Corsica Technologies (https://corsicatech.com/) – Unmetered Technology Services. One Predictable Price. Feed last built Tue, 10 Mar 2026 19:49:28 +0000.

What the AI Security & Exposure Benchmark 2026 Reveals About Your Risk 💡
Published Thu, 12 Mar 2026 14:20:00 +0000
https://corsicatech.com/blog/what-the-ai-security-exposure-benchmark-2026-reveals-about-your-risk-%f0%9f%92%a1/

AI is now embedded in the vast majority of enterprises.  

That’s not a projection. That’s today’s reality. 

But universal AI adoption hasn’t been matched with universal control. 

The same benchmark that confirms AI’s rapid integration across enterprise environments also reveals a more sobering truth: most organizations are securing AI with tools, processes, and governance models that were never designed for it. 

The AI Security & Exposure Benchmark 2026, based on a survey of 300 U.S. CISOs at organizations with 3,000+ employees, cuts through the hype to show where enterprise AI security actually stands. It also shows where risk is accumulating the fastest. 

From our work with midmarket and enterprise organizations, these findings aren’t surprising. What is new is the scale. AI now sits at the intersection of data, identity, APIs, and cloud infrastructure, often without the visibility, ownership, or validation traditionally applied to those layers. 

Here’s what the data says, and what it means for security leaders navigating this new reality. 

Key takeaways: 

  • 67% of CISOs have limited visibility into their AI ecosystem, and even those with “good” visibility expect Shadow AI to exist. 
  • 75% of enterprises rely on legacy security tools (endpoint, cloud, API security) to protect AI systems, rather than purpose-built AI security tooling. 
  • 50% of CISOs cite lack of internal expertise as their #1 barrier to securing AI, above budget concerns. 
  • At least 75% of enterprises experienced a cyberattack in the past 24 months. 
  • 70% of CISOs plan to increase penetration testing budgets in 2026. 

AI is everywhere. Visibility is not. 

Every CISO surveyed reports some level of AI adoption. But adoption and oversight are not the same thing. 

67% of CISOs say they have limited visibility into where and how AI operates across their environment. The remaining 33% report “good” visibility yet still acknowledge Shadow AI is likely present. Not a single CISO reported full visibility with zero Shadow AI. 

In practice, this means AI systems are being deployed faster than security teams can inventory, govern, or test them. Business units embed AI into workflows, connect models to sensitive data, and automate decisions, often without formal approval or centralized oversight. 

This is the essence of Shadow AI: AI used inside an organization without formal governance from IT, security, legal, or leadership. And according to this benchmark, it’s no longer an edge case. It’s the norm. 

The risk isn’t theoretical. When AI systems have access to sensitive data, identity systems, APIs, and cloud infrastructure, without clear governance, enforced ownership, and continuous validation, the blast radius of an undetected compromise becomes exponential. 

You can’t protect what you can’t see. And with AI, unseen exposure compounds quickly. 

Legacy tools are carrying the load. That’s a strategic problem. 

When asked how they’re securing AI, most enterprises report relying on the tools they already have. 

75% of CISOs say they use existing non-AI-specific tools (endpoint security, cloud security, application security, API security) to cover their AI ecosystem. Only 11% use security tools purpose-built for AI systems. 

This mirrors a familiar pattern. Early in cloud adoption, organizations attempted to extend on-premises controls into cloud environments. That approach worked—until it didn’t. The attack surface was fundamentally different, and purpose-built controls eventually became unavoidable. 

AI is following the same trajectory. 

The challenge isn’t just technical. Relying on legacy controls to secure AI is also a governance failure. Traditional tools weren’t designed to answer foundational questions like: 

  • Who owns an AI system end-to-end? 
  • What data and identities does it have access to? 
  • How is its behavior validated over time? 

The good news: 64% of CISOs are actively evaluating dedicated AI security tools. The transition is underway. But until governance and validation catch up, organizations are carrying real, measurable risk. 

The real barrier isn’t budget; it’s expertise.

When CISOs were asked to identify their biggest obstacles to securing AI, the results were telling: 

  • 50% cited lack of internal expertise. 
  • 48% cited limited visibility into AI usage. 
  • 36% cited lack of dedicated AI security tools. 
  • 30% cited unclear testing methodologies. 
  • Only 17% cited budget constraints. 

Budget isn’t the bottleneck. Capability is. 

Organizations are struggling to assess AI risk, define ownership, implement appropriate controls, and validate AI security in a consistent way. This aligns with broader industry research: the 2025 ISC² Cybersecurity Workforce Study identified AI as the most in-demand skill among security professionals, cited by 41% of respondents. 

In this environment, the question isn’t whether organizations should build AI security expertise. It’s whether they can afford to wait while attackers move faster than internal capability development. 

Fragmented ownership creates predictable gaps 

Another finding should give security leaders pause: 56% of enterprises say AI security is owned across multiple teams as a shared responsibility. 

Shared responsibility sounds reasonable in theory. In practice, it often means no single team has end-to-end accountability. 

AI security spans identity, data, applications, APIs, and cloud infrastructure. When ownership is fragmented across security, IT, and application teams, without clear authority, gaps are inevitable. 

Only 20% of enterprises place AI security fully within the security team. Another 16% assign it to IT or infrastructure. Just 6% rely on third-party providers. 

Without clear ownership, consistent governance and effective response become nearly impossible. 

Breaches are common, even with expanding security stacks 

Here’s the number that should stop executives in their tracks: 

At least 75% of U.S. enterprises experienced an attacker inside their environment in the past 24 months. 

These organizations aren’t under-resourced. On average, they spend $2.48 million annually on cybersecurity. Yet breaches remain common. 

More tools don’t automatically mean better security. In fact, complexity often works against teams, introducing more alerts, more integrations, and less time for meaningful investigation. 

What does correlate with confidence? Validation. 

Organizations that conduct quarterly penetration testing report significantly higher confidence in their AI security posture than those testing annually. Testing doesn’t just find vulnerabilities; it replaces assumptions with evidence. 

Penetration testing is expanding, and AI is driving it 

Security leaders are responding accordingly. 

70% of CISOs plan to increase penetration testing budgets in 2026. AI-driven risk is a major factor. More than half of enterprises already include AI-specific scenarios in their offensive security programs, such as: 

  • AI-generated phishing and impersonation attacks 
  • Prompt injection and LLM manipulation 
  • Abuse of over-permissioned AI identities and services 
  • Unauthorized use of public or third-party AI tools 

CISOs aren’t waiting for perfect frameworks. They’re validating exposure in real time, because attackers already are. 

What CISOs can do right now 

Based on the benchmark and our experience, five actions matter most: 

  1. Get visibility before you get tools.
    You can’t govern what you can’t see. Start with a comprehensive inventory of AI systems, sanctioned and unsanctioned, and map what they can access across data, identity, APIs, and cloud infrastructure. 
  2. Establish clear ownership. 
    Shared responsibility without accountability is a liability. Assign AI security ownership with the authority to enforce controls and drive remediation. 
  3. Implement AI governance as your security control plane. 
    Governance isn’t bureaucracy. It defines data boundaries, permissions, approved use cases, and acceptable risk, before AI scales across the organization. 
  4. Test your AI attack surface.
    Assumptions don’t hold up against AI-enabled attacks. Incorporate AI-specific scenarios into penetration testing to understand what’s actually exploitable. 
  5. Close the skills gap with the right partner.
    If internal expertise isn’t there yet, waiting isn’t a strategy. The threat landscape won’t slow down. 

The bottom line 

AI adoption is no longer optional. But unsecured AI is an open invitation. 

The AI Security & Exposure Benchmark 2026 makes one thing clear: visibility is limited, ownership is fragmented, and legacy tools are stretched beyond their design. Most enterprises have already felt the impact. 

The organizations that succeed with AI won’t be the ones with the most tools. They’ll be the ones with clear ownership, enforced governance, and continuously validated defenses. 

Those organizations won’t just be more secure. They’ll be more confident. And better positioned to unlock everything AI has to offer. 

Ross Filipek is Corsica Technologies’ CISO. He has more than 20 years’ experience in the managed cyber security services industry as both an engineer and a consultant. In addition to leading Corsica’s efforts to manage cyber risk, he provides vCISO consulting services for many of Corsica’s clients. Ross has achieved recognition as a Cisco Certified Internetwork Expert (CCIE #18994; Security track) and an ISC2 Certified Information Systems Security Professional (CISSP). He has also earned an MBA degree from the University of Notre Dame.

CMMC Compliance Consulting: Finding the Right Partner
Published Tue, 10 Mar 2026 14:20:00 +0000
https://corsicatech.com/blog/cmmc-compliance-consulting/

CMMC compliance is now essential for all Department of Defense contractors that will be working with Federal Contract Information (FCI) and/or Controlled Unclassified Information (CUI). Whether they’re bidding on new contracts or renewing old ones, contractors must prove compliance to be considered.

Many contractors lack the expertise on staff to understand compliance requirements and implement them—let alone maintain compliance over the long haul. CMMC compliance consultancies, like Corsica Technologies, help bridge this gap with deep expertise and proven processes for assessments, remediation, and continual compliance.

But what does a CMMC consultant do?

How do you find the right consultancy for your organization?

We’ve got all the answers below.

Key takeaways:

  • A CMMC compliance consultant is a specialist who helps organizations achieve compliance with the CMMC.
  • A CMMC compliance consultant helps with gap assessments, remediation plans, and implementation of required controls.
  • A CMMC compliance consultant also helps organizations maintain continuous compliance.
  • CMMC compliance consulting typically costs $200 – $400 per hour.

What is a CMMC compliance consultant?

A CMMC compliance consultant is a specialist who helps organizations prepare for, achieve, and maintain compliance with the Cybersecurity Maturity Model Certification (CMMC). This certification is required for companies that contract with the US Department of Defense and work with FCI and/or CUI.

What has changed for CMMC in 2026?

The CMMC Final Rule took effect on November 10, 2025. This means that Department of Defense procurement officers can now include binding CMMC requirements in new contracts. Note that there is no grandfathering or renewing of contracts that previously did not require compliance. All contractors must achieve compliance to renew existing contracts or bid on new ones.

Contractors pursuing Level 2 compliance can self-assess and report their score in the SPRS Portal until roughly November 9, 2026. After that date, Defense procurement officers can require that contractors have passed an audit led by a C3PAO (CMMC Third Party Assessor Organization). This means Level 2 self-assessments will no longer be sufficient to bid on such contracts.

For all DoD contractors, 2026 is a critical year to complete two objectives:

  • Achieve CMMC compliance at the Level required by your relationship with DoD
  • Establish processes, controls, and resources to maintain compliance on a continual basis

CMMC consulting is essential to achieving both objectives.

What does a CMMC compliance consulting company do?

A CMMC compliance consultant translates CMMC requirements into practical actions that facilitate compliance for a specific organization. Common responsibilities include:

  • Readiness and gap assessments. A CMMC consultant compares an organization’s current systems, controls, and practices against CMMC and NIST SP 800-171 requirements, identifying gaps and risks against the standards of the framework.
  • Remediation planning. A CMMC compliance consultant creates the client’s POA&M (Plan of Action and Milestones). This is a formal document that prioritizes fixes, assigns owners, and tracks progress toward compliance.
  • Development of documentation. A CMMC compliance consultant drafts and refines documentation related to compliance, including the client’s SSP (System Security Plan), a required document that outlines how the client implements and maintains NIST SP 800-171 cybersecurity controls to safeguard CUI.
  • Preparation for assessment. A CMMC consultant helps prepare the client’s stakeholders and systems for audits performed by a C3PAO (CMMC Third Party Assessment Organization).

How is a CMMC consultant different from a C3PAO?

CMMC consultants and C3PAOs (CMMC Third Party Assessment Organizations) perform very different functions in an organization’s compliance journey. In a nutshell:

  • A CMMC consultant helps your organization prepare for your audit.
  • A C3PAO officially audits and certifies your organization.

The separation of these roles is mandated, as it helps avoid conflicts of interest.

Here’s a chart that breaks it down further.

Aspect                | CMMC Consultant            | C3PAO
----------------------|----------------------------|-------------------------------
Primary role          | Preparation and readiness  | Validation and certification
Timing                | Before assessment          | At certification
Can fix gaps          | ✅ Yes                     | ❌ No
Can give advice       | ✅ Yes (pre-audit only)    | ❌ Prohibited
Issues certification  | ❌ No                      | ✅ Yes
Required independence | No                         | Yes (mandatory)

Can a CMMC consultant perform our final certification audit as well as prepare us for the audit?

No. A CMMC consultant can only prepare you for your audit. They cannot also perform the final CMMC certification audit for the same organization. Doing so is explicitly prohibited under CMMC conflict-of-interest rules.

CMMC requires a strict separation of duties between:

  • Preparation (consulting and readiness)
  • Validation (certification assessment)

This rule exists to ensure assessments remain independent, objective, and credible. An organization cannot audit its own work, directly or indirectly.

What is the hourly rate for a CMMC consultant?

CMMC consultants typically charge $200 – $400 per hour. The exact figure usually depends on the consultancy’s experience and expertise as well as the Level of compliance that the client must achieve.

Here are the factors that can influence the hourly rate:

  • CMMC Level (Level 1 vs. Level 2) and alignment to NIST 800‑171 requirements
  • Scope and complexity (number of systems, users, and CUI handling)
  • Role type (gap analysis, remediation, SSP/POA&M writing, vCISO, assessment coaching)
  • Credentials and experience, especially prior assessor or C3PAO-adjacent experience
  • Engagement model (hourly vs. fixed‑fee projects or ongoing retainers)

What is the typical cost to achieve Level 1 vs. Level 2 vs. Level 3 CMMC compliance?

The Department of Defense included estimated costs for each Level when the proposed CMMC 2.0 rule was published in the Federal Register on December 26, 2023. Note that these estimated costs cover only assessment, certification, and affirmation—not the implementation of cybersecurity controls. The cost of implementing required controls will depend on the results of a company’s gap assessment.

That said, here are the estimates that the Department of Defense provided in 2023, as reported in DefenseScoop.

CMMC Level                           | DoD Estimated Cost (Assessment/Affirmation Only)
-------------------------------------|-------------------------------------------------
Level 1 (Self-assessment)            | $4,000–$6,000 annually
Level 2 (Self-assessment, triennial) | $37,000–$49,000
Level 2 (C3PAO certification)        | $105,000–$118,000 (3-year cycle)
Level 3                              | Level 2 costs + ~$41,000

The takeaway: Get the CMMC consulting you need

CMMC is a complex undertaking, and most DoD contractors don’t have the resources on staff to achieve and maintain compliance. Here at Corsica Technologies, we’ve helped 1,000+ clients solve their problems with technology. Our cybersecurity specialists maintain deep expertise in CMMC compliance. Contact us today, and let’s get started on your CMMC compliance journey.

Beyond the Hype: How Corsica Technologies is Redefining Managed Services with AI and Strategic Partnership
Published Thu, 05 Mar 2026 15:20:00 +0000
https://corsicatech.com/blog/how-corsica-technologies-is-redefining-managed-services-with-ai-and-strategic-partnership/

In a market saturated with managed service providers, what does it take to achieve 105% year-over-year growth in managed services bookings? According to our CEO, Brian Harmison, it’s not about chasing trends—it’s about fundamentally redefining the role of a technology partner. 

In a recent interview on the “Business of Tech” podcast, Brian sat down with host Dave Sobel to discuss the strategic vision that’s driving Corsica’s success. The conversation went beyond the typical talking points, offering a clear roadmap for how businesses can leverage technology not just for maintenance, but for true strategic advantage. 

Here’s a look at the key insights from their discussion and what it means for the future of managed services. 

Key takeaways: 

  • The future of MSPs lies in becoming strategic partners who solve core business problems, not just IT tickets.
  • The “co-managed” services model offers a collaborative way to enhance, not replace, your existing IT department. 
  • Operational excellence is the essential foundation for any successful AI and automation strategy. 
  • True market differentiation is built on a foundation of deep trust and a commitment to enabling business outcomes. 

The Shift from MSP to Strategic Partner 

For many, the term “managed services” brings to mind basic IT support—help desks, network monitoring, and break-fix solutions. At Corsica Technologies, we see that as the starting point, not the destination. As Brian explained in the interview, our approach is to act as a holistic technology partner, with a heavy focus on data integration, automation, and AI. 

“We’re not just here to manage your technology,” Brian noted. “We’re here to help you leverage it to solve your core business challenges and drive growth.” 

This means going beyond the surface level to understand our clients’ operations, goals, and pain points. It’s a shift from reactive problem-solving to proactive, strategic enablement. 

Introducing the “Co-Managed” Model: A Collaborative Approach 

One of the most significant differentiators Brian discussed is our “co-managed” services model. Unlike traditional outsourcing that often aims to replace a company’s internal IT team, the co-managed model is built on partnership. 

We work alongside a client’s existing IT department, providing specialized skills in areas like cybersecurity, data integration, and AI-driven automation. This creates a collaborative relationship that enhances the capabilities of the internal team, filling critical skill gaps without creating a competitive dynamic. 

This approach allows businesses to retain their institutional knowledge while gaining access to a deep bench of specialized expertise—a powerful combination for innovation and resilience. 

Operational Excellence: The Bedrock of Innovation 

In an era of AI hype, it’s easy to get caught up in the buzz. However, as Brian emphasized, technology is a tool, not a magic wand. The prerequisite for successfully implementing automation and AI is operational excellence. 

“You can’t automate a mess,” Brian stated. “We focus on helping our clients define and refine their processes first. Only then can we effectively apply automation and AI to enhance efficiency and unlock new capabilities.” 

This commitment to a strong foundation is why our recent acquisition of AccountabilIT was so successful. Their deep expertise in Microsoft security and AI, combined with a shared operational model, has allowed us to accelerate our ability to deliver on this promise. 

Building Trust: The Real Differentiator 

Ultimately, Brian believes that our success and differentiation in the market come down to one thing: trust. By focusing on building deep, long-term relationships and acting as a true strategic enabler for our clients, we create a partnership that transcends the typical vendor-client dynamic. 

When your technology partner is invested in your business outcomes, growth becomes a natural byproduct of that shared success. The future of managed services isn’t about simply managing infrastructure; it’s about providing the strategic guidance, technical expertise, and operational support that empower businesses to thrive in a complex digital landscape. 

Ready to partner with a technology enabler that goes beyond traditional IT? Contact us today to learn how we can help you achieve your business goals. 

With over a decade of experience in IT, Garrett Wiesenberg brings deep technical expertise and a strong commitment to strategic problem-solving. For the past four years, he has focused on architecting and delivering advanced solutions for managed clients, consistently aligning technology with business outcomes. Garrett’s career has spanned a variety of roles—from service desk technician to senior network engineer—and now, as Vice President of Solution Consulting, he leads with a hands-on, business-focused approach. He holds several industry-recognized certifications, including CCNA Route & Switch, CCNA Security, CCNA Wireless, MCSA: Server 2012 R2, MCSA: O365 Administration, NSE 1–3, and CMNA.

Integrating Microsoft D4IoT with SOC Tools and Operations
Published Tue, 03 Mar 2026 15:20:00 +0000
https://corsicatech.com/blog/microsoft-defender-for-iot-integration-sentinel-soc/

Microsoft Defender for IoT is one of the most powerful tools on the market for securing OT environments. It provides passive, agentless monitoring, which is critical for systems that can’t run traditional security agents.

You can integrate Defender for IoT (D4IoT) with Microsoft Sentinel, the industry-leading cloud-native SIEM (security information and event management) platform. This gives you a single, converged view of OT and IT security in real time.

But how do you actually integrate Sentinel and D4IoT?

How should you configure your integration to provide maximum visibility without false positives?

Can you reduce alert fatigue coming from D4IoT?

These are great questions. We’ve got all the answers below.

Key takeaways:

  • Within Microsoft Sentinel, you can integrate D4IoT in a few minutes under Configuration → Data connectors.
  • D4IoT does not collect sensitive data related to production or processes. It collects only metadata from networks and devices.
  • You can easily configure Sentinel playbooks to run from specific types of D4IoT alerts.
  • You can reduce D4IoT alert fatigue through built-in aggregation functionality, Microsoft’s prebuilt packages, custom automation rules, and many other techniques.

What prerequisites are required to integrate D4IoT with Sentinel?

Before you integrate D4IoT with Sentinel, you should have several prerequisites in place. Here’s what you’ll need before starting.

  • Read/Write permissions in your Microsoft Sentinel workspace
  • Contributor or Owner permissions on the subscription that you’re connecting
  • An active D4IoT plan with data streaming enabled

Once you’ve satisfied these prerequisites, you can start the process of integrating D4IoT with Sentinel.

How do I integrate Microsoft Defender for IoT with Microsoft Sentinel for SIEM?

Enabling the D4IoT data connector in Sentinel is straightforward. Here’s what the process looks like in detail.

  1. Go to Microsoft Sentinel → Configuration → Data connectors.
  2. Search for “Microsoft Defender for IoT.”
  3. Click “Open connector page.”
  4. Under Configuration, click “Connect” for each subscription for which you want to ingest alerts.

It may take some time for the subscription status to update. After this, Sentinel will receive automatic alerts from D4IoT.

What data is collected from OT devices and sent to the cloud/SIEM?

Defender for IoT collects device and network metadata, not production or process values. The collected information includes:

  • Network connection metadata (e.g., IP addresses and ports).
  • Device identification details (e.g., device identifiers, device names, operating system versions, and firmware versions).
  • OT network communications (e.g., communication patterns, protocol types, behaviors).
  • Alert and sensor data, which are retained for 90 days.

There are many types of data that D4IoT does not collect—for example, operational and process-level industrial data. D4IoT is designed as a network-level, agentless security monitor. It focuses on network traffic monitoring and anomaly detection. This means it does not collect data like:

  • PLC logic or ladder diagrams
  • Setpoints
  • Sensor/actuator process values (temperature, pressure, flow, etc.)
  • Production recipes
  • Proprietary or sensitive manufacturing parameters
  • Any industrial intellectual property or operational “process data”

How do I configure D4IoT to trigger playbooks in Sentinel?

Triggering automated Sentinel playbooks from D4IoT alerts is straightforward. Here’s the process you should use.

  1. Make sure Defender for IoT alerts are flowing into Sentinel. If they aren’t, use the process outlined above (“How do I integrate Microsoft Defender for IoT with Microsoft Sentinel?”) to connect the two solutions.
  2. Create a playbook in Sentinel. Navigate to Automation → Create Playbook. You can configure actions like sending Teams notifications, opening tickets, blocking IPs, isolating endpoints, and triggering OT response actions. Once you’ve designed your workflow, save the playbook.
  3. Create an automation rule in Sentinel. Navigate to Automation → Create → Automation rule. Configure the rule conditions appropriately for the problem you’re trying to solve. Add an action for “Run playbook” and select the playbook you just created. Save the automation rule.
  4. Validate the new workflow. Once you’ve configured everything, trigger a test Defender for IoT alert. Confirm that Sentinel creates an incident—and that the automation rule fires. Also confirm that the playbook actions are executed as expected.

How can we reduce ‘alert fatigue’ from D4IoT alerts in our SOC dashboard?

Alert fatigue is a real problem for SOC teams. Here at Corsica Technologies, our in-house SOC team handles thousands of alerts every day on behalf of clients. With so many environments under management, we’ve developed a robust approach to reducing alert fatigue and ensuring that our analysts can focus on what matters.

Here’s what that looks like for D4IoT alerts integrated with Sentinel.

  1. Use D4IoT’s built-in alert aggregation. D4IoT already performs automatic alert deduplication. This function covers alerts from multiple sensors within the same zone, alerts within a 10-minute window, and alerts with the same type, protocol, status, and devices. D4IoT intelligently merges these signals into a single, unified alert.
  2. Deploy Microsoft’s D4IoT package for Sentinel. This content package includes pre-tuned analytics rules, OT-specific workbooks, and SOAR playbooks. The package can reduce alert fatigue by applying OT-aware filtering.
  3. Use Microsoft Sentinel AI. In particular, Microsoft’s Fusion AI automatically correlates multiple raw events into fewer, high-quality incidents. This helps eliminate false positives, correlate multi-stage OT attack chains, and properly identify precursor behaviors that haven’t yet turned into full-blown incidents.
  4. Enable Microsoft Sentinel entity behavior analytics. Microsoft Sentinel integrates with Microsoft Defender for IoT to provide User and Entity Behavior Analytics (UEBA) for IT/OT/IoT devices, using machine learning to detect anomalies such as unusual network protocols or unauthorized access. It offers a dedicated IoT device entity page for investigation, displaying device context, risk, and behavioral baselines.
  5. Analyze historical data for common false positives. Export all alerts over a given time period and identify recurring patterns of false positives. Consider adjusting alert severity to account for these patterns—especially if they actually represent routine OT traffic phenomena.
  6. Use automation rules to auto-close or reassign alerts. You can create an automation rule in Sentinel to take certain low-risk D4IoT alert types and choose an action other than escalation. Common approaches include auto-closing the incident, reassigning it to the OT team, or running an enrichment playbook to gather more information.
  7. Consider using workbooks rather than monitoring raw alert feeds. D4IoT comes with out-of-the-box workbooks that visualize high-risk OT alerts and map them to the MITRE ATT&CK framework for ICS. Focusing on these workbooks rather than raw alert feeds can help your SOC team prioritize the most important information coming out of D4IoT.
  8. Train SOC analysts to use D4IoT’s context, MITRE mappings, and PCAP downloads. SOC analysts usually aren’t OT experts, which makes it difficult for them to interpret OT alerts. Proper training helps SOC analysts understand which OT alerts truly matter.
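To make the aggregation logic in step 1 and the false-positive review in step 5 concrete, here is an added Python example. It is not Corsica’s or Microsoft’s code and not D4IoT’s actual aggregation engine: it merges constructed sample alerts that share zone, type, protocol, status and device set within a 10-minute window, regardless of which sensor raised them, and then counts which merged alert patterns recur so they can be reviewed for severity tuning. The alert fields, the choice to anchor the window at the first alert of a group, and all sample values are assumptions made for the demonstration.

```python
"""Added example: merge near-duplicate OT alerts and surface recurring patterns.

Illustrative code, not D4IoT's actual aggregation engine. The alert fields and
the sample alerts below are constructed for the demonstration.
"""
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class OtAlert:
    """One raw alert from a single sensor (constructed shape, not a D4IoT schema)."""
    alert_id: str
    time: datetime
    zone: str
    sensor: str
    alert_type: str
    protocol: str
    status: str
    devices: frozenset  # identifiers of the devices involved in the alert


@dataclass
class MergedAlert:
    """One unified alert produced from several raw alerts."""
    first_seen: datetime
    last_seen: datetime
    zone: str
    alert_type: str
    protocol: str
    status: str
    devices: frozenset
    sensors: set = field(default_factory=set)
    source_ids: list = field(default_factory=list)


WINDOW = timedelta(minutes=10)


def aggregate(alerts):
    """Merge alerts that share zone, type, protocol, status and device set and
    fall within a 10-minute window. Assumption: the window is anchored at the
    first alert of a group; an alert outside it opens a new merged alert.
    Alerts from different sensors in the same zone are merged together."""
    open_groups = {}  # group key -> the MergedAlert still accepting members
    merged = []
    for a in sorted(alerts, key=lambda x: x.time):
        key = (a.zone, a.alert_type, a.protocol, a.status, a.devices)
        group = open_groups.get(key)
        if group is not None and a.time - group.first_seen <= WINDOW:
            group.last_seen = max(group.last_seen, a.time)
            group.sensors.add(a.sensor)
            group.source_ids.append(a.alert_id)
        else:
            group = MergedAlert(a.time, a.time, a.zone, a.alert_type, a.protocol,
                                a.status, a.devices, {a.sensor}, [a.alert_id])
            open_groups[key] = group
            merged.append(group)
    return merged


def recurring_patterns(merged, min_count=3):
    """Count merged alerts per (zone, type, protocol). Patterns that keep
    recurring are candidates for a false-positive review and severity tuning."""
    counts = Counter((g.zone, g.alert_type, g.protocol) for g in merged)
    return {k: v for k, v in counts.items() if v >= min_count}


# Constructed sample alerts (not real data).
T0 = datetime(2026, 3, 10, 8, 0, 0)
PLC_PAIR = frozenset({"10.0.1.5", "10.0.1.20"})
SAMPLE_ALERTS = [
    OtAlert("a1", T0, "zone-a", "sensor-1", "Unauthorized PLC write", "Modbus", "New", PLC_PAIR),
    OtAlert("a2", T0 + timedelta(minutes=2), "zone-a", "sensor-2", "Unauthorized PLC write", "Modbus", "New", PLC_PAIR),
    OtAlert("a3", T0 + timedelta(minutes=9), "zone-a", "sensor-1", "Unauthorized PLC write", "Modbus", "New", PLC_PAIR),
    # 15 minutes after a1: outside the window, so it starts a new merged alert
    OtAlert("a4", T0 + timedelta(minutes=15), "zone-a", "sensor-1", "Unauthorized PLC write", "Modbus", "New", PLC_PAIR),
    # same devices and type but a different zone: not merged with a1..a3
    OtAlert("a5", T0 + timedelta(minutes=3), "zone-b", "sensor-3", "Unauthorized PLC write", "Modbus", "New", PLC_PAIR),
    OtAlert("a6", T0 + timedelta(minutes=4), "zone-a", "sensor-1", "New device detected", "DNP3", "New", frozenset({"10.0.2.7"})),
]


if __name__ == "__main__":
    groups = aggregate(SAMPLE_ALERTS)
    print(f"{len(SAMPLE_ALERTS)} raw alerts -> {len(groups)} merged alerts")
    for g in groups:
        print(g.alert_type, g.zone, g.protocol, sorted(g.sensors), g.source_ids)
    print("recurring:", recurring_patterns(groups, min_count=2))
```

Run directly, the six constructed alerts collapse to four merged alerts, and the “Unauthorized PLC write” pattern in zone-a is reported as recurring. In a real review the same two functions would run over alerts exported from Sentinel for a period rather than over in-memory samples.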

The takeaway: Integrate D4IoT with your SOC for robust OT security ops

Microsoft Defender for IoT becomes even more powerful when you integrate it with Microsoft Sentinel. The key is to configure D4IoT and Sentinel correctly in the context of your unique operational processes—and to train your SOC analysts to understand OT alerts and response procedures. If you need help with OT security, talk to us. Corsica Technologies is a long-standing, proven Microsoft Solutions Partner for Security with specializations in Cloud Security, Identity and Access Management, and Threat Protection, and a member of the Microsoft Intelligent Security Association (MISA). We’ve helped 1,000+ customers solve their toughest problems with technology. Contact us today, and let’s secure your OT environment.

John is Senior Director of Technology at Corsica Technologies. Awarded Microsoft MVP for 18 years (2007-2026), he is currently dual-awarded in Azure Management and Cloud Security. He is a certified Azure Solutions Architect Expert and Microsoft Cybersecurity Architect Expert. John co-authored the four books in the industry-standard reference series, System Center Operations Manager: Unleashed (Sams publishing). His most recent book ‘Azure Arc-Enabled Kubernetes and Servers’ was published by Apress. Specialties include Microsoft Sentinel/Defender XDR, Security Copilot, Defender for Cloud, Defender for IoT, Azure Monitor, and Azure Arc. He is a retired U.S. Navy Lt. Commander who served as Chief of Network Operations for NATO southern region and national Network Security Officer for the Navy Bureau of Personnel.

Beyond the Buzzword: What Relationship Management Really Means for Orchestrating Your Supply Chain
https://corsicatech.com/blog/supply-chain-orchestration-cleo-integration-cloud/
Thu, 26 Feb 2026 15:20:00 +0000

In today’s interconnected world, the term “relationship management” is often tossed around, but what does it truly mean in the complex landscape of digital supply chains? It’s more than just contracts and KPIs; it’s about trust, ownership, and the art of keeping promises.  It’s about orchestration, decisioning, and ultimately, value creation.   

In other words, it’s about making relationships stronger.   

To delve into this critical topic, I was joined by Frank Kenney, who leads market strategy and industry solutions at Cleo, on a recent episode of Corsica’s podcast, Unraveling IT: Expert Tech Talks.

Frank has seen firsthand how a strategic approach to relationship management can revolutionize not just supply chains, but entire business models. In our conversation, we explored how effective partnerships streamline operations, drive growth, and build resilience in today’s digital-first world.

Key Takeaways: 

  • Effective relationship management in the supply chain requires clear expectations and mutual trust, moving beyond punitive measures like chargebacks. 
  • True value in partnerships arises when technology enables customized, process-driven solutions that align with the business’s unique needs. 
  • Through its supply chain orchestration capabilities, Cleo Integration Cloud (CIC) empowers businesses to gain deep visibility into their operations by tracking volume, value, disposition, and time, turning data into a strategic asset. 
  • By leveraging a system of record outside of the ERP, companies can effectively challenge and fight unwarranted chargebacks, protecting their bottom line. 
  • As AI becomes more prevalent, robust governance will be critical to protect intellectual property and prevent the reverse-engineering of a company’s “secret sauce”—its supply chain. 

Redefining Relationship Management: It’s All About Expectations 

At its core, any relationship—whether between individuals or companies—is built on a set of expectations. In the world of IT and supply chains, these expectations are concrete and measurable. As Frank explains, it’s about meeting the agreed-upon standards that keep businesses running smoothly. 

“Every relationship is based on a set of expectations… In a nutshell, when we talk about relationship management, we talk about the collection of those expectations and ensuring that you meet the collection of those expectations.” 

Historically, failure to meet these expectations has often resulted in punitive measures like chargebacks. While these still exist, the conversation is shifting. A modern approach to relationship management views compliance not as a weapon, but as a source of valuable data. It’s not about good or bad; it’s about understanding the reality of your supply chain in real time so you can build predictable, consistent, and dependable systems. 

From Linear Chains to Dynamic Networks: The Role of Technology 

Supply chains no longer reflect the linear, one-to-one relationships of the past. Today, supply chains are dynamic, interconnected networks, replete with data and ripe for orchestration technology. This is where technology plays a crucial role—especially the Cleo Integration Cloud (CIC). Unlike legacy systems that focus on simple data transformation, CIC is built around business process automation. The solution moves beyond the friction of siloed systems into the fluidity of real-time decisioning.

As Frank puts it, this process-oriented approach is what gives the company’s customers their unique differentiation against the competition: 

“With Cleo Integration Cloud, the engine at the heart is all about supply chain orchestration by way of business process automation. That’s a little different from some of the legacy technologies that are out there… and that’s the process. That’s what Cleo captures. And it’s the process that gives companies their differentiation.” 

This flexibility allows a partner like Corsica to ask deeper questions and build customized solutions. It’s not just about mapping fields in an EDI document; it’s about understanding the entire business process and building in exceptions, integrations, and workflows that create true value. Two companies can use the exact same tool and, with the right partner, achieve completely different outcomes tailored to their specific business needs. 

The Four Pillars of Insight: Volume, Value, Disposition, and Time 

The Cleo platform provides unprecedented visibility into the health and performance of your supply chain by tracking four key pillars: 

  • Volume: How many transactions are you processing?
  • Value: What is the monetary worth of those transactions? 
  • Disposition: Did the process execute successfully? 
  • Time: How long did it take for the process to complete? 

This data is a goldmine for proactive management and supply chain orchestration. A sales manager can see if order values are tracking as expected. An operations team can get ahead of potential delays before they become critical issues. And, crucially, the finance team has an independent system of record to validate and challenge chargebacks. 

The Secret Weapon Against Unjust Chargebacks 

One of the most powerful use cases for the Cleo platform has been arming suppliers with the data they need to fight back against erroneous chargebacks. For too long, suppliers have been at the mercy of their customers’ systems, with no independent way to verify claims. 

Frank shared a powerful analogy: 

“The fun part about chargebacks that we’ve seen is that most companies are told that they have chargebacks. They have no way of proving that they didn’t have them… Here is an absolute independent system that we can rely on. We can fight those things.” 

This shifts the power dynamic, allowing suppliers to protect their margins and ensure they are not being unfairly penalized. It’s not just an IT tool; it’s a financial safeguard. 

The Future is Here: AI and the Governance Imperative 

No conversation about the future of technology is complete without discussing AI. While AI offers incredible potential for increased efficiency and automation in how supply chain orchestration occurs, it also introduces new risks. As AI agents become more common in procurement and supply chain management, for instance, the need for strong governance becomes paramount. 

Frank offers a word of caution: 

“I think the conversation… is AI and governance. How do we achieve that? The genie is already out of the bottle… How do I stop these agents from my bona fide buyers from doing too much? How do I stop giving them too much? Because I don’t want my secret sauce to accidentally slip out.” 

Your supply chain—how you source, build, and deliver your products—is your “secret sauce.” Without proper governance, you risk exposing this intellectual property to partners and, potentially, competitors. The same data governance principles that apply to human access must be extended to AI agents to protect your competitive advantage.  Orchestration strategies from Corsica and Cleo help you achieve both.  

Building Partnerships That Last 

Ultimately, effective relationship management entails more than just technology. It’s about orchestrating all the elements of your dynamic supply chain and building partnerships based on trust, transparency, and a shared commitment to success. The right technology, like the Cleo Integration Cloud, provides the foundation for these partnerships to flourish, turning data into insight and insight into value. 

If you’re ready to move beyond the buzzwords and build a more resilient, innovative, and profitable supply chain, let’s talk. Corsica Technologies, in partnership with Cleo, has the expertise and the tools to help you unlock the full potential of your business relationships. 

Peter is Corsica Technologies’ COO, with over 20 years of technology experience and a broad range of general industry and business knowledge. Before joining Corsica, he held leadership positions at industry-leading organizations, most recently at OpenText. His expertise in diverse fields such as data integration, EDI, managed services, and professional services empowers him to make informed recommendations in numerous use cases. He has a strong passion for leading and building dynamic, energetic teams to design and deliver technology solutions with a focus on maximizing revenue and building long-term customer relationships.

Shadow AI: Mitigating Risks without Stopping Innovation
https://corsicatech.com/blog/shadow-ai-risks-technical-debt/
Tue, 24 Feb 2026 15:20:00 +0000

AI offers powerful business outcomes when it’s implemented properly. But not every company has an AI strategy. Many organizations have no control of AI usage among their staff. Teams who are eager to innovate may use—or even build—AI solutions outside the management and oversight of IT.

When this happens, you’ve got shadow AI on your hands.

So do you have it?

How would you know?

What can you do about it?

We’ve got all the answers in this article.

Key takeaways:

  • Shadow AI is the usage of AI inside an organization without official oversight or control.
  • Shadow AI increases the risk of technical debt, data security issues, and failing regulatory compliance.
  • You can address shadow AI by auditing all business functions currently relying on AI tools, then mapping those functions to capabilities in a secure, compliant tool like Microsoft Copilot.
  • Throughout the process of replacing shadow AI tools, it’s important to communicate to your team that you value innovation—you just need to secure your data and centralize your AI practice.

What is shadow AI?

“Shadow AI” is the use of AI technology inside an organization without formal approval, oversight, or governance from IT, security, legal, or leadership teams. In the age of AI, it’s essentially the latest development in “shadow IT,” a phenomenon in which internal users adopt technologies outside official channels managed by IT and other stakeholders.

What are some examples of shadow AI?

Shadow AI takes many forms in the real world. Here are some common types of shadow AI that we help our clients replace with governed AI systems and processes.

  • Bespoke agentic AI development. A specific department or business unit often identifies a problem, then goes out to solve it on their own. They enable their team to build an agent, which sounds like a smart approach. However, the organization now has no visibility into this AI practice or its impact on data security, process optimization, or regulatory compliance.
  • Uploading sensitive data to public AI tools. Users may turn to public tools like ChatGPT to process internal company data and receive ideas or recommendations. Unfortunately, this represents a data security risk. Some tools may continue to train on user inputs, which means sensitive data from those user inputs can leak out in responses to users outside the organization. This is one of the biggest reasons to choose Microsoft Copilot rather than ChatGPT.
  • Offloading important processes and decisions to AI without human review or policy management. For some users, it’s tempting to blaze a trail and use AI in bold new ways both operationally and strategically. While the technology is powerful, centralized visibility and oversight are essential to managing new risks associated with AI.

As you can see, shadow AI easily creates new problems for organizations. Let’s examine some of these problems.

What are the problems associated with shadow AI?

Just like shadow IT, shadow AI is usually created with good intentions. Unfortunately, it fragments the IT environment even further, introducing all kinds of risks and roadblocks down the road.

Here are the biggest problems associated with shadow AI.

  • AI as decision-maker. Is AI making decisions, or are your employees using it to inform decisions? There’s a huge difference here. There’s also a huge risk in unchecked decisions made by AI tools.
  • Unclear technical ownership. Who maintains a bespoke, internal AI agent?
  • Technical debt. Shadow AI introduces systems, data flows, and dependencies outside an organization’s centralized IT practice. It’s often optimized for speed today rather than maintainability tomorrow. Both factors contribute to technical debt.
  • Lack of knowledge management. Has IT established centralized knowledge management for the tool, or does IT not even know about it?
  • Tribal knowledge is fragile. What will happen when/if Bob from account management leaves the company—and all his knowledge leaves with him?
  • Data security risks. Not every AI tool safeguards the data entered in a prompt. Your users may be entering sensitive information in conversations with AI tools, and that information may be ingested by the tool for further training. This is a data security risk.
  • Regulatory compliance risks. Where shadow AI threatens data security, it also threatens regulatory compliance. Consider the employee who uploads sensitive data to an AI tool in violation of HIPAA, CMMC, GDPR, or some other regulatory framework.
  • Duplicate functionality. Specific departments often engage shadow AI to solve challenges that their sanctioned tools could actually solve—but users just don’t know about the functionality. This can lead to some users leveraging approved tools while others use shadow AI. Lack of uniform processes can create inefficiencies—or worse, conflicting business data.

How do I know if my team is using shadow AI?

While the use of shadow AI isn’t immediately obvious, you can learn to spot some telltale signs. Here are some indications that your team may be using AI outside your organization’s oversight and governance.

  • Employees casually mention “I ran it through ChatGPT.”
  • AI outputs appear in work with no tooling record.
  • Data policies mention software but not AI.
  • Your organization offers no clear guidance on what AI tools are allowed.
  • You hear of teams experimenting quietly “on the side.”

The best way to find out is to ask directly. Collaborate with department heads to gain a clearer picture of how AI is being used across the organization. Make it clear that no one is being penalized—far from it. Rather, you need to build a picture of risk so you can equip teams with robust AI tools that are also secure and compliant. This is the key to maintaining innovation without introducing unnecessary risks.

How can organizations deal with shadow AI?

Organizations can deal with shadow AI by using the following process.

  1. Take a full audit of AI systems in use.
  2. Build a complete list of the business functions that various teams are executing in shadow AI tools.
  3. Map those functions to the capabilities of AI tools that support full integration with your business environment as well as strong data governance. Microsoft Copilot is a great example of a solution that’s built for governance, oversight, and data security, with full integration with tools like Microsoft Intune to prevent exposure of sensitive data.

As you engage this process, the key is to address shadow AI without sending a message that you don’t want your teams to innovate. There are two aspects of the challenge to consider here:

  • The technical side. Which AI tools are your employees using? Do you need to eliminate some of them? If so, which AI tools will you give your team instead?
  • The cultural side. You want to reward AI innovation while also communicating what your AI governance policies are—and why. You don’t want to squash innovation.

Real-world tactics to deal with shadow AI

It would be shortsighted to ban AI entirely. In many industries, AI workflows are already essential to keep up in an increasingly efficient marketplace. Rather than banning AI, you should establish clear, practical governance over how the technology is used.

Here are some real-world tactics you can use to achieve this.

  1. Create a clear AI use policy. Spell out what tools are approved and how your internal data can or can’t be used. (Check out our FREE AI Governance Policy Template to get started.)
  2. Provide safe, sanctioned AI tools. If you’re a Microsoft customer, Copilot is the ideal choice, as it integrates with your Microsoft environment—including respect for your user permissions and data sensitivity.
  3. Educate your employees. Explain what shadow AI is, why it’s risky, and how the organization is giving employees the capabilities they need through sanctioned tools.
  4. Enable visibility. Monitor AI usage patterns and prevent the propagation of sensitive data with Microsoft Intune.
  5. Build fast, easy-to-understand approval paths. This can prevent teams from going rogue due to perceived red tape.

Microsoft tools for AI governance

Microsoft offers several solutions to help organizations govern and manage AI usage among their staff. Here are the top tools that we recommend to our customers.

  1. The Copilot Control System. Microsoft offers this framework of integrated controls with every instance of Microsoft 365 Copilot. The solution helps secure data, control the creation of agents, and restrict what external data is accessible to agents.
  2. Microsoft 365 Copilot Analytics (Viva Insights). This solution helps organizations see who is using Copilot, how they’re using it, and what impact it’s having on productivity.
  3. Microsoft Purview. This solution acts as the backbone of Microsoft’s AI governance strategy. It ensures that Copilot and other AI tools respect existing data protection and compliance rules.
  4. Microsoft Defender for Cloud Apps and Defender for Cloud. Microsoft Defender can help organizations discover which AI apps employees are using. It can also block or limit risky AI tools and assess AI security posture.
  5. Microsoft Entra. This solution allows organizations to control who can use AI—and what data it can access for each user. Entra uses identity-based controls like role-based access, conditional access, time-bound permissions, and more.
  6. Microsoft Security Copilot. This solution helps security teams investigate AI-related incidents. It can correlate identity, data, and threat signals, identify misconfigurations, and accelerate the response to AI-driven risks.

How can you decide whether to build or buy an AI tool?

In the vast majority of cases, organizations are better off buying an AI tool rather than building one. Knowledge management becomes an ongoing challenge for any company that relies on an internally built AI solution.

Of course, in some cases, companies may be justified in building an AI tool in-house. It all depends on whether AI is a strategic differentiator for the organization.

Here’s a table to help you determine whether you should build or buy an AI solution.

Decision Factor | Build AI In-House | Buy an AI Solution
Strategic importance | AI is core to your competitive advantage | AI is a supporting capability
Customization needs | Highly specific workflows or data | Standard or configurable use cases
Speed to value | You can invest time to develop | You need results quickly
Internal expertise | Strong ML, data, and engineering teams | Limited AI or data engineering resources
Data sensitivity | Data must stay fully internal | Vendor meets security/compliance needs
Cost profile | Long-term investment makes sense | Lower upfront cost preferred
Scalability & maintenance | You have the resources and C-suite commitment to take ownership of maintenance | You want vendor-managed updates
Risk tolerance | Comfortable with experimentation and iteration | Prefer proven, supported solutions

Here’s a simple rule of thumb that we use with clients:

  • Build when AI is a critical differentiator for your business, and you have a strong group of ML and engineering experts in-house.
  • Buy when AI is a critical accelerator for your business, and you don’t have in-house capabilities in AI development.

The takeaway: Centralize AI governance; don’t build unless AI is a differentiator

Shadow AI is a real issue for modern organizations, but it doesn’t have to derail innovation or data security. The key is to get a handle on shadow AI and build a plan to replace it with safe, integrated, approved tooling. Here at Corsica Technologies, we’ve helped 1,000+ clients solve their toughest problems with technology. We’re a Microsoft Solutions Partner with certifications in Modern Work, Security, and Azure infrastructure. If you’re ready to get control of AI at your organization, get in touch with us. Let’s take the next step on your journey.

Brian Harmison is the CEO of Corsica Technologies, a leading IT solutions provider, with over two decades of experience in technology. He has held key leadership positions in renowned technology companies, specializing in IT strategy, cybersecurity, AI strategy, and managed services. His vision has driven Corsica Technologies’ growth and transformation, making it a trusted partner for managed IT solutions and managed cyber security services. Through collaboration, mentorship, and team development, Brian positions Corsica Technologies for continued success and innovation in IT and cybersecurity.

M365 Security: 12 Crucial Best Practices https://corsicatech.com/blog/microsoft-365-security-best-practices/ https://corsicatech.com/blog/microsoft-365-security-best-practices/#respond Tue, 17 Feb 2026 15:20:00 +0000 https://corsicatech.com/?p=45826 💡 Interactive Calculator:  How Much Should You Pay for Managed Security? Try the Calculator In today’s cyberthreat landscape, Microsoft 365 is a prime target for attack. Factors like environment complexity, misconfigured users, and default security settings can all make M365 vulnerable to exploitation. So how do you protect your environment? What does it take to […]

The post M365 Security: 12 Crucial Best Practices appeared first on Corsica Technologies.

M365 Security: 12 Crucial Best Practices

In today’s cyberthreat landscape, Microsoft 365 is a prime target for attack.

Factors like environment complexity, misconfigured users, and default security settings can all make M365 vulnerable to exploitation.

So how do you protect your environment? What does it take to secure M365?

The best defense for Microsoft 365 is a layered defense. Here at Corsica Technologies, we are a Microsoft Modern Work Solutions Partner, a Security Solutions Partner with the Identity and Access Management specialization, and a member of MISA (the Microsoft Intelligent Security Association)—so when it comes to Microsoft 365 security, we’ve got answers for even the toughest questions.

Here are the top 12 cybersecurity best practices that we recommend, implement, and manage for customers using Microsoft 365.

Key takeaways:

  • Universal MFA is a must for Microsoft 365 security.
  • An intelligent approach to users, identity, and access helps secure M365.
  • Zero Trust architecture is a crucial pillar of M365 security.
  • Consider device-level controls in Microsoft Intune in addition to M365 security controls.
  • Make sure your employees are trained to recognize phishing emails.

1. Implement MFA everywhere

MFA is the single most effective control against credential compromise. According to Microsoft’s research, MFA is 99.99% effective at maintaining account security. Clearly, you should implement MFA across the board in M365. Here’s what that coverage looks like.

  • All users (excluding break‑glass accounts)
  • All privileged and administrative roles
  • All remote access scenarios
  • Guest and external users

2. Implement conditional access policies

MFA alone isn’t enough to protect M365. You should also implement conditional access policies that block access based on suspicious activity. Properly implemented, these policies account for user risk, sign-in behavior, device compliance, and application sensitivity. Typical policies include:

  • Block access from unmanaged devices
  • Require compliant or hybrid‑joined devices
  • Disallow persistent browser sessions

The free version of Entra ID does not include Conditional Access—it is included in Entra ID P1 and these M365 versions: E3, E5, and Business Premium.

3. Manage privileged access

Some accounts in M365 will always be more sensitive than others. Those with privileged access require additional controls and policies to protect them. Here’s what we recommend for accounts with privileged access.

  • Use PIM (privileged identity management) in Microsoft Entra ID
  • Enforce JIT (just in time) access
  • Separate global admin roles
  • Monitor privileged activity logs

Privileged Identity Management (PIM) is not available in the free or Entra ID P1 products; it requires Entra ID P2, M365 E5, or the Microsoft Entra ID Governance license.

4. Implement Zero Trust architecture

Securing M365 requires explicit verification, least privilege access, and continuous evaluation, all of which are core tenets of Zero Trust architecture. In the context of M365, key elements include:

  • Conditional access policies for risk‑based authentication
  • Device compliance enforcement via Intune
  • Network‑independent access controls (don’t trust internal networks)

5. Disable legacy authentication protocols

If you implement MFA, you’ll have to disable legacy authentication protocols by default—but it’s worth calling out exactly what’s being disabled. You should block non-HTTPS and outdated protocols, including:

  • POP and IMAP without OAuth
  • Older Office clients
  • Basic authentication endpoints
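One way to confirm that items 1, 2 and 5 above are actually enforced, rather than just written down, is to audit the tenant's Conditional Access policies. The following is an added example, not Corsica's or Microsoft's code: it evaluates policy objects in the Microsoft Graph conditionalAccessPolicy shape (what GET /identity/conditionalAccess/policies or Get-MgIdentityConditionalAccessPolicy return) against that baseline. The sample tenant is constructed, and the break-glass object id is a placeholder.

```python
# Added example: audit Entra Conditional Access policies against the baseline
# in items 1, 2 and 5 (MFA for all users, device/session controls, legacy
# authentication blocked). Policy dictionaries use the Microsoft Graph
# conditionalAccessPolicy shape; the sample tenant below is constructed and
# the break-glass object id is a placeholder, not a real account.

# Object ids of the emergency-access (break-glass) accounts. PLACEHOLDER value.
BREAK_GLASS_IDS = {"11111111-2222-3333-4444-555555555555"}

# Graph clientAppTypes values that represent legacy (non-modern) authentication.
LEGACY_CLIENT_APP_TYPES = {"exchangeActiveSync", "other"}


def _enforced(policy):
    # Only "enabled" enforces; "enabledForReportingButNotEnforced" is report-only.
    return policy.get("state") == "enabled"


def _users(policy):
    return policy.get("conditions", {}).get("users", {})


def _all_users(policy):
    return "All" in _users(policy).get("includeUsers", [])


def _controls(policy):
    return set((policy.get("grantControls") or {}).get("builtInControls", []))


def mfa_enforced_for_all_users(policies):
    """Item 1: an enforced policy requiring MFA for all users on all apps."""
    for p in policies:
        apps = p.get("conditions", {}).get("applications", {})
        if (_enforced(p) and _all_users(p) and "mfa" in _controls(p)
                and "All" in apps.get("includeApplications", [])):
            return True
    return False


def legacy_auth_blocked(policies):
    """Item 5: an enforced block that covers both legacy client app types."""
    for p in policies:
        client_types = set(p.get("conditions", {}).get("clientAppTypes", []))
        if (_enforced(p) and _all_users(p) and "block" in _controls(p)
                and LEGACY_CLIENT_APP_TYPES <= client_types):
            return True
    return False


def device_control_present(policies):
    """Item 2: a compliant or hybrid-joined device is required somewhere."""
    return any(_enforced(p) and _controls(p) & {"compliantDevice", "domainJoinedDevice"}
               for p in policies)


def persistent_browser_disallowed(policies):
    """Item 2: an enforced session control that never persists browser sessions."""
    for p in policies:
        pb = (p.get("sessionControls") or {}).get("persistentBrowser") or {}
        if _enforced(p) and pb.get("isEnabled") and pb.get("mode") == "never":
            return True
    return False


def missing_break_glass_exclusion(policies):
    """Item 1 caveat: every non-disabled policy aimed at All users must exclude
    the break-glass accounts, or one bad policy can lock every admin out."""
    return [p["displayName"] for p in policies
            if _all_users(p) and p.get("state") != "disabled"
            and not BREAK_GLASS_IDS <= set(_users(p).get("excludeUsers", []))]


def audit(policies):
    """Return human-readable findings; an empty list means the baseline is met."""
    findings = []
    if not mfa_enforced_for_all_users(policies):
        findings.append("no enforced policy requires MFA for all users on all apps")
    if not legacy_auth_blocked(policies):
        findings.append("legacy authentication is not blocked by an enforced policy")
    if not device_control_present(policies):
        findings.append("no enforced policy requires a compliant or hybrid-joined device")
    if not persistent_browser_disallowed(policies):
        findings.append("no enforced session control disables persistent browser sessions")
    findings += [f"policy '{n}' targets All users without excluding break-glass accounts"
                 for n in missing_break_glass_exclusion(policies)]
    return findings


def _policy(name, state, grant=None, client_types=("all",), exclude=(), session=None):
    """Build a constructed policy in the Graph shape (helper for the sample only)."""
    return {
        "displayName": name, "state": state,
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": list(exclude)},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": list(client_types)},
        "grantControls": {"operator": "OR", "builtInControls": list(grant)} if grant else None,
        "sessionControls": session}


BG = sorted(BREAK_GLASS_IDS)
SAMPLE_POLICIES = [  # constructed tenant
    _policy("Require MFA for all users", "enabled", grant=["mfa"], exclude=BG),
    # Left in report-only mode, so legacy authentication is still open.
    _policy("Block legacy authentication", "enabledForReportingButNotEnforced",
            grant=["block"], client_types=LEGACY_CLIENT_APP_TYPES, exclude=BG),
    # Break-glass exclusion forgotten.
    _policy("Require compliant or hybrid-joined device", "enabled",
            grant=["compliantDevice", "domainJoinedDevice"]),
    _policy("No persistent browser sessions", "enabled", exclude=BG,
            session={"persistentBrowser": {"isEnabled": True, "mode": "never"}}),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_POLICIES) or ["baseline met"]:
        print(finding)
```

On the constructed tenant the audit reports two findings: the legacy-auth block is still report-only, and the device policy does not exclude the break-glass account. Both are common states to find in real tenants, since report-only is the safe first step when creating a policy and is easy to forget to switch on.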

6. Optimize Defender for Office 365

Microsoft Defender for Office 365 automatically protects a new M365 environment with default security settings. However, default settings may not be adequate in all cases. In particular, make sure Defender for O365 is providing:

  • Safe Links (URL rewriting)
  • Safe Attachments (sandboxing)
  • Anti‑phishing and anti‑spoofing intelligence

Defender for Office 365 can be licensed these ways:

  • Microsoft 365 Business Premium: Includes Defender for Office 365 Plan 1.
  • Microsoft 365 E3: Includes Defender for Office 365 Plan 1.
  • Microsoft 365 E5: Includes Defender for Office 365 Plan 2.
  • Microsoft 365 E5 Security Add-on: Includes Defender for Office 365 Plan 2 for organizations with E3 subscriptions.

7. Strengthen endpoint security with Intune

Microsoft Intune allows you to implement required security policies on managed devices. Proper configuration of Intune is a key component in overall M365 security. You can use Intune to enforce:

  • Device compliance policies
  • Application control
  • Encryption (BitLocker)
  • OS update and patch enforcement

8. Train staff to recognize phishing emails

Technological controls are essential to M365 security, but people remain the weakest link. Make sure your users are fully trained to recognize phishing emails. Here are some common phishing strategies that your users should be trained to recognize.

  • Urgent requests
  • Unexpected refunds and payments
  • Spear phishing
  • Whaling

Learn more here: 17 Phishing Email Examples.

Proper training here requires up-to-date information on what cybercriminals are doing today. That’s why many companies choose Phishing and Cybersecurity Awareness Training for Employees.

Hot tip: A new Security Copilot credit for M365 E5 customers empowers your organization to deploy the popular Phishing Triage Agent that brings AI power to scale the triage and classification of user‑reported phishing emails.

9. Apply Microsoft’s security baselines

To protect customers, Microsoft regularly updates their security baselines. These recommendations serve as hardened configuration templates for enterprise clients. Recent baselines include:

  • Excel File Block expansion (blocks external link files)
  • Blocking all non‑HTTPS protocols
  • Restricting unsafe automation tools (e.g., legacy OLE components)
  • PowerPoint and Excel macro hardening

You can deploy these baselines via Intune, Group Policy, or Office Cloud Policy Service.

10. Implement DLP and sensitivity labels

Data security is challenging in modern environments, but Microsoft has an answer. You can implement DLP (data loss prevention) and other forms of data protection through Microsoft Purview. Here are a few best practices for Purview as it relates to M365.

  • Implement DLP to detect and block inappropriate sharing of sensitive data across your M365 environment and applications.
  • Use Purview to gain visibility into your entire data landscape.
  • Apply sensitivity labels to data, either automatically or manually.
  • Implement encryption for sensitive emails and documents.
  • Use Purview for governance of Copilot access and data output.

You can license Microsoft Purview through M365 E5 or by adding the Microsoft Purview Suite to M365 E3 or Business Premium plans.

11. Harden Office applications and disable unsafe features

You can reduce the exploitable surface area in Office applications by following Microsoft’s latest baselines. In particular, you should block:

  • Legacy automation interfaces
  • Unsafe macros and ActiveX
  • External link file refreshes
  • Downgrade-prone protocols

12. Choose M365 managed security services

All the measures we’ve discussed so far are powerful.

But sometimes, they’re not enough.  

The final defense is M365 managed security services designed specifically for your environment. Here at Corsica Technologies, our M365 customers enjoy dedicated security monitoring, threat response, and consulting that’s difficult to provide in-house.

Here’s what you can get when you choose Corsica for M365 security services.

  • M365 security strategy consulting
  • M365 optimization and management
  • M365 managed security services
  • 24/7 monitoring and threat response for M365
  • Enhanced productivity apps

The takeaway: Don’t wait to protect your M365 environment

Modern cybercriminals know M365 far too well. They know where to find loopholes, misconfigurations, and default settings that offer a way in. If you need help locking down M365, contact us. We’re a long-standing and proven Microsoft Solutions Partner for Security with specializations in Cloud Security, Identity and Access Management, and Threat Protection, and a member of the Microsoft Intelligent Security Association (MISA). We’ve helped 1,000+ customers solve their toughest problems with technology. Contact us today, and let’s secure your M365 environment.

John is Senior Director of Technology at Corsica Technologies. Awarded Microsoft MVP for 18 years (2007-2026), he is currently dual-awarded in Azure Management and Cloud Security. He is a certified Azure Solutions Architect Expert and Microsoft Cybersecurity Architect Expert. John co-authored the four books in the industry-standard reference series, System Center Operations Manager: Unleashed (Sams publishing). His most recent book ‘Azure Arc-Enabled Kubernetes and Servers’ was published by Apress. Specialties include Microsoft Sentinel/Defender XDR, Security Copilot, Defender for Cloud, Defender for IoT, Azure Monitor, and Azure Arc. He is a retired U.S. Navy Lt. Commander who served as Chief of Network Operations for NATO southern region and national Network Security Officer for the Navy Bureau of Personnel.

Microsoft Defender for IoT: Use Cases, Devices, and Setup
https://corsicatech.com/blog/defender-for-iot-devices-use-cases/
Tue, 10 Feb 2026 15:20:00 +0000

The post Microsoft Defender for IoT: Use Cases, Devices, and Setup appeared first on Corsica Technologies.

It’s no secret that OT devices are ripe for exploitation by cybercriminals. From unencrypted connections to the fact that they can’t run security agents, these devices are prime targets for cybercriminals.

This is why Microsoft created Defender for IoT (D4IoT). This solution offers passive, agentless monitoring that thoroughly protects these devices.

But what devices can D4IoT support?

How do you set it up?

We’ve got all the answers here.

Key takeaways:

  • D4IoT supports numerous types of OT devices, including SCADA systems, BMS, DCS, PLCs, and many more.
  • D4IoT supports countless proprietary industrial protocols, including Modbus, DNP3, BACnet, and others.
  • D4IoT can discover connected OT devices that you don’t even know about.
  • D4IoT can integrate with Microsoft Sentinel, giving you a converged and comprehensive view of OT and IT security.

What types of devices does Defender for IoT actually support?

Defender for IoT is a specialized security solution for OT (operational technology) and industrial systems. It excels at protecting devices that can’t run their own security agents due to limited computing power.

While this list isn’t exhaustive, here are the most common types of OT devices that companies choose to protect with D4IoT.

  • SCADA systems (Supervisory Control and Data Acquisition)
  • BMS (Building Management Systems)
  • DCS devices (Distributed Control Systems)
  • PLCs (Programmable Logic Controllers)
  • RTUs (Remote Terminal Units)
  • HMIs (Human-Machine Interfaces)
  • Industrial sensors and meters
  • ICS (industrial control systems)

Does D4IoT work for both managed (like Windows) and unmanaged devices (like a thermostat or IP camera)?

D4IoT is designed to protect OT (operational technology) devices that don’t have operating systems. As such, it isn’t the right choice to act as a security agent for laptops, desktops, and servers. Any device with an operating system should use the appropriate version of Microsoft Defender for Endpoint.

That said, note that Windows machines can help D4IoT find devices on the network that require protection by D4IoT. Windows machines can assist here even though D4IoT doesn’t act as their security agent.

Here’s a table with several common types of devices and the security tool that they should use.

Device Type | Recommended Security Solution | Why
Windows PC / Windows Server | Microsoft Defender for Endpoint | Windows endpoints are protected by MDE, not D4IoT. D4IoT alerts can be automatically correlated inside Microsoft Sentinel / Defender XDR incidents when monitored Windows computers are entities.
IP Cameras | Microsoft Defender for IoT | Agentless IoT/OT devices are secured via D4IoT network-layer monitoring.
Smart Thermostats / Building Automation | Microsoft Defender for IoT | Agentless IoT/OT devices are secured via D4IoT network-layer monitoring.
PLCs, RTUs (Industrial Controllers) | Microsoft Defender for IoT | Agentless IoT/OT devices are secured via D4IoT network-layer monitoring.
SCADA / HMI Systems | Microsoft Defender for IoT | Agentless IoT/OT devices are secured via D4IoT network-layer monitoring.
Network Devices (switches, routers that cannot run agents) | Microsoft Defender for IoT | As unmanaged OT/IoT devices, these are monitored via D4IoT’s agentless network visibility.
BYOD Mobile Phones (iOS/Android) | Microsoft Defender for Endpoint | These are managed/unmanaged IT endpoints, appropriate for MDE—not D4IoT.
Smart Sensors (temperature, vibration, environmental) | Microsoft Defender for IoT | Agentless IoT/OT devices are secured via D4IoT network-layer monitoring.

Does Defender for IoT support specific industry protocols like Modbus, DNP3, or BACnet?

Yes. One of D4IoT’s strengths is its support for the proprietary protocols found in OT devices. D4IoT supports Modbus, DNP3, BACnet, and many others. In fact, the solution is protocol-agnostic, supporting almost any industrial protocol. Here are the most common protocols that are explicitly supported.

  • MODBUS
  • DNP3
  • BACnet
  • Siemens S7
  • OPC
  • Profinet
  • IEC‑104

This broad protocol support is part of what enables D4IoT to provide deep visibility, anomaly detection, and threat monitoring across diverse industrial and operational technology networks.

How do I onboard industrial OT devices to Defender for IoT?

OT devices are not onboarded the same way as IT endpoints. With limited computational resources and locked-down and proprietary configurations, they can’t run a security agent in the same way that a laptop or server can. D4IoT provides passive monitoring of mirrored traffic, and this design dictates the onboarding process.

Here’s a quick overview of the D4IoT onboarding process for OT devices.

  1. Deploy an OT network sensor. D4IoT uses specifically designed OT sensors, which are physical or virtual machines connected to a SPAN port or network TAP. Choose between a VM appliance or a physical appliance, then connect the sensor to your chosen port, power it on, and access the local sensor UI.
  2. Onboard the sensor to D4IoT. You’ll register your sensor with your D4IoT environment through your Azure portal. Doing so will trigger asset discovery for connected devices, protocol analysis, alerts, and vulnerability insights.
  3. Verify proper device discovery. D4IoT is incredibly good at detecting OT devices on your network, but it’s a good idea to compare its list with your list of known devices (if you have one). Note: You don’t need to touch or configure the OT device itself. Discovery happens passively, which means your devices continue to function with no interruption.
  4. Configure sensor settings (optional). As needed, you can configure OT sensors from your Azure portal. You can define VLANs and subnets, specify bandwidth caps, integrate with Active Directory, and more. This is where you can implement standard settings across multiple OT sites that are monitored by the same D4IoT instance.
  5. Integrate with Sentinel or other SOC tools (optional). Microsoft makes it easy to integrate D4IoT with Sentinel/Defender XDR, their market-leading SIEM (security information and event management) and SOAR (security orchestration, automation & response) solution. You can also integrate with third-party SOC tools. This type of integration gives you a converged canvas for monitoring and protecting both OT and IT networks.

Will Defender for IoT monitor my legacy OT equipment running an old operating system that can’t be patched?

Absolutely. D4IoT is a passive, agentless solution that monitors mirrored traffic to the device. This means D4IoT doesn’t actually run on the device. This design eliminates the need for OS compatibility.

In other words:

  • No software is installed on the device
  • No OS updates are required
  • Devices remain untouched and continue operating normally

As you can see, D4IoT offers a smart approach to protecting devices that can’t be updated.

Can D4IoT provide an inventory of all the OT devices on my network, including those I don’t even know I have?

Yes. D4IoT can find:

  • Devices no one documented
  • Devices that aren’t centrally managed
  • Devices that use obscure or proprietary OT protocols
  • Devices that can’t run agents or modern firmware

D4IoT automatically discovers device details and communication patterns directly from network traffic. This means it provides a full inventory of the OT devices on your network, whether they’ve been manually catalogued or not. In fact, this capability is one of the solution’s biggest strengths, as OT networks are notorious for having unknown devices connected to them.

How do I respond to an OT security incident using Defender for IoT?

Unlike IT incidents, OT incidents often involve industrial controllers, HMIs, PLCs, safety systems, and sensitive physical processes. Defender for IoT provides OT‑specific alerting, investigation tools, and integrations with Microsoft Sentinel to facilitate an appropriate response.

Here’s what the process looks like in detail.

  1. Review the OT alert. You can open the alert directly from the Alerts page in D4IoT or from a Sentinel incident if you’ve integrated D4IoT with Sentinel.
  2. Investigate the OT alert. Examine communication patterns and impacted devices. Understand the scope and timeline of the activity and determine whether it is malicious or operational. If you’ve integrated D4IoT with Sentinel, you can check in Sentinel for any IT alerts that correlate with these signals to form a larger pattern.
  3. Contain the OT threat. Depending on the nature of the threat, you may need to block hostile IP addresses, isolate affected devices, and/or disable compromised accounts if the attack involves identity and access. OT sensors don’t actively block traffic, so you’ll need to use things like firewalls, network segmentation, and Sentinel automation playbooks to contain the threat.
  4. Eliminate the threat. Exact actions will depend on the type of threat and the nature of the affected device(s). Common actions include removing malicious configurations from devices and stopping rogue communications. Due to the limitations of OT devices, you may need to coordinate with plant floor operations to eliminate a threat completely.
  5. Document and close the incident. Gather and record as much information as possible so you can learn from it. Document what happened, which assets were affected, the root cause, response steps, and takeaways for preventing similar incidents in the future.
  6. Harden security measures. Use everything you learned from the incident to identify stronger security measures that may prevent similar incidents. Network segmentation (to include adopting the Purdue model of OT network stratification) and enhanced monitoring are common measures to implement or improve after an incident.

The takeaway: Don’t wait to protect your OT devices

The threats against OT devices are too significant to ignore. Microsoft Defender for IoT can solve these problems, but you need the resources to implement, integrate, and manage the tool. If you need assistance with OT security, Corsica Technologies can help. We’re a long-standing and proven Microsoft Solutions Partner for Security with specializations in Cloud Security, Identity and Access Management, and Threat Protection, and a member of the Microsoft Intelligent Security Association (MISA). We’ve helped 1,000+ clients achieve their goals with technology. Contact us today, and let’s take the next step in your OT journey.

How Do You Deploy Microsoft Defender for IoT?
https://corsicatech.com/blog/defender-for-iot-architecture-and-deployment/
Tue, 03 Feb 2026 15:20:00 +0000

The post How Do You Deploy Microsoft Defender for IoT? appeared first on Corsica Technologies.

Here’s a frightening stat: 70% of IoT devices have serious security vulnerabilities.

Given their unique protocols, unencrypted connections, and proprietary operating systems, these devices are prime targets for cyberattacks.

Microsoft Defender for IoT offers incredible protection for OT and ICS systems.

But what does it take to deploy D4IoT—and what options do you have?

Here’s everything you need to know.

Key takeaways:

  • Defender for IoT should be deployed out-of-band, never inline, to avoid overloading sensitive OT devices.
  • D4IoT implementations must use a cloud or hybrid model.
  • D4IoT is especially powerful when integrated with Microsoft Sentinel/Defender XDR. In this scenario, your SOC team (or MSP) gets full visibility across IT and OT environments.

How do you deploy Microsoft Defender for IoT?

The deployment process for Defender for IoT is fairly straightforward. Here’s the process we follow with our clients at Corsica Technologies.

  1. Plan network visibility. We identify critical network segments and protocols, then decide where to place sensors (SPAN ports or TAPs on managed switches or aggregation points).
  2. Install OT network sensors. We deploy sensors out-of-band, never inline, to monitor mirrored traffic without disrupting the devices under management. We also configure SPAN and/or TAP sessions to feed traffic from relevant VLANs or ports. Sensors can be hardware or virtual (supporting Microsoft Hyper-V and VMware ESX). Sensors can be sized from XS (100 devices) to XL (5,000 devices) in five discrete capacity-based specifications.
  3. Integrate with security tools. Microsoft recommends a cloud or hybrid model for D4IoT, which opens up several beneficial integration opportunities. Depending on the customer’s needs, we integrate D4IoT with Microsoft Sentinel and/or ticketing systems for integrated security visibility and process flow.

In all implementations, it’s important to start with a visibility assessment before enabling alerting. This ensures that every device requiring protection is actually included in the scope of monitoring.

It’s also important to size sensors correctly for the traffic volume. Historical data is helpful here—or we can assess current network traffic to determine your needs.

What are the main building blocks of Defender for IoT?

Several key components work together to support the functionality of Defender for IoT. Here are the primary building blocks of the solution.

1. Network sensors

  • Purpose: Passive monitoring of network traffic for IoT/OT devices.
  • Deployment: Connected to SPAN (or MIRROR) ports or network TAPs to capture traffic without impacting operations.
  • Functionality: Detects vulnerabilities, anomalies, and threats using deep packet inspection and protocol analysis.

2. Cloud integration (Azure)

  • Purpose: Extends monitoring and analytics to the cloud.
  • Components:
    • Microsoft Defender for IoT in Azure provides advanced threat intelligence and integration with Azure Security Center, including proactive scanning of device firmware updates.
    • Azure Sentinel Integration enables SIEM capabilities for incident response and correlation across IT and OT networks.
  • Benefits: Scalable analytics, threat intelligence updates, and unified security visibility.

3. Threat intelligence and analytics

  • Purpose: Uses Microsoft’s global threat intelligence to detect emerging threats.
  • Functionality: Continuous updates to detection engines and threat behavioral models.

4. APIs and integrations

  • Purpose: Connects Defender for IoT with third-party tools like SIEM, other SOC tools, and ticketing systems.
  • Examples: Splunk, QRadar, ServiceNow.

What data does the OT sensor actually collect?

A D4IoT sensor collects all wire-line data on the network segment it is connected to. It monitors devices through deep packet inspection of mirrored traffic. The sensor doesn’t interact with the devices themselves, which keeps it from impacting OT network traffic in any way.

Here’s the data that a D4IoT sensor collects.

  1. Device and asset information: The sensor records IP and MAC addresses, device type and vendor, and firmware and OS versions. It also records serial numbers, hardware details, network topology, and device relationships.
  2. Network traffic metadata: The sensor gathers data on protocols used (e.g., Modbus, OPC UA, DNP3, BACnet), session details, communication patterns, and any unusual or unauthorized connections.
  3. Operational data: The sensor records commands and function actions in OT protocols, process values like sensor readings and actuator states, configuration changes, and authentication attempts, whether successful or failed.
  4. Security status indicators: The sensor gathers data on known vulnerabilities (based on device fingerprinting), anomalous behavior, malware signatures, exploit attempts, and policy violations like unauthorized remote access.
  5. Security event and alert data: The sensor detects threats (following the MITRE ATT&CK framework for ICS mapping). It also detects suspicious traffic patterns and indicators of potential lateral movement within the OT network.
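The protocol support described in the previous post (Modbus, DNP3, BACnet and the rest) and the "operational data" in item 3 here come from the same passive step: decoding the OT protocol inside mirrored frames. The following added example, not Microsoft's D4IoT code, does that for Modbus/TCP. It parses the MBAP header and function code of each frame, builds the per-PLC list of functions seen (inventory), and raises an alert when a write function arrives from a host that is not on an allow-list of engineering stations. The frames, addresses and allow-list are constructed.

```python
# Added example (not Microsoft's D4IoT code): passive Modbus/TCP inspection of
# mirrored frames. It decodes the MBAP header and function code, records which
# functions each PLC receives, and alerts on write functions from hosts that
# are not on a constructed allow-list. All frames, addresses and the
# allow-list below are constructed.
import struct
from dataclasses import dataclass

MODBUS_FUNCTIONS = {
    1: "Read Coils", 2: "Read Discrete Inputs", 3: "Read Holding Registers",
    4: "Read Input Registers", 5: "Write Single Coil", 6: "Write Single Register",
    15: "Write Multiple Coils", 16: "Write Multiple Registers",
}
WRITE_FUNCTIONS = {5, 6, 15, 16}  # functions that change PLC state


@dataclass
class ModbusRequest:
    src: str
    dst: str
    transaction_id: int
    unit_id: int
    function: int
    address: int  # starting coil/register address (-1 if the PDU has none)


def parse_modbus_tcp(src, dst, payload):
    """Decode the MBAP header (tid, protocol id, length, unit id) and the PDU
    function code. Raises ValueError for frames that are not Modbus/TCP."""
    if len(payload) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack("!HHHB", payload[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    if length != len(payload) - 6:  # length counts unit id + PDU
        raise ValueError("MBAP length does not match frame size")
    function = payload[7]
    address = struct.unpack("!H", payload[8:10])[0] if len(payload) >= 10 else -1
    return ModbusRequest(src, dst, tid, unit, function, address)


# PLC IP -> hosts allowed to write to it. Constructed site policy.
WRITE_ALLOWLIST = {"10.0.10.20": {"10.0.10.5"}}


def inspect(frames, allowlist=WRITE_ALLOWLIST):
    """frames: iterable of (src_ip, dst_ip, payload bytes) from a SPAN/TAP copy.
    Returns (inventory, alerts); inventory maps PLC -> set of function names seen."""
    inventory, alerts = {}, []
    for src, dst, payload in frames:
        try:
            req = parse_modbus_tcp(src, dst, payload)
        except ValueError as err:
            alerts.append(f"malformed Modbus/TCP frame {src}->{dst}: {err}")
            continue
        name = MODBUS_FUNCTIONS.get(req.function, f"function {req.function}")
        inventory.setdefault(dst, set()).add(name)
        if req.function in WRITE_FUNCTIONS and src not in allowlist.get(dst, set()):
            alerts.append(f"unauthorized write: {src} sent '{name}' to {dst} "
                          f"unit {req.unit_id} address {req.address}")
    return inventory, alerts


SAMPLE_FRAMES = [  # constructed mirrored traffic: (src, dst, MBAP + PDU)
    # HMI reads 10 holding registers from address 0 (fc 3)
    ("10.0.10.6", "10.0.10.20", bytes.fromhex("00010000000601030000000a")),
    # engineering station writes register 0x0010 := 0x00ff (fc 6), allowed
    ("10.0.10.5", "10.0.10.20", bytes.fromhex("0002000000060106001000ff")),
    # unknown host forces coil 1 on (fc 5): not on the allow-list
    ("10.0.10.99", "10.0.10.20", bytes.fromhex("00030000000601050001ff00")),
    # protocol id 1: not Modbus, reported as malformed
    ("10.0.10.99", "10.0.10.20", bytes.fromhex("00040001000601030000000a")),
]

if __name__ == "__main__":
    inventory, alerts = inspect(SAMPLE_FRAMES)
    print(inventory)
    print("\n".join(alerts))
```

Reads are deliberately not policed: polling by HMIs is the normal traffic pattern, and alerting on it would bury the one signal that matters, a state-changing write from a host that has no business issuing one. A real sensor layers many more decoders and a learned baseline on top of this, but the allow-list check is the shape of the "unauthorized access" detection listed under item 4.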

How does Defender for IoT handle duplicate IP ranges?

Duplicate IP ranges are common in OT environments, as many industrial sites use overlapping private IP spaces. Luckily, Defender for IoT is built to handle duplicate IP ranges without any issues. It does so through site-based segmentation and sensor-level isolation.

Here’s how it works in detail.

Site-based architecture

Each OT sensor is assigned to a specific site in Defender for IoT. Sites act as logical boundaries, so IP addresses are interpreted in the context of their site. This prevents conflicts when multiple sites use the same IP ranges.

Sensor-level isolation

Sensors only monitor traffic within their connected network segment. Duplicate IPs across different sensors do not collide because data is associated with the specific sensor and site.

Device identification beyond IP

Defender for IoT uses multi-factor fingerprinting (for example, MAC address, protocol behavior, and device type) to uniquely identify devices. This ensures accurate asset inventory even when IP addresses overlap.

Management console

When data is aggregated in the cloud or on-prem console, the site context is preserved. Dashboards and alerts always reference the site, avoiding ambiguity.
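To make the site-based identity concrete, here is an added illustration that is not D4IoT's own data model: an inventory keyed on site context and fingerprint rather than on IP alone, so two controllers at different sites that both use 192.168.1.10 stay separate while repeat sightings of one device merge into a single record. The observations are constructed, and the fallback rule (use the sensor and IP when no MAC is visible, as happens across a router) is an assumption of this example.

```python
# Added illustration (not D4IoT's own data model) of keying an OT inventory on
# site context and fingerprint rather than on IP address alone. Observations
# stand in for what a sensor reports after passive discovery; all values are
# constructed. Assumption of this example: a sensor reports a MAC only for
# devices on its own layer-2 segment, so identity falls back to
# (site, sensor, IP) when no MAC is visible.


def device_key(obs):
    """Identity used to merge observations into one device record."""
    if obs.get("mac"):
        return (obs["site"], "mac", obs["mac"].lower())
    return (obs["site"], "sensor", obs["sensor"], obs["ip"])


def build_inventory(observations):
    """Merge sensor observations into device records keyed by device_key()."""
    inventory = {}
    for obs in observations:
        rec = inventory.setdefault(device_key(obs), {
            "site": obs["site"], "ips": set(), "sensors": set(),
            "protocols": set(), "vendor": None})
        rec["ips"].add(obs["ip"])
        rec["sensors"].add(obs["sensor"])
        rec["protocols"].update(obs.get("protocols", ()))
        rec["vendor"] = rec["vendor"] or obs.get("vendor")
    return inventory


def devices_with_ip(inventory, ip):
    """All device keys that carry a given IP: overlapping ranges show up here."""
    return sorted(key for key, rec in inventory.items() if ip in rec["ips"])


def count_by_ip_only(observations):
    """What a naive, IP-keyed inventory would report: distinct IPs seen."""
    return len({obs["ip"] for obs in observations})


SAMPLE_OBSERVATIONS = [  # constructed
    {"site": "Plant-A", "sensor": "sensor-a1", "ip": "192.168.1.10",
     "mac": "00:1d:9c:aa:bb:01", "protocols": ["Modbus"], "vendor": "Vendor-X"},
    # same Plant-A device seen again, MAC reported in upper case
    {"site": "Plant-A", "sensor": "sensor-a1", "ip": "192.168.1.10",
     "mac": "00:1D:9C:AA:BB:01", "protocols": ["OPC UA"]},
    # different site reusing the same private address
    {"site": "Plant-B", "sensor": "sensor-b1", "ip": "192.168.1.10",
     "mac": "00:1d:9c:cc:dd:02", "protocols": ["DNP3"], "vendor": "Vendor-Y"},
    # seen through a router: no MAC, fall back to (site, sensor, ip)
    {"site": "Plant-B", "sensor": "sensor-b1", "ip": "192.168.1.11",
     "mac": None, "protocols": ["BACnet"]},
]

if __name__ == "__main__":
    inv = build_inventory(SAMPLE_OBSERVATIONS)
    print(len(inv), "devices vs", count_by_ip_only(SAMPLE_OBSERVATIONS), "distinct IPs")
    for key in devices_with_ip(inv, "192.168.1.10"):
        print(key, inv[key]["protocols"])
```

On the sample, an IP-only inventory counts two addresses, while the site-aware one yields three devices and correctly reports two separate devices behind 192.168.1.10. That is the difference between a dashboard that says "the PLC at 192.168.1.10" and one that says which site's PLC it is.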

Can the sensor impact the performance of our OT network?

No. A Defender for IoT sensor doesn’t impact OT network performance.

The sensor engages in passive monitoring only. It uses SPAN ports or network TAPs to receive a copy of the traffic associated with the device. The sensor doesn’t inject packets, modify traffic, or sit inline, so it can’t introduce latency or cause downtime.

To put it another way, D4IoT is an agentless security solution. It doesn’t install software on OT devices. Rather, it analyzes mirrored traffic to and from devices. It doesn’t consume any of the limited computing power of these devices.

How are network sensors actually deployed in production OT networks (SPAN/TAP placement, VLAN coverage, inline vs out-of-band) without disrupting industrial processes?

D4IoT sensors are deployed using an out-of-band architecture model. Sensors never operate inline with traffic. Rather, they operate passively, receiving mirrored traffic from switches through one of two methods:

  • SPAN (or MIRROR) ports can be configured on network switches to mirror traffic from selected VLANs or ports.
  • Network TAPs can act as dedicated hardware devices for this purpose, copying traffic without introducing latency or failure points.

When it comes to multiple VLAN coverage, SPAN sessions can be configured to mirror traffic from those VLANs. Large environments may need aggregation switches or multiple sensors to cover all network segments. Some network topologies may enable trunking of SPAN ports between switch stacks for additional aggregation.

What is the difference between the OT/ICS sensor, the enterprise IoT (agentless) discovery via Defender for Endpoint, and the embedded device agent options in Defender for IoT?

Between Defender for IoT and Defender for Endpoint, Microsoft offers two different approaches to discover connected devices and secure them across OT and IoT environments.

  • An OT/ICS network sensor is a passive, agentless solution that passively monitors OT devices by analyzing mirrored traffic.
  • Enterprise IoT Discovery via Defender for Endpoint is an agentless discovery method for IoT devices in IT networks. It uses existing Defender for Endpoint agents on Windows endpoints to scan network traffic and identify unmanaged IoT devices.

Here’s how the two recommended methods compare.

Feature / Aspect | OT/ICS Sensor | Enterprise IoT Discovery
Deployment Model | Passive network sensor (SPAN/TAP) | Uses Defender for Endpoint agents on Windows machines
Target Environment | Industrial OT/ICS networks | Enterprise IT networks with IoT devices
Coverage | OT protocols (Modbus, OPC UA, DNP3, etc.) | IT protocols (HTTP, SMB, SNMP, etc.)
Agent Requirement | No agents (agentless) | No agents on IoT devices; uses existing EDR to detect those devices
Visibility | Network traffic, device inventory, anomalies | Network-based IoT asset discovery alone (no monitoring)
Threat Detection | Behavioral analysis, protocol anomalies, suspicious traffic, unauthorized access | Basic risk assessment and inventory alone
Use Case | Securing industrial control systems | Discovering unmanaged IoT in corporate LAN

As you can see, the OT/ICS sensor approach is far more comprehensive than the mere device discovery offered by Defender for Endpoint.

How can I monitor traffic from an unmanaged switch, or if I have a ring topology?

Defender for IoT offers great options for dealing with these unique networking scenarios. Here are your options.

Unmanaged switch

If the switch doesn’t support SPAN, you can install a network TAP between the unmanaged switch and its upstream switch or router. This TAP can copy traffic to the D4IoT sensor without affecting operations.

If that approach isn’t a good fit, you can mirror traffic from the upstream managed switch that connects to the unmanaged switch. This gives you visibility into all devices behind the unmanaged switch.

Ring topology

Place the sensor at a central aggregation point or core switch where the ring connects to the broader network. Configure SPAN sessions on that switch to mirror traffic from all ring ports. If the ring uses managed switches, you can SPAN from multiple switches and aggregate feeds into the sensor.

For very large rings, consider multiple sensors or traffic aggregation devices. If you have especially complex topologies, Microsoft recommends network visibility planning to ensure full security coverage for all devices monitored by D4IoT.

Do I have to be an Azure customer to use Microsoft Defender for IoT, or can I deploy it entirely on-premises?

Existing (legacy) on-premises deployments of D4IoT can continue to function. However, note that Microsoft stopped providing support, updates, and bug fixes for on-premises (legacy) consoles on January 1, 2025.

Also note that new sensors produced after January 1, 2025 can’t connect to legacy on-premises management consoles.

For new deployments of D4IoT, Microsoft recommends cloud or hybrid architectures. Here’s what that looks like in detail.

Deploying D4IoT in a hybrid, cloud-connected model

If you connect D4IoT to Azure, you gain centralized visibility across multiple sites and advanced threat intelligence updates. In this model, you can also integrate D4IoT with Microsoft Sentinel, Microsoft Defender XDR, and other Azure security services.

This approach is a great fit for organizations that need unified security monitoring, reporting, and threat analysis and response across OT and IT networks.

What has changed after the legacy on‑prem management console was retired in 2025?

Microsoft retired the legacy on-premises management console for D4IoT on January 1, 2025. New sensors produced after that date can’t connect to the legacy on-prem console. Existing sensors can continue connecting to the on-prem console, but the console is now unsupported and will receive no maintenance from Microsoft.

Note that air-gapped deployments continue to function normally. The sensor UI, CLI, and local data processing remain available, and you can manage sensors directly via sensor console, CLI, or third-party APIs such as SIEM integrations.

Here’s a summary of what has changed and what remains the same.

Aspect | After Jan 1, 2025
------ | -----------------
Console availability | Existing legacy consoles continue to operate in an unsupported state; no future updates available.
New sensor support | New sensors (after 1/1/25) won’t connect to the legacy console.
Air-gapped functionality | Remains intact through sensor UI, CLI, local processing, and APIs.
Support & updates | Have ended for the on-premises console.
Recommended deployment model | Cloud or hybrid, with sensors integrating to Azure, Sentinel, or a third-party SIEM.

The takeaway: Don’t leave your OT/ICS devices unsecured

OT networks and devices present unique security challenges, but Microsoft Defender for IoT solves these problems. The key is to implement the solution in a way that fits your network and your operations. If you need help with D4IoT, get in touch. Our Microsoft security experts are standing by to build a comprehensive plan to protect your critical equipment.

Ready to solve your OT security challenges?

Reach out to schedule a consultation with our Microsoft D4IoT specialists.

What Is Microsoft Defender for IoT? https://corsicatech.com/blog/what-is-microsoft-defender-for-iot-d4iot/ Tue, 27 Jan 2026 15:20:00 +0000

💡 Need help with OT security? 

We offer a 60-day Proof of Concept for Microsoft D4IoT.

What Is Microsoft Defender for IoT?

Last updated March 4, 2026.

How secure is the world of OT (operational technology), also known as industrial security?

Here’s a shocking stat. 98% of IoT device traffic is unencrypted.

Yet according to SANS, only 12.6% of organizations have full visibility across the cyber kill chain for industrial control systems.

Clearly, unsecured OT and IoT (internet of things) infrastructure is the biggest risk that many companies face.

Microsoft Defender for IoT solves many of these problems—but it must be configured and managed properly.

Here’s everything you need to know about this incredible tool.

Key takeaways:

  • OT and IoT devices require special cybersecurity measures due to their inherent vulnerabilities.
  • With limited computing power, OT and IoT devices require a passive monitoring approach, which is fundamentally different from IT security approaches.
  • Microsoft Defender for IoT is a great choice for monitoring and protecting these devices.
  • Defender for IoT can integrate into Microsoft Sentinel/Defender XDR, providing SOC analysts with comprehensive, real-time, and converged visibility across OT, IoT, and IT environments.

What is Microsoft Defender for IoT?

Microsoft Defender for IoT is a comprehensive security solution designed to protect devices in IoT and OT environments. Also known as D4IoT, the software focuses on safeguarding these devices from the unique cyberthreats that they face.

Here are the functions that D4IoT covers:

  • Real-time asset discovery: Through passive network monitoring, D4IoT automatically identifies IoT and OT devices connected to your network.
  • Vulnerability management: D4IoT detects vulnerabilities on connected devices as well as misconfigurations and risky behaviors. The tool also prioritizes vulnerabilities according to severity and risk level.
  • Continuous monitoring: D4IoT monitors for anomalies, suspicious traffic, and unauthorized connections in real time, using behavioral analytics and threat intelligence designed specifically for IoT and OT environments.
  • Integrated security management: D4IoT can integrate with Microsoft Defender XDR, Microsoft Sentinel, and other SOC tools. This gives cybersecurity teams a cohesive view of IT and OT security in real time, plus in-line access to industry-leading SOAR (Security Orchestration, Automation, and Response) features for real-time OT attack mitigation.
  • IoT device firmware analysis: D4IoT provides a firmware supply chain protection feature that supports Zero Trust initiatives. Uploaded firmware images from device vendors can be scanned for embedded security threats, vulnerabilities, and common weaknesses that may otherwise be undetectable—before the code is downloaded to any production OT devices.

Why do OT devices need special protection?

OT and IoT devices need special protection because they operate differently from traditional IT systems. Many of these devices were designed decades ago, before the advent of modern cybersecurity best practices and frameworks. Additionally, many modern OT devices require a ‘phone home’ capability to vendor clouds, creating an unavoidable IT/OT convergence. Consequently, OT assets pose a unique cybersecurity risk, and they require a dedicated cybersecurity strategy as well as ongoing cybersecurity management.

Here are the main reasons that these devices require their own security practice.

  1. OT/IoT devices run on aging systems that are hard to update. Old firmware and legacy operating systems present unique challenges when it comes to patch management. Executing these updates often requires physical access, specialized knowledge, and production downtime. These roadblocks cause organizations to postpone updates, which leads to the accumulation of many security vulnerabilities over the long term.
  2. OT/IoT devices don’t have enough computing power to run security agents. OT and IoT devices have limited CPU, memory, and storage capacities. Unlike workstations or servers, they can’t support antivirus software or endpoint detection. They may crash if an external agent scans them. To get around these limitations, these devices require agentless, passive monitoring, a completely different approach than standard IT security.
  3. OT/IoT devices come with weak default security and credentials. Hardcoded passwords, default credentials that are searchable online, minimal encryption, and proprietary protocols without authentication make these devices sitting ducks. They require an intentional security strategy to overcome these weaknesses.
  4. OT/IoT devices control critical infrastructure. An attack against an OT/IoT device usually has physical consequences. From medical equipment to manufacturing equipment to power distribution systems, these devices manage crucial processes in the real world. Outages can lead to medical emergencies, production halts, safety hazards, and environmental crises. These high-stakes devices are prime targets for hackers who want to hold systems for ransom or disrupt critical processes for their own gain.
  5. OT/IoT devices weren’t designed for internet exposure. Original OT networks were isolated and air-gapped, without internet connectivity. Modern digital transformation initiatives have led to massive, complex, interconnected environments, thus exposing OT networks to the internet. Also, consider that even an air-gapped OT network is vulnerable to physical intrusion and merits attack detection sensors.

These are the primary reasons that OT/IoT devices require dedicated protection. They simply weren’t built for the world in which they now operate.

What types of devices does D4IoT protect?

Defender for IoT protects OT (operational technology) and industrial systems. There are many use cases for D4IoT. Here are the most common types of devices that D4IoT protects.

Industrial OT devices

  • SCADA systems (Supervisory Control and Data Acquisition)
  • BMS (Building Management Systems)
  • DCS devices (Distributed Control Systems)
  • PLCs (Programmable Logic Controllers)
  • RTUs (Remote Terminal Units)
  • HMIs (Human-Machine Interfaces)
  • Industrial sensors and meters
  • ICS (industrial control systems)

Enterprise IoT (office automation) products and devices are protected by a different Microsoft product, Defender for Endpoint, when it is licensed as part of Microsoft 365 E5 or E5 Security, or as Microsoft Defender for Endpoint P2, together with an extra, standalone Microsoft Defender for IoT – EIoT Device License. Like OT/industrial security devices, Enterprise IoT devices can’t host their own security agent and must be monitored in a passive fashion.

This article covers the D4IoT industrial security product, but information is provided on the EIoT product for completeness. Here are the most common types of devices that Defender XDR-based Enterprise IoT protects.

Enterprise IoT devices

  • VoIP phones
  • Printers
  • Scanners
  • IP cameras
  • CCTV systems
  • Smart TVs
  • Other connected appliances

How does Defender for IoT bridge the visibility gap in IoT/OT cybersecurity?

Microsoft Defender for IoT bridges the visibility gap between IT, OT, and IoT networks by providing comprehensive, contextual, real-time monitoring and reporting of devices and network behavior. The software achieves this feat without disrupting the operation of critical systems.

Here’s how D4IoT achieves all this in detail.

  1. Agentless, passive asset discovery ensures that D4IoT doesn’t impact device operation. D4IoT sensors safely identify every connected device in the environment without the risk of creating downtime.
  2. Deep understanding of protocols and network topology allows D4IoT to analyze proprietary protocols and understand communication flows across the entire OT/IoT network.
  3. Context-rich device profiles allow D4IoT to understand the purpose of each device, how it operates, and how critical it is.
  4. Behavioral analytics for threat detection allow D4IoT to detect unauthorized device activity, abnormal network traffic, and lateral movement across OT/IoT devices.
  5. Integration with SOC tools like Microsoft Defender XDR, Microsoft Sentinel, and 3rd-party tools provides comprehensive threat visibility across OT/IoT and IT environments.
  6. Risk-based prioritization and threat modeling empower D4IoT to score risks across devices and networks, identify misconfigurations and vulnerabilities, and model the most probable attack paths to critical assets.

Can D4IoT integrate with Sentinel?

Yes! D4IoT is powerful on its own, but organizations unlock even more value when they integrate D4IoT with Microsoft Sentinel, the company’s flagship SIEM (security information and event management) solution.

Here’s what you get when you integrate the two systems.

  • Centralized OT/IoT security monitoring: Alerts generated by D4IoT flow right into Microsoft Sentinel, giving your SOC team full visibility into your IT, OT, and IoT environments.
  • Automated investigation and response: You can configure Sentinel playbooks as SOAR mitigations to respond automatically to OT/IoT alerts. For example, these playbooks can notify operators, isolate network segments, or add contextual background to threat intelligence.
  • Cross-domain correlation: Sentinel connects the dots between IT endpoints, identity platforms, and cloud workloads, allowing the signal to emerge from the noise.
  • Enriched incident investigation and handling: Incident tags, automation rules, watchlists, and the Machine Learning (ML) provided by User and Entity Behavior Analysis (UEBA) accelerate triage with higher fidelity and accuracy.
  • Advanced analytics and threat hunting: D4IoT integrated into Sentinel allows you to run KQL (Kusto Query Language) queries on D4IoT data. This empowers your SOC analysts to detect lateral movement as well as anomalies in protocols and device behavior.

What does it take to support D4IoT?

D4IoT is a cross-functional tool within the broader domain of IT and cybersecurity. While setting up D4IoT is fairly easy, you’ll need these resources on staff with bandwidth available to manage it in-house:

  • Network engineering team
  • OT network management resource
  • SOC team
  • IT/OT admin and sensor management resource

The workload can become significant, which is why many organizations choose to outsource their OT/IoT cybersecurity. Doing so allows the customer to reduce costs and vendor count—especially if the MSP offers comprehensive managed services, as Corsica Technologies does.

If you choose to outsource, your MSSP (managed security service provider) should bring these roles into the management of your D4IoT instance and all relevant devices:

  • IT/OT/IoT network consultant
  • Sensor installation and network integration resources
  • SOCaaS (SOC as a service) team
  • Ongoing vCISO (virtual CISO) consulting

Some organizations choose a hybrid approach, in which internal resources collaborate with an MSSP to cover all the bases. Whichever way you go, a provider like Corsica can help you get the full security coverage you need for these vulnerable devices and environments.

The takeaway: Don’t wait to protect OT

The modern threat environment is evolving too fast for organizations to sit on their hands. Without appropriate protection, OT/IoT devices are prime targets for exploitation. This is why Corsica Technologies brings deep expertise in OT/IoT security to the table. If you’re interested in Microsoft Defender for IoT, contact us today, and let’s take your next step.

John is Senior Director of Technology at Corsica Technologies. Awarded Microsoft MVP for 18 years (2007-2026), he is currently dual-awarded in Azure Management and Cloud Security. He is a certified Azure Solutions Architect Expert and Microsoft Cybersecurity Architect Expert. John co-authored the four books in the industry-standard reference series, System Center Operations Manager: Unleashed (Sams publishing). His most recent book ‘Azure Arc-Enabled Kubernetes and Servers’ was published by Apress. Specialties include Microsoft Sentinel/Defender XDR, Security Copilot, Defender for Cloud, Defender for IoT, Azure Monitor, and Azure Arc. He is a retired U.S. Navy Lt. Commander who served as Chief of Network Operations for NATO southern region and national Network Security Officer for the Navy Bureau of Personnel.

Critical HIPAA Updates for 2026 https://corsicatech.com/blog/hipaa-updates-security-rules/ Mon, 19 Jan 2026 14:41:19 +0000

✓ HIPAA Compliance Checklist

UPDATED for 2026

Critical HIPAA Updates for 2026

Last updated February 16, 2026.

HIPAA requirements are changing again in 2026. Some requirements have already been finalized with compliance deadlines in 2026. Other changes are on the agenda for HHS to approve in 2026, with compliance deadlines not yet finalized.

If you have a managed service provider for healthcare, your provider can help you understand the changes.

Either way, there’s a lot to know.

So what’s definitely changing?

What’s likely to change?

Here’s everything you need to know to achieve and maintain HIPAA compliance in 2026.

Key takeaways:

  • Covered entities must publish their new NPPs (Notices of Privacy Practices) by February 16, 2026.
  • HHS will significantly overhaul the Security Rule in 2026, with likely changes affecting HIPAA cybersecurity requirements.
  • Covered entities should start preparing to meet the new requirements now, as some may create significant changes to operational processes and technology environments.

What rules are being added to HIPAA in 2026?

Significant changes are coming to HIPAA in 2026. Some changes will require compliance in calendar year 2026, while others will be finalized in 2026 with compliance dates not yet determined.

Here’s a high-level overview of the 2026 changes to HIPAA.

  • New privacy practice requirements (required by 2/16/26)
  • Overhauled Security Rule (finalization expected May 2026)
  • Mandatory MFA (multifactor authentication)
  • Mandatory encryption of ePHI (electronic Protected Health Information)
  • Mandatory audits, vulnerability scans, penetration tests, and more

We’ll unpack each of these below.

How are HIPAA privacy notice requirements changing in 2026?

By February 16, 2026, all NPPs (Notices of Privacy Practices) must be revised to explain patients’ rights. These new NPPs must explain to patients how their personal information is protected in compliance with the updated HIPAA Privacy Rule that was finalized in April 2024.

What changes are coming to the HIPAA Security Rule in 2026?

The HIPAA Security Rule has remained largely unchanged since its introduction in 2003, with the last formal update occurring in 2013. HHS released a Notice of Proposed Rulemaking (NPRM) on December 27, 2024 that would significantly revise the Security Rule. The intent is to release a modernized version of the Security Rule that offers better protection for ePHI (electronic protected health information).

HHS plans to finalize the new Security Rule in May 2026. Required compliance dates will likely be set at that time.

These changes have significant implications for the policies, operations, and cybersecurity controls of covered entities. In a nutshell, the new Security Rule will revolutionize HIPAA cybersecurity requirements.

Here are the new requirements that HHS is expected to include in the rule.

1. Removal of “required” vs “addressable” distinctions

The revised rule would eliminate the longstanding flexibility that allowed entities to treat certain safeguards as “addressable.” Nearly all implementation specifications would become mandatory, with only narrow exceptions remaining.

2. Mandatory written documentation

To improve auditability and enforcement, the revised rule would require entities to maintain comprehensive written documentation of the following information and processes.

  • Policies and procedures relating to the HIPAA Security Rule
  • Plans relating to the Security Rule
  • Analyses and compliance activities

3. Technology asset inventory and network mapping

The revised rule would require organizations to:

  • Maintain a technology asset inventory
  • Create and update a network map showing how ePHI moves throughout the entity’s systems
  • Update both the map and the inventory annually, or when system changes affect ePHI

4. Formal compliance audit every 12 months

The revised rule would require covered entities to conduct a formal compliance audit every twelve months. Business associates (BAs) would be required to share results with all their covered-entity clients. This new requirement will place HIPAA compliance under the microscope for every covered entity.

5. More stringent cybersecurity requirements

The revised rule would introduce tighter requirements for cybersecurity and information security.

  • MFA (multifactor authentication) required for all system access, whether remote or onsite.
  • Role-based access controls would be required.
  • Automatic session timeouts would be required.
  • Revocation of system access within one hour of workforce termination would be required.
  • Encryption of ePHI in transit and at rest would be required rather than “addressable.”
  • A 24-hour incident reporting timeline would now be required.
  • A written incident response plan, along with annual incident response testing, would now be required.
  • Covered entities would be required to demonstrate the capability to restore critical systems within 72 hours of an incident.
  • NIST-aligned security practices would now be required.
  • Vulnerability scans would be required every six months.
  • Penetration testing would be required once a year.

6. Enhanced requirements to BAAs (business associate agreements)

The revised rule would require more specific language in BAAs (business associate agreements), eliminating the ability of covered entities to use certain types of blanket statements. BAAs would have to specify all of the new cybersecurity requirements, including MFA, data encryption, incident reporting timeline, vulnerability scanning requirements, penetration testing requirements, and so on.

7. Expanded and more detailed risk assessments

The revised rule would require risk assessments to be more detailed, thoroughly documented, conducted every 12 months, and designed to drive actionable security improvements. Aligning with the NIST Cybersecurity Framework may help covered entities achieve compliance more efficiently and consistently.

How can covered entities comply with new HIPAA regulations in 2026?

Covered entities need to first understand how HIPAA is changing, then implement changes to their processes, systems, and cybersecurity controls to achieve and maintain compliance. Here’s an overview of what companies can do to comply with HIPAA in 2026.

1. Meet updated Security Rule requirements (major overhaul)

  • Implement mandatory multi‑factor authentication (MFA)
  • Encrypt ePHI at rest and in transit
  • Maintain detailed asset inventories
  • Conduct ongoing, documented risk analyses
  • Strengthen logging, monitoring, and incident response
  • Update backup and disaster recovery processes

2. Update policies and documentation (required for all Security Rule components)

  • Maintain documented policies for every Security Rule standard
  • Retire the distinction between “required” and “addressable” safeguards (all become required except limited exceptions)
  • Document network maps showing ePHI flows (updated at least annually or after environmental/operational changes)

3. Comply with new reproductive health privacy rules

  • Revise Notices of Privacy Practices (NPPs) by Feb 16, 2026
  • Require signed attestations for certain PHI disclosures
  • Train staff on new routing and review workflows

4. Implement changes to 42 CFR Part 2 (substance use disorder data alignment)

  • Update NPPs, consent forms, BAAs, and internal procedures to reflect new disclosure rules
  • Identify and segment all SUD-related data across EHRs, billing systems, and third-party tools
  • Ensure minimal necessary access and redisclosure restrictions remain in place

5. Prepare for interoperability and access enhancements (emerging)

HIPAA changes in 2026 emphasize operational compliance, which means embedding privacy and security into daily workflows. For covered entities, this will most likely mean:

  • Strengthened patient access processes
  • Improved cross‑system interoperability
  • Documentation to demonstrate real‑world compliance, not just paperwork

6. Plan for shorter breach reporting expectations (if final rule passes)

Proposed changes include 24‑hour breach reporting requirements for business associates. If the final rule passes, covered entities must:

  • Update BAAs with new timelines
  • Implement rapid‑detection tools
  • Establish immediate internal escalation procedures

Clearly, there are many requirements that covered entities must meet. Companies that lack internal staff to execute these initiatives often choose a cybersecurity company with healthcare expertise, such as Corsica Technologies.

What are the best cybersecurity services for healthcare organizations that ensure HIPAA compliance?

The exact answer will depend on what cybersecurity capabilities the organization has on staff—and what functions must be covered by a managed service provider. That said, here are the most common cybersecurity services that Corsica Technologies implements for healthcare providers. Many of these overlap each other.

  • HIPAA cybersecurity compliance consulting
  • Identity and access management
  • MDR (managed detection and response)
  • SOCaaS (SOC, i.e. security operations center, as a service)
  • DLP (data loss prevention)
  • Managed network security
  • Managed cloud services, including security
  • Zero-trust network design

The takeaway: Get the support you need to comply with HIPAA in 2026

HIPAA compliance is only getting more complex in 2026, which increases the burden on covered entities to achieve and maintain compliance. If you need additional expertise and bandwidth, Corsica Technologies is here to help. Our cybersecurity team maintains deep expertise in HIPAA, and we’ve helped 1,000+ companies achieve their goals with technology. Contact us today, and let’s take your next step.

Ross Filipek is Corsica Technologies’ CISO. He has more than 20 years’ experience in the managed cyber security services industry as both an engineer and a consultant. In addition to leading Corsica’s efforts to manage cyber risk, he provides vCISO consulting services for many of Corsica’s clients. Ross has achieved recognition as a Cisco Certified Internetwork Expert (CCIE #18994; Security track) and an ISC2 Certified Information Systems Security Professional (CISSP). He has also earned an MBA degree from the University of Notre Dame.

IT Consulting for Law Firms: Finding the Right Partner https://corsicatech.com/blog/it-consulting-for-law-firms/ Tue, 13 Jan 2026 15:20:00 +0000

Practicing law has become more complex than ever in the digital age. On top of the complications of actual cases, law, and precedent, lawyers must deal with technology that often makes life harder rather than easier.

This is why many companies turn to IT consulting and managed services for law firms.

But what exactly can IT consultants do for lawyers?

How do you find the right partner?

We’ve got all the answers below.

Key takeaways:

  • IT consultancies help law firms stay focused on legal practice rather than getting bogged down in IT challenges.
  • The best IT consultancies have deep experience with legal software, workflows, and industry requirements for compliance and security.
  • IT consultancies can help law firms integrate their systems, eliminating duplicate effort and data entry errors.

What types of services can law firms get from IT consultants?

The best IT consultancies offer comprehensive services for IT and cybersecurity—and they adapt their offerings to the unique needs of legal firms. At a high level, here are the most popular services that Corsica Technologies’ clients request in the legal field.

  • IT and cybersecurity consulting
  • Managed IT services
  • Managed cybersecurity services
  • SOCaaS (SOC, i.e. security operations center, as a service)
  • Compliance services (ABA, state laws, NIST, HIPAA, FTC Safeguards Rule, and others)
  • Data integration solutions and services
  • EDI solutions and services
  • AI and business transformation services
  • IT procurement services
  • HaaS (hardware as a service)
  • Business growth consulting
  • M&A consulting

As a comprehensive MSP (managed service provider) and IT consultancy, Corsica Technologies offers all these services. Law firms typically bundle several services to achieve cost savings and reduce vendor count.

Why do law firms choose IT consulting?

It’s challenging for law firms to tackle their IT challenges with internal resources. Many firms don’t have internal IT teams, because they need to control costs and maximize profits. Even larger firms with internal IT teams may lack specialized skills or bandwidth. Whether or not a law firm has IT staff, it typically chooses IT consulting as the most cost-effective way to get specialized help with technology strategy, challenges, and systems.

Will an IT consultancy understand our specific legal tech stack?

If an IT consultancy has experience in the legal industry, they should be familiar with your tech stack. That includes systems like:

  • Clio
  • iManage
  • NetDocuments
  • MyCase
  • LEDES EDI systems and integrations

The right IT consultancy can help you maximize your practice management software and streamline your EDI workflows. Look for a consultancy that has experience in the legal industry and deep EDI expertise.

How do IT consultancies align their offerings with a law firm’s unique practice areas and growth plans?

The right IT consultancy will take a detailed approach to understanding your practice areas and growth plans. Here’s the process that we recommend at Corsica Technologies.

1. Understand practice‑area workflows

Consultants analyze how each specialty operates—litigation, corporate, IP, real estate, etc.—and map the tech needs tied to their unique workflows and risk levels.

2. Connect technology to firm growth goals

Top consultancies align their solutions with the firm’s strategic plans, such as office expansion, new practice areas, attorney headcount growth, or improved client experience.

3. Address legal risk, ethics, and compliance

Cybersecurity, confidentiality, conflict management, and regulatory requirements guide system design, ensuring the tech stack meets the ethical demands of legal practice.

4. Improve core legal workflows

Consultants streamline end‑to‑end processes (intake, document drafting, e‑discovery, billing) with tools like DMS, automation, AI research, and practice management platforms.

5. Partner with firm leadership

IT consultants collaborate with managing partners, practice chairs, internal IT, and legal ops to uncover pain points, understand client expectations, and ensure alignment with firm culture.

6. Build a three‑year technology roadmap

IT consultancies like Corsica Technologies deliver three-year plans covering cloud adoption, DMS modernization, cybersecurity maturity, AI strategy, and budget forecasting to support firm‑wide growth.

7. Drive lawyer‑focused change management

Training and adoption programs are customized for busy, risk‑averse attorneys—using practice‑specific examples, super‑users, partner briefings, and white‑glove support.

How do IT consultancies ensure compliance with ABA and FTC safeguards?

Top IT consultancies take a process-driven, detail-oriented approach to compliance. Here’s what that typically looks like.

1. Build and maintain a written information security program (WISP)

Consultancies create or refine a law firm’s WISP to align with ABA cybersecurity expectations and the FTC Safeguards Rule, documenting security policies, risk management processes, and compliance measures. Regular reviews and automated compliance tracking keep the program current.

2. Implement safeguards required under the FTC rule

The FTC Safeguards Rule was expanded in 2023 to apply to law firms handling financial‑related personal data. It now requires administrative, technical, and physical protections. IT consultancies help firms:

  • Conduct risk assessments
  • Implement technical controls
  • Maintain security around sensitive and financial information

3. Align technology controls with ABA model rules

Consultancies map compliance to relevant ABA Model Rules, including:

  • Rule 1.1 (Competence): Staying informed on technology risks
  • Rule 1.6 (Confidentiality): Implementing reasonable measures to prevent unauthorized access
  • Rule 5.3: Ensuring third‑party technology vendors meet ethical duties

4. Strengthen access controls and authentication

IT consultancies can establish security controls such as:

  • Multi‑factor authentication (MFA)
  • Role‑based access
  • Session monitoring and anomaly detection

These controls are core to both ABA confidentiality expectations and FTC‑mandated safeguards.

5. Encrypt and protect client and case data

IT providers secure data in transit and at rest. They also audit storage systems and restrict document access to authorized personnel, helping clients meet ABA confidentiality rules and FTC data protection requirements.

6. Provide ongoing cybersecurity training and phishing defense

Consultancies help firms meet “reasonable efforts” obligations by delivering:

  • Regular employee security training
  • Phishing simulations
  • Social‑engineering awareness

These services support ABA duties around competence, supervision, and safeguarding client property.

7. Establish incident response and continuous monitoring

IT consultancies develop incident‑response plans that preserve attorney‑client privilege and comply with FTC expectations for breach readiness. Continuous monitoring and annual penetration testing ensure ongoing compliance and risk mitigation.

How can IT consultancies integrate IT systems for law firms?

How can IT consultancies integrate document management, timekeeping, billing, and CRM so attorneys don’t enter the same data multiple times?

IT consultancies integrate document management, timekeeping, billing, and CRM by building a unified data architecture where all systems share a single source of truth. This is typically done through API‑based integrations, workflow automation platforms (like Microsoft Power Automate), and synchronized matter‑centric data models.

When a new client or matter is created in the CRM or intake system, that information automatically populates the document management system, timekeeping tools, and billing platform. This eliminates the need for attorneys to re‑enter details across multiple applications.

IT consultancies also streamline end‑to‑end legal workflows by connecting these systems through standardized fields, automated provisioning, and smart validation rules. For example, once a matter is opened, the system can auto‑create workspace folders in the DMS, set up timekeeping codes, and generate billing profiles in the accounting system. With everything linked, updates in one system cascade across the others, ensuring consistency and freeing attorneys to focus on billable work instead of administrative tasks.

These streamlined workflows help reduce data entry errors and optimize lawyers’ time—so they can focus on their clients and their cases.

How can we securely enable remote/hybrid work while keeping access to case files fast and reliable?

You can support secure remote work by combining strong identity controls with a cloud‑based, matter‑centric file system that keeps client data protected while ensuring fast access. The foundation is a zero‑trust security model using multi‑factor authentication, conditional access policies, device compliance checks, and encrypted connections (e.g., VPN or secure virtual desktops).

When implemented together, these controls ensure that only verified users on trusted devices can reach sensitive case materials. Layering in a modern cloud DMS—such as iManage Cloud, NetDocuments, or Microsoft SharePoint with legal‑grade controls—provides encrypted storage, geographic redundancy, and role‑based permissions that mirror ethical‑wall requirements.

To keep workflows fast and reliable, IT consultancies deploy optimized cloud infrastructure, including local file caching, content delivery networks, and intelligent synchronization. These features allow attorneys to open large pleadings, exhibits, or discovery sets without lag, even over home internet.

IT consultancies typically pair these technologies with modern collaboration tools (Microsoft Teams, secure portals, digital binders) and monitor performance to ensure smooth, real‑time access. Combined, this approach gives attorneys firm‑grade security everywhere they work—without slowing them down.

Can an IT consultancy serve as our “vendor liaison” so we can focus on our practice?

Absolutely. Look for an IT consultancy that provides ongoing managed services, as Corsica Technologies does. Under the managed services umbrella, “vendor liaison” is usually called “IT procurement services.” The IT consultancy takes full ownership of your relationship with different vendors, including procuring new hardware and software as needed—with the client maintaining final approval control.

Learn more here: IT Procurement Services.

What should we look for in an IT consultancy?

Law firms encounter unique challenges in the world of IT and cybersecurity. Not every IT consultancy has experience in the legal industry, which means law firms must engage in a comprehensive discovery process as they vet potential partners.

Here’s everything you should look for in an IT consultancy.  

1. Deep expertise in the legal industry

Choose an IT consultancy that knows how law firms actually work. The consultancy should have knowledge of matter‑centric workflows, DMS platforms, intake and conflict‑check processes, e‑discovery, ethical walls, and client confidentiality rules. Law firms also benefit from partners who understand ABA Model Rules, state bar expectations, and the security standards of the legal industry.

2. Strong capabilities in cybersecurity and compliance

The IT consultancy should be capable of building and maintaining zero‑trust architectures, implementing MFA and conditional access, encrypting data, and providing incident‑response planning. They should also be fluent in requirements like the FTC Safeguards Rule, data‑residency concerns, and the law firm’s own ethical obligations to protect client information.

3. Proven experience with legal technology systems

Look for a consultancy that has hands‑on experience with tools like iManage, NetDocuments, Intapp, Aderant, Clio, Litify, Relativity, and Microsoft 365. A knowledgeable consultancy can integrate these systems so attorneys avoid duplicate data entry, keeping workflows efficient.

4. Ability to support remote and hybrid work securely

A strong IT partner should deliver cloud‑based DMS access, secure virtual desktops, optimized network performance, and collaborative tools that preserve attorney‑client privilege while enabling flexibility.

5. Strategic planning, not just technical support

The best IT consultancies help firms build long‑term technology roadmaps—covering cloud adoption, AI, cybersecurity maturity, automation, and digital transformation—aligned with the firm’s practice areas and growth plans.

6. Reliable, responsive support

Law firms need fast, knowledgeable support, especially for litigation deadlines and time‑sensitive matters. A consultancy should offer 24/7 monitoring, proactive maintenance, and legal‑focused helpdesk expertise.

7. Strong change management and training capabilities

Attorneys are busy and risk‑averse. This means an IT consultancy should provide tailored training, rollout planning, partner‑level communication, and user‑adoption strategies that fit the culture of a legal environment.

The takeaway: Get the IT consulting perspective you need

Practicing law is more complex than ever in today’s digital ecosystem. The right IT consultancy can help you navigate the waters of technology, making crucial decisions to secure information and reduce waste. Here at Corsica Technologies, we’ve helped 1,000+ companies achieve their goals through technology. Contact us today, and let’s take your next step.
