Why InfoSec Should Be Separated From IT

The case for taking the information security function out from underneath the IT umbrella.

Many organizations have historically lumped together the information security (InfoSec) and information technology (IT) functions. Because antivirus software, firewalls, and proxies were primary tools used in securing the network -- and IT was responsible for adopting and implementing those measures -- InfoSec appeared to be subsumed under the broader IT umbrella. But their roles are different and distinct.

Think of IT as the architect of the house and security as the fire code. To be sure, IT fulfills an important role in securing digital information, but so do other departments, executives, and all employees and other network users. Because threats converge on IT systems, the InfoSec partnership with IT must be strong, but it is paramount that InfoSec contribute its unique blend of threat awareness, analytics, risk management, and privacy protection separately from IT if the goals are sufficiency, adequacy, and objectivity in securing the organization's information assets, in balance with its cross-functional risk profile.

New defenses for new threats
The risks financial institutions (FIs) face have multiplied in recent years. Cyber criminals have made rapid advances in establishing efficient marketplaces where data-stealing exploit kits can be bought and stolen data sold. Attackers have also refined their approach to social engineering with very authentic-looking phishing emails and corrupt but believable web links. Add in the increased adoption of online banking, social media sites that facilitate sharing personal information, companies that gather wide swaths of sensitive data for marketing purposes (but then leave it unprotected), and mobile applications that support a large percentage of our communications and transactions, and you have a perfect storm of digital security risk.

Read the rest of this story on Bank Systems & Technology.