Why InfoSec Should Be Separated From IT - InformationWeek


Commentary | 12/30/2014 01:22 PM | Deena Coffman

Why InfoSec Should Be Separated From IT

The case for taking the information security function out from underneath the IT umbrella.

Many organizations have historically lumped together the information security (InfoSec) and information technology (IT) functions. Because antivirus software, firewalls, and proxies were primary tools used in securing the network -- and IT was responsible for adopting and implementing those measures -- InfoSec appeared to be subsumed under the broader IT umbrella. But their roles are different and distinct.

Think of IT as the architect of the house and security as the fire code. To be sure, IT fulfills an important role in securing digital information, but so do other departments, executives, and all employees and other network users. Because threats converge on IT systems, the InfoSec partnership with IT must be strong, but it is paramount that InfoSec contribute its unique blend of threat awareness, analytics, risk management, and privacy protection separately from IT if the goal is to secure the organization's information assets with sufficiency, adequacy, and objectivity, in balance with its cross-functional risk profile.

New defenses for new threats
The risks financial institutions (FIs) face have multiplied in recent years. Cyber criminals have made rapid advances in establishing efficient marketplaces where data-stealing exploit kits can be bought and stolen data sold. Attackers have also refined their approach to social engineering with very authentic-looking phishing emails and corrupt but believable web links. Add in the increased adoption of online banking, social media sites that facilitate sharing personal information, companies that gather wide swaths of sensitive data for marketing purposes (but then leave it unprotected), and mobile applications that support a large percentage of our communications and transactions, and you have a perfect storm of digital security risk.

Read the rest of this story on Bank Systems & Technology.

Deena Coffman is chief executive officer of IDT911 Consulting and has broad experience providing guidance to clients adopting technology or building programs relating to data privacy, data security, and electronic discovery. Prior to joining IDT, she was the chief operating ...

Comments
Ashu001, User Rank: Ninja, 1/6/2015 | 12:43:06 PM
Re: InfoSec
Brian,

For that to happen you need that level of Foresight and Vision to make it happen.

I don't think everyone in IT Departments has that level of Vision /Thinking in-place.

Rogue Apps are a serious-serious Problem in IT today.

I don't think we are quite ready and willing to deal with them confidently enough even today.

It's difficult to really say which new App will introduce what exactly into our Systems, so it pays to be better safe than sorry.

Defense is most definitely the Best form of Offense here.

P.S

Are you familiar with Anomaly Detection Tools/Software?

I am trialling tools from Prelert in my Enterprise currently and the results are fascinating (and beyond stunning).

A Most interesting tool!

 
Wolf6305
50%
50%
Wolf6305,
User Rank: Apprentice
1/5/2015 | 1:00:49 PM
Re: InfoSec
This is an interesting issue. The main reason info Security should be in a different chain of command than the IT of the organization is that the two organizations have different goals. The security people are specifically investigating the people and practices of the IT people. IT people are driven by a budget requirement to get more done with less money, in less time, with fewer people, so in most cases, things they consider unimportant in relation to that goal are suppressed. Patches and replacement of obsolete software and hardware get put off. Security projects are often left unfunded, and the person in charge gets bigger bonuses when they get through the year on less money. Having a dedicated security department is a lot like having liability insurance on your car. If it wasn't against state law to drive without insurance, a lot of people would convince themselves that they were a safe driver and could self-insure. Insurance is not designed to help when things are going smoothly, and a security department is also intended to be of the most value when something goes wrong.

Another problem: CIO bonuses are not usually attached to the scarcity of successful hacks. Those are treated like flash floods; they are acts of God and cannot be predicted, so the CIO is rarely found to be at fault for being prepared for network exploits. Hard to quantify and expensive whether there is an attack or not. In the case of a smaller company without the funds to have a dedicated security team, I would suggest hiring a managed security services team (MMS) and have them answer to the CFO, not the CIO.

Brian.Dean, User Rank: Ninja, 1/4/2015 | 7:36:27 PM
Re: InfoSec
Agreed, scale is an important consideration before setting up a specialized department. Another consideration that might be equally important are the benefits that IT or employees are enabling by using IT. There will always be employees that bring rogue applications into the enterprise, and IT might find a way to make an old process efficient; the key is that if these enhancements are generating additional revenue of, let's say, $5 million, then a specialized security team of 10 members should not be viewed as a cost, but as an important factor that will enable future profits and the going concern of the business.

Ashu001, User Rank: Ninja, 1/1/2015 | 8:00:23 AM
Re: InfoSec
jaggibons,

One would have to be daft to think that in a Company of up to 1000 employees [which is what you are referring to here], one will find a Separate Security Group.

It just isn't affordable for most Companies to manage a separate Security Group (with their own CSO, etc.).

This way you would see members of the Security Group reporting to CIO and the CIO getting additional responsibilities as well here.

jagibbons, User Rank: Ninja, 12/31/2014 | 11:13:28 AM
Re: InfoSec
I agree, in principle, but I'm not sure it is feasible in a smaller organization with an overall IT presence of less than 15-20 individuals. InfoSec is going to be part of the technology group. There should be security experts, though, rather than just relying on network and security generalists who have a wide variety of responsibilities.
Stratustician, User Rank: Ninja, 12/30/2014 | 2:58:49 PM
Re: InfoSec
I agree, the landscape has gotten to the point where it is really hard to expect one team to be in charge of all things IT and be able to manage the security of the environment. Splitting it up into IT Security and IT (let's say generalized here) would be a great way to approach this. Have one team be focused on building the right networks and tools to enable the organization to function from an IT perspective, and maybe have someone from that team work with the security folks to ensure the right controls are in place. No matter how you approach it, as long as you have clear lines of communication between the teams you should have a better definition of where job responsibilities lie and will hopefully reduce the number of IT headaches and finger-pointing.
H@mmy, User Rank: Ninja, 12/30/2014 | 1:49:21 PM
InfoSec
When major organizations such as banks experience security threats, then maybe there is a need to separate InfoSec and IT. It's no longer a generalized field now; you need a stronger force such as security experts to protect the system.