Does it make sense to separate IT and security?

22 January 2015

From a leadership standpoint, it might make sense for some organizations to create information security teams that don't operate under the greater IT department.

At first glance, the logic of such a decision is hard to see. Wouldn't it create a schism between data protection experts and networking specialists, for example? Communication breakdowns are among the biggest concerns associated with separating IT and security, but some professionals argue that the separation pays off in the long run.

From a networking perspective
Shon Harris, a contributor to TechTarget, detailed the disparate responsibilities of networking professionals and security experts. While the former's primary focus is to ensure systems are reliable and performing optimally, the latter's aim is to protect information through whichever means are most practical.

Harris further maintained that security professionals should answer to a different chain of command than their counterparts in networking. She outlined the following situation, in which a security specialist reports to a network administrator:

"Let's say someone in security informs a network administrator that there is an unsafe rule set on the firewall. This traffic setting, though, may have been implemented by the network administrator to support a business need or a user's particular preference. There is a chance then that the administrator may rank the network concerns more of a priority than the security issue and ignore the information."

Security's multi-faceted responsibilities
It's not uncommon to come across content on the Web asserting the importance of educating the workforce about data security threats, but how often does an IT department have the time to do so? Team members working with limited resources often count themselves lucky if they can find the time to audit databases for security flaws or install network protection equipment at all.

Larger companies would do well to separate IT and InfoSec for this reason. Not only can an InfoSec department reserve the time and capital needed to thoroughly assess data infrastructure for threats, it can also spend time determining whether finance, marketing, sales and other teams are abiding by security best practices.

Don't let them be strangers
Just because the InfoSec and IT departments operate independently doesn't mean they should be alienated from each other. InformationWeek's Deena Coffman noted that mutual understanding between the two teams is paramount to success. Neither set of professionals should believe its responsibilities are more important than the other's.
