Thursday, May 12, 2011

6 reasons why InfoSec should not report to IT

It’s not a strict compliance requirement (though it sneaks into separation of duty under SOX), but generally it’s a bad idea for the information security function to report to any of the IT management divisions.  At best, maybe the head ISO can report to the CTO, but anything lower down the line is a bad idea.  Why?  Well, here are 6 reasons, many of which are variations on that separation of duty theme.

1) IT’s primary mission is to keep things running and get things done.   
InfoSec’s primary mission is to keep risk to a manageable level.   These are almost the same, but not quite.  Unfortunately, the infosec folks are the people who occasionally need to say no… or at least “slow down.”  But when push comes to shove, the IT folks will say “damn the torpedoes, full speed ahead.”   Not always a good idea for security. 

Sometimes, instead of pushing ahead, IT chooses not to do something in order to fulfill a greater business mission.  That something could be upgrading firewalls, patching vulnerable services or fixing broken anti-virus.

2) IT is about sharing information, not restricting access.
For IT, the priority is generally Availability > Integrity > Confidentiality.  For Infosec, it’s generally Confidentiality > Integrity > Availability.  It'd be nice if both could agree on Integrity and maybe in some organizations these priorities align.   But usually if data gets breached, infosec takes the first hit not IT.

3) Part of InfoSec’s job is to keep an eye out for insiders.   
And the most dangerous insiders are within the IT group.   Sometimes they’re leading the IT group.

One could add that IT staff generally develop a sense of entitlement around the technology they manage.  Understandable, since they are, by definition, the most knowledgeable and skilled IT workers.  Unfortunately, this can lead to staff feeling the rules don’t apply to them, and either by accident or by design, security problems can develop.

Note that security people can go bad too.  That’s why it’s good to separate them from IT and take away their admin privileges.

4) Enterprise risk decisions aren’t usually owned solely by the IT department.   
Risk decisions should be made at the executive level. Good infosec professionals are skilled at facilitating the necessary conversations to make sure risks are properly addressed.
Not that IT can’t talk to the executives, but often when they do, they have different priorities in mind… see #1.  Delivering a risk message about a business objective while at the same time discussing alignment of IT to business objectives can often muddle both the message and the decision.  A Socratic method with two different viewpoints, IT and infosec, is more conducive to making a better decision.

5) To be effective, Infosec needs to branch out of technology.   
Infosec works with many different departments at an operational level, while IT works primarily outside of its own group in a supportive role.  Consider how much infosec has to work with Human Resources, Physical Security, Accounting, Legal, Business Development, Software Development, and Sales.  These are specialized organizational skills that aren’t common in IT.

6) It’s easy for IT folks to think they’ve “solved security” when in fact, they’ve just implemented a control.  
IT is used to solving problems, so give them a security problem and they’ll quickly engineer a solution.   However, security is a lot harder than that.  Worse still, many IT folks don’t realize how little they understand about how security works.  