one risk to businesses, and many misconceptions are circulating about OEM versus TPSM cybersecurity protection.

The real question is: do TPSM providers have the resources to deliver the level of protection that today’s cybersecurity climate demands?

The answer is yes.

Let’s separate fact from fiction. Here are three of the most common myths about OEM and TPSM cybersecurity offerings.

Myth #1: You need the latest version and patch for software to be secure.

FACT: TPSM can support you in achieving your desired security posture, no matter which version you are running.

A patch is one element of a vulnerability management program, but there are many other effective ways to mitigate a security risk posed by product vulnerability.

Patches from OEMs are typically focused on addressing vulnerabilities within a product. They are often designed to be deployed to the mass market, as it makes little financial sense for them to be tailored to individual customers. Additionally, it is often assumed that each customer has deployed the product in its entirety, straight out of the box, and that no customization has been implemented. If there is custom code that the OEM is not aware of, implementing a security patch could unintentionally break the system.

TPSM providers handle support regardless of version number, custom code, or configuration. They can use more tailored, targeted ways to address vulnerabilities in legacy IBM products, not only reducing the likelihood that identified vulnerabilities are exploited, but also reducing the chance that unknown, yet-to-be-identified vulnerabilities are exploited. This security philosophy comprises three parts:

  1. Contextual. Analyzing the business, regulatory, technical, threat, and operational environment provides the appropriate mitigating actions for each circumstance to a level of risk deemed acceptable by the customer. This is a continuous process and is never static.
  2. Risk-based. Numerous mitigation actions to reduce the likelihood of an identified vulnerability being exploited are provided until the customer is content that their desired level of risk has been achieved.
  3. Defense-in-depth. Mitigation actions are applied across the customer’s environment in layers to secure the supported product and enhance the overall security posture of its environment.

Myth #2: We need to stay with the OEM to retain access to vulnerability information.

FACT: Not true.

OEMs aren’t the only ones who monitor and analyze security vulnerabilities. TPSM providers often have teams of security professionals with global cybersecurity and engineering experience who analyze available threat and vulnerability information. In fact, many have worked within the fields of government, military, finance, and national infrastructure.

Their processes are designed to understand presented risk and requirements through intelligence-driven, risk-based, technical actions. These specialized teams focus on understanding what vulnerabilities might be present and how to reduce the likelihood of exploitation.

Although an effective security program can reduce the likelihood of companies being compromised, nothing is foolproof. Risk can never be zero. Breaches can still occur. This was the case with a major vulnerability in 2021 in Apache Log4j, an open-source logging library that is bundled with many software products. Called the largest, most critical vulnerability of the last decade, the Log4j vulnerability (also known as Log4Shell) at one point was estimated to be drawing 10 million exploitation attempts per hour in the United States alone.

Understanding the risk Log4j posed to its customers, Origina proactively engaged with those customers and the broader software and security community, providing developed actions to reduce the likelihood of exploitation. Origina’s response took an average of three days, and the team worked around the clock to support its customers.


Myth #3: You need OEM support to remain regulatory compliant.

FACT: Many regulations accept evidenced compensating controls and workarounds as long as the technical risk mitigation actions meet the intent and rigor of the original requirement and provide a similar level of defense.

Since the regulatory and threat landscape is always evolving, remaining compliant is a task that never ends.

Today, there is a growing focus on cyber resiliency, which the U.S. National Institute of Standards and Technology defines as “the ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on systems that use or are enabled by cyber resources.”

In September 2022, the E.U. proposed its Cyber Resilience Act, which introduces common cybersecurity rules for manufacturers and developers of products with digital elements, covering both hardware and software to “ensure manufacturers remain responsible for cybersecurity throughout a product’s lifecycle.”

TPSM cybersecurity supports organizations in responding to regulation changes.

Bottom line: Patch/fix/update response is only a part of an effective security and vulnerability management program.

The software OEM patch/fix/update approach alone may not be sufficient to protect your environment. Configuration and human behaviors should also be considered.

A good example of a situation where a fully updated product is not enough is juice jacking, a man-in-the-middle attack.

Juice jacking enables a malicious actor to capture sensitive data, including passwords, files, contacts, texts, and voicemails, from a mobile device while it is being charged at a public USB charging station.

Not only is there the potential for company data to be stolen from an employee’s phone as a result of human behavior, but there is also the risk of malware being placed onto the device, enabling further damage.

Companies require a security risk management program that can respond quickly to new intelligence and make effective use of existing resources and security solutions. TPSM providers aim to support their customers in achieving this.
