Why InfoSec Should Be Separated From IT - InformationWeek


Why InfoSec Should Be Separated From IT
Ashu001,
User Rank: Ninja
1/6/2015 | 12:43:06 PM
Re: InfoSec
Brian,

For that to happen you need that level of Foresight and Vision to make it happen.

I don't think everyone in IT Departments has that level of Vision /Thinking in-place.

Rogue Apps are a serious-serious Problem in IT today.

I don't think we are quite ready and willing to deal with them confidently enough even today.

It's difficult to really say which new App will introduce what exactly into our Systems, so it pays to be better safe than sorry.

Defense is most definitely the Best form of Offense here.

P.S.

Are you familiar with Anomaly Detection Tools/Software?

I am trialling tools from Prelert in my Enterprise currently and the results are fascinating (and beyond stunning).

A Most interesting tool!

Wolf6305,
User Rank: Apprentice
1/5/2015 | 1:00:49 PM
Re: InfoSec
This is an interesting issue. The main reason info security should be in a different chain of command than the IT of the organization is that the two organizations have different goals. The security people are specifically investigating the people and practices of the IT people. IT people are driven by a budget requirement to get more done with less money, in less time, with fewer people, so in most cases, things they consider unimportant in relation to that goal are suppressed. Patches and replacement of obsolete software and hardware get put off. Security projects are often left unfunded, and the person in charge gets bigger bonuses when they get through the year on less money. Having a dedicated security department is a lot like having liability insurance on your car. If it wasn't against state law to drive without insurance, a lot of people would convince themselves that they were a safe driver and could self-insure. Insurance is not designed to help when things are going smoothly, and a security department is also intended to be of the most value when something goes wrong.

Another problem - CIO bonuses are not usually attached to the scarcity of successful hacks. Those are treated like flash floods - they are acts of God and cannot be predicted, so the CIO is rarely found to be at fault for not being prepared for network exploits. Hard to quantify and expensive whether there is an attack or not. In the case of a smaller company without the funds to have a dedicated security team, I would suggest hiring a managed security services team (MMS) and have them answer to the CFO, not the CIO.
Brian.Dean,
User Rank: Ninja
1/4/2015 | 7:36:27 PM
Re: InfoSec
Agreed, scale is an important consideration before setting up a specialized department. Another consideration that might be equally important to consider is the benefits that IT or employees are enabling by using IT. There will always be employees that bring rogue applications into the enterprise, and IT might find a way to make an old process efficient; the key is that if these enhancements are generating additional revenue of, let's say, $5 million, then a specialized security team of 10 members should not be viewed as a cost, but as an important factor that will enable future profits and the going concern of the business.
Ashu001,
User Rank: Ninja
1/1/2015 | 8:00:23 AM
Re: InfoSec
jagibbons,

One would have to be daft to think that in a Company of up to 1000 employees (which is what you are referring to here), one will find a Separate Security Group.

It just isn't affordable for most Companies to manage a separate Security Group (with their own CSO, etc.).

This way you would see members of the Security Group reporting to CIO and the CIO getting additional responsibilities as well here.

jagibbons,
User Rank: Ninja
12/31/2014 | 11:13:28 AM
Re: InfoSec
I agree, in principle, but I'm not sure it is feasible in a smaller organization with an overall IT presence of less than 15-20 individuals. InfoSec is going to be part of the technology group. There should be security experts, though, rather than just relying on network and security generalists who have a wide variety of responsibilities.
Stratustician,
User Rank: Ninja
12/30/2014 | 2:58:49 PM
Re: InfoSec
I agree, the landscape has gotten to the point where it is really hard to expect one team to be in charge of all things IT and be able to manage the security of the environment. Splitting it up into IT Security and IT (let's say generalized here) would be a great way to approach this. Have one team be focused on building the right networks and tools to enable the organization to function from an IT perspective, and maybe have someone from that team work with the security folks to ensure the right controls are in place. No matter how you approach it, as long as you have clear lines of communication between the teams you should have a better definition of where job responsibilities lie, and will hopefully reduce the number of IT headaches and finger-pointing.
H@mmy,
User Rank: Ninja
12/30/2014 | 1:49:21 PM
InfoSec
When major organizations such as banks experience security threats, then maybe there is a need to separate InfoSec and IT. It's no longer a generalized field now; you need a stronger force, such as security experts, to protect the system.