Is security an Information Technology (IT) issue?
The reality is security requires dedicated staff and specialized skills. We constantly have this discussion where IT says, “We can handle this; our IT Director is our security person (and privacy officer and data security officer, and…). We don’t need dedicated security folks.” But the reality is that IT and security look at things differently, and they should have different responsibilities.
IT and Security Have Different Technical Focuses and Goals
IT’s main responsibility is to enable business. That includes keeping systems up and running. If email goes down, someone in IT is going to jump to get it back up. Security, on the other hand, wants to make sure business is done securely. Therefore, IT and Security must act as a check on each other so the business can operate securely.
IT professionals focus on building systems, getting them up and keeping them running. Security, by contrast, looks at those systems and asks whether they are secure, whether Security can break them, and how they could be misused. Those are two different mindsets and skillsets. Many of our security staff liked to take their computers apart when they were kids; they’re curious and want to see if they can make the computer do something it’s not supposed to do. Our security assessors continue to ask the same type of question during an engagement: “Can I make these systems do things they shouldn’t do?” And then we ask ourselves how to fix that and prevent it from happening.
We often compare Security and IT to the medical field where – if you tear your ACL – you’re not going to go to your general practitioner. Instead, you’re going to go to a specialist who can fix it. IT and Security have some overlap in functionality, but they’re different skill sets with a different mindset and a different focus.
Policy Should Dictate Technology
Security policies should dictate how you are securing your environment – not the other way around. Security should define what those policies are, how you are able to secure data, and how you’re able to operate and define what controls need to be in place. IT, on the other hand, should be responsible for implementing those controls or managing compliance with policies and processes according to those directives.
The separation of security and IT will provide the needed checks and balances to ensure your staff know what they’re doing, what they are supposed to be doing, and when something is not being done correctly. It also ensures your organization knows someone is actively managing the needed security controls, and that you’re doing a regular sanity check with Security.
Security is Ultimately a Shared Responsibility
Everyone in the organization is responsible for some part of security – from end users not copying or sending data through personal email to IT patching and building systems securely. Security is a shared responsibility, but it should be driven by security team members who have the right background, skills, and experience in security, risk, and compliance. You must ensure that the teams responsible for IT and those responsible for security come together to jointly meet production, operational, and security needs.
One of the examples we encounter a lot is a security (or potential security) issue that IT is investigating. IT cares most about getting that system back up and running, and they’ll do whatever they consider appropriate, necessary, and potentially successful to get that system back up and running. We’ve seen it in Incident Response where IT is just trying to fix a problem, but the reality is that the problem was a security issue. And by bringing that system back online or working on that system, they’ve instead made the damage worse.
The way people look at a problem is a vital component of success in both IT and Security, which is why it’s critical to ensure that the IT mindset and the security mindset work together. But the two must have different reporting structures to ensure checks and balances, so that both can meet their goals and strike a balance between production and security needs.
FAQ: How do you recommend the business and IT continuously evaluate operational risk?
The key is for IT and Security to maintain a regular cadence with the business to talk about ongoing business initiatives and new threats to the business and its environment. Security should also track, measure, monitor, and communicate metrics and KPIs (Key Performance Indicators). Security must be involved in major business initiatives such as acquisitions, divestitures, or moving into a new facility. All of those have huge implications for the security of the company and the IT environment. That’s why you must have a regular rhythm of communication.
The other aspect is creating a methodology that establishes how you will discuss and work through issues and rank the various risks the organization faces. That methodology should be updated over time using some type of metric that gives you facts you can work with and from which to make decisions.
Want to learn more from Tim, Justin, and many more of our security experts? Then RSVP today for the Core BTS Security Conference 2021 on October 12.