Does Cybersecurity/Information Security Belong Within the I.T. Function?

As someone who started her career in I.T. and spent decades working in I.T., from helpdesk to systems & network administration, to I.T. Security, I have seen firsthand how the relationship between Information Security (InfoSec) and Information Technology (I.T.) has evolved in organizations.

I have been thinking about this relationship lately and have concluded that InfoSec should parallel I.T., not exist within it. Here's why:

1. Independence is crucial: When InfoSec is part of I.T., there's an inherent conflict of interest. I.T. is focused on keeping systems running smoothly and efficiently, while InfoSec needs to challenge and sometimes (not always, but sometimes) disrupt those systems to ensure security. Separating these functions allows InfoSec to maintain an independent perspective and avoid potential pressure to compromise security for convenience or fear of temporary disruption.

2. Different skill sets and priorities: While there's certainly overlap, the skills and mindset required for effective InfoSec are distinct from those needed in I.T. InfoSec professionals need to think like attackers, constantly anticipating new threats and vulnerabilities. They also need to balance security with business needs, which requires a broader perspective than traditional I.T. roles typically provide.

3. Holistic approach to risk: InfoSec isn't just about technology – it encompasses people, processes, and technology. When it's tucked under I.T., there's a risk of focusing too narrowly on technological solutions and missing critical aspects of security that extend beyond the I.T. department.

4. Elevated visibility and authority: InfoSec, as a separate, parallel function, gains more visibility at the executive level, which is crucial for ensuring that security concerns are given appropriate weight in strategic decisions and resource allocation.

5. Checks and balances: Having InfoSec separate from I.T. creates a system of checks and balances. InfoSec can audit and challenge I.T. practices without the awkwardness of essentially policing itself.

6. Compliance and regulatory requirements: Many industries have specific security and privacy regulations. A separate InfoSec function can more effectively ensure compliance across the entire organization, not just within I.T.

7. Bridging the business-IT gap: InfoSec often needs to translate technical risks into business terms. As a separate entity, it can more effectively bridge the gap between I.T. and other business units, ensuring that security is understood and prioritized throughout the organization.

Don't get me wrong – close collaboration between I.T. and InfoSec is essential. We need to work hand-in-hand to implement adequate security measures. However, this collaboration is best achieved when InfoSec has the independence and authority to challenge I.T. practices when necessary.

Organizations that treat InfoSec as a parallel function to I.T. tend to have more robust security postures. They are better equipped to handle the ever-evolving threat landscape and to balance security with other business priorities.

What do you think? Have you seen examples where this approach has worked well (or not so well)?
