5 Reasons You Should Separate IT from InfoSec

This article discusses the differing responsibilities of IT and InfoSec, the importance of understanding data ownership, and how to manage the cost of adding InfoSec to your business security planning.

Susan received an email from a vendor requesting that their upcoming invoice be paid to a new account number. Following company policy, she forwarded the request to her supervisor, who forwarded it up the chain to the CFO, who approved it and wired the money.

The email carried the vendor's usual signature block and the invoice was exactly like the invoices they'd paid in the past. There were no obvious signs that the email was a whale-phishing (business email compromise) scam. A plausible signature and a familiar invoice layout prove nothing, though; the only reliable control for a change of payment details is confirming it with the vendor through a previously verified contact, outside the email thread, and the policy did not require that.

By the time the authorities got involved, the money was gone, and the CFO was fired.

Why Your IT Department IS NOT Ultimately Responsible for Data Protection

The data owner is the person (or persons) ultimately accountable for data protection: typically the business owner, president, C-level executive, or whoever has a fiduciary duty to the shareholders. IT and InfoSec implement controls on the owner's behalf, but accountability does not transfer with the work.

Most SMBs Make This Security Mistake

When it comes to data and network security, one of the biggest mistakes business leaders make is leaving security entirely to their IT department.

The difference between Information Technology (IT) and Information Security (InfoSec) is simple: IT manages your day-to-day operational needs to keep the business up and running, while InfoSec has the expertise to protect the business and its data.

Data owners should know the distinction between the two.

InfoSec responsibilities include:

  • managing risk
  • protecting your information and assets/data
  • establishing policies and procedures to help reduce the probability of a data breach
  • managing compliance issues
  • implementing an incident response plan
  • designing a program that protects the confidentiality, integrity, and availability (the CIA triad) of information
  • providing ongoing guidance and consulting
  • working with your IT department to ensure that necessary security measures don’t disrupt worker productivity

Benefits of Separating IT and InfoSec:

  1. Accessibility and convenience versus security and compliance

IT is responsible for making sure the day-to-day operations of a business are running smoothly when it comes to technology. Workflow, functionality, and sometimes convenience for employees are important to the success of the workday. However, it is not uncommon for an IT engineer to forgo certain security measures if they interfere with worker productivity.

For example, when discussing the cloud security breach that happened to Wyze Labs in late 2019, Dan Ehrlich, a Texas-based computer security consultant who discovered the Wyze breach, said: “The cloud has made expectations of fast delivery a reality, and so the temptation is enormous for engineers to pull down the firewall when they’re on the hook to deliver. Sometimes the engineers fail to lock up again.”

InfoSec, on the other hand, has the expertise to measure your company’s level of risk and implement the security measures that both protect the company and minimize the impact on the productivity of other departments.

  2. Auditing & Assessments

Expecting a member of your IT team to audit their own department is not good security practice. It is always better to have a third party conduct network security audits and assessments. Your InfoSec team will actively look for security gaps as a means of improvement (you are never 100% secure), and whether it is a separate department or an outsourced vendor, it will work closely with auditors and assessors so that findings turn into remediation rather than a report on a shelf.

  3. InfoSec is business risk, not IT risk

InfoSec is an opportunity to manage business risk, not just IT risk.

Increasingly, CISOs report directly to the CEO rather than to the CIO as they did in the past. This keeps the people accountable for business risk (the CEO and the Board of Directors) directly informed of bigger-picture security incidents such as data breaches, instead of having that news filtered through the department whose work is being judged.

  4. Day-to-day operations vs. incident response

If an incident does occur, it is beneficial to have a separate team of InfoSec specialists who can run the incident response plan (containing the incident, preserving evidence, and coordinating recovery) while the IT department keeps everyday operations running. Without that separation, the same people are asked to restore service and investigate the cause at once, and evidence is usually what gets lost.

  5. Budgeting

In many organizations the InfoSec budget has been a line item within the IT budget. However, as stated above, the IT department can have very different priorities, and security spending competes poorly with projects that deliver visible features. Separating the two and giving them separate budgets allows both to focus on their respective fields and keeps the business functioning and secure at the same time.

Managing the Cost of InfoSec

Having an in-house InfoSec team is rarely cost-effective for a company with fewer than 2,000 employees.

Nor is having your IT team direct your security, because the risk it creates outweighs any savings: an independent layer of oversight catches the gaps that a team without security expertise does not know to look for, and that is what prevents the accidental breach.

Costs also rise when you buy tools you do not need, or lack the expertise to deploy and operate properly; a tool nobody tunes or monitors adds cost without reducing risk.

Before you buy tools or bring in additional personnel, engage a Managed Security Services Provider (MSSP), a virtual CISO (vCISO), or a security consultant to conduct a security posture assessment.

A security assessment is not an audit. An audit measures you against a fixed standard; an assessment highlights what you are doing well, defines the areas that need improving, and details what is missing from your environment. Your consultant then recommends solutions for remediation.

The result is a clear picture of your current risk, against which you can decide what level of risk is acceptable and make informed budgeting decisions about security.

A proper assessment will cost you anywhere from $3,500 to $5,000+ depending on your environment.

At Consilien, we have a team of experts who can perform a detailed assessment to help you make the best security decisions for your organization. Contact us today for a complimentary 30-minute discovery session.

Photo by Philipp Katzenberger on Unsplash