Owning the Risk: Why Cyber Trust Starts With the People Managing Your Tech

Written by:
Vishwa Pandagle
Cybersecurity Staff Editor

Quick Takeaways:

  • Reck warns that centralized marketplaces create concentration risk, making zero-trust design essential.
  • Pax8 embeds continuous monitoring and vendor risk management into its marketplace architecture.
  • Strong identity security and data governance are key to safely integrating AI into business operations.
  • Reck highlights that less than half of Entra accounts have strong authentication.
  • An organization in charge of the tech must also be responsible for security.

Robb Reck, Chief Information, Trust and Security Officer at Pax8, spoke with TechNadu about cybersecurity in centralized digital ecosystems and the impact of AI on identity and compliance. 

Reck brings extensive experience from his leadership roles shaping trust frameworks across the MSP ecosystem. He shares his perspective on how organizations can build resilience through secure-by-design principles and where many still lag behind. 

He emphasizes that while centralization and AI adoption drive innovation, they also heighten the stakes for identity, data, and vendor management in modern marketplaces.

Reck notes that maintaining transparency and fundamental cyber hygiene will be critical as MSPs evolve into strategic risk advisors in the AI era.

Vishwa: When services are centralized in a “marketplace of the future,” what new cybersecurity risks emerge, and what safeguards are most important?

Robb: Centralization introduces efficiencies, but also concentration risks. A breach in a centralized marketplace can cascade across multiple services and partners. The most critical safeguards include zero-trust architecture, continuous monitoring, and vendor risk management. 

At Pax8, we’ve embedded these principles into our Marketplace design, ensuring that every integration is vetted and every transaction is secure.

Broadly speaking, our collective IT community, including managed service providers (MSPs), still lacks basic cyber hygiene, so this remains of the utmost importance. MFA, patching, and the like need to improve and will continue to be how threat actors win. 

When we think about Marketplace services, supply chain risk should be considered. We do that by understanding where our tools come from, how they are assembled, and ensuring that we’re comfortable with the providers in our chain.

We are committed to continuously improving our own security practices so that we support partner security maturity in their own practices.

Vishwa: As AI becomes embedded in core business operations, where do you see the most immediate cyber risks — data privacy, supply chain, or identity security?

Robb: All three are critical, but identity security is the most immediate. AI systems require broad access to company data and systems, making identity compromise a high-value target. 

As a result, strong identity and data governance and AI-specific access controls are essential to embracing this new technology in the safest way possible.

Vishwa: Small and medium-sized businesses (SMBs) are rapidly adopting AI but often lack mature security programs. What blind spots do you see most often, and how can they be addressed?

Robb: Cyber hygiene continues to be critical for organizations of all sizes, but especially for the SMB. Nothing else matters if basic controls haven’t been covered, and the tech community as a whole is ineffective at this right now. 

In their 2024 Digital Defense report, Microsoft states that less than half of Entra accounts have strong authentication, which is a systemic and dangerous issue. 

In terms of new controls, data governance again comes to the forefront, preventing even accidental insider threats and incidental external exposure of data through poorly managed external AI interfaces (like customer service bots).

Vishwa: Managed Service Providers (MSPs) are shifting from infrastructure management to decision support. How does this change increase their responsibility for securing customer data and preventing insider or supply chain risks?

Robb: An organization in charge of the tech MUST also be responsible for security. The responsibility remains largely unchanged, but the stakes are higher and the threat landscape is now more complicated. 

Managed service providers (MSPs) need to have business leadership conversations and drive risk-managed, smart business decisions. This will include vendor evaluations for supply chain risk, but will also require data management and policy-related conversations to manage and mitigate risk. 

Vishwa: Security and compliance with AI remain challenging for SMBs. What role can service providers play in reducing exposure to regulatory and data risks?

Robb: AI is still a challenge for all of us. It's new and emerging, and that can make it scary. Think of the early days of cloud computing, when professionals did not have full access to the computers on which their core processes ran.

The same mindset applies; we need to understand our regulations and how AI impacts our ability to comply. Then boundaries should be drawn around where we do and don't implement AI, and determine if we implement in phases that allow management without slowing innovation. 

Equally important, MSPs need to know when to step out and encourage clients to seek legal counsel. Partnering with counsel will become an activity for MSPs to offer comprehensive risk management solutions. 

Vishwa: Making AI tools broadly available democratizes innovation. How can we prevent this from also democratizing vulnerabilities?

Robb: Democratization must come with guardrails. We believe in “secure-by-design” AI – tools that are intuitive but also enforce best practices. That includes sandboxed environments, usage monitoring, and built-in anomaly detection. Innovation should be accessible, but not reckless.

Citizen development, in which non-traditional developers are creating business solutions, isn't new, but up until this point has been largely unattainable for most users. AI flips this on its head (think using Claude Code to write a micro app for a specific task). 

Citizen development programs should encourage this innovation, but implement guidelines to include proper access controls, standards that must be met, and clear definitions around what is in bounds (tools, datasets, dev environments, testing requirements, etc.). 

Having identity and data governance in place before this is essential to move quickly and safely. 

Vishwa: For Cybersecurity Awareness Month, what message would you emphasize to businesses and service providers about maintaining trust and resilience in an AI-driven era?

Robb: Trust is earned through transparency and resilience. In an AI-driven era, that means knowing how your tools work, where your data goes, and how you’ll recover when things go wrong. 

It starts with ensuring that both the MSP and their customers have basic cyber hygiene in place. Those basics will allow both companies to lean into new technologies while managing their risk, and take advantage of the momentum that AI is going to provide for early movers. 

Evolving from the "tech guy" to a strategic advisor that leaders call when they need advice is where technology providers want to be.

