Aug 06 2015

IT and Security: One Team or Two?

Stop me if you’ve heard this request before… “we need project X delivered, as soon as possible.” To the requester, there is no corner not worth cutting. Whether they know it or not, they have a disregard for the processes that are usually in place to make sure things are done by the book. Put plainly, in an IT department, speed has a troubling tendency to trump security or general processes, most especially when the security arm for your firm is under the same umbrella as the IT team.

How do you get around that? What a number of firms are opting to do is separate the two functions, ensuring that there is proper oversight. When security and delivery are under the same management, corners are easier to cut. When delivery is one team and needs to present its plans to a stand-alone information security team? Things become inherently more secure.

I have had opportunities to work with organizations that do it both ways. I’ve been in those scenarios where a last-minute deadline trumps all other logical concerns, in spite of you knowing that things may not be deployed as securely as they should. In those instances, you do what you have to do to meet the deadline, and double back afterward to tie up any loose ends, to make sure that you’ve made the deployed system as secure as you require it to be.

Having IT and security together can often lead to less-than-ideal decisions, just as exceptions are often made for the executives and other high-profile staff, for whom the rules don’t always apply. For all of these examples, it is becoming invaluable, in fact even imperative, that the two teams are separate entities. It is entirely possible to make these teams function in lockstep, to achieve the goals and objectives for your organization, but in a manner that ensures your business is as protected as it needs to be. I am in just such a scenario now, where my IT team is independent from our Information Security team. We have an exceptional working relationship and we have IT security as a common goal. I still get asked all the time to have something done in an incredibly short turnaround time, and by having the security team as another branch that has to sign off, and as an ally to my team, I have a means to keep things sane.

While the analysts may say you split the teams up to keep a measure of checks and balances, I can recommend it for an entirely different reason. Call it dividing and conquering, but by having it as two teams as opposed to one, you now have a means to fight the fight on two fronts. If you need to resist, it’s not one manager or director, it can be two. It may seem minor now, but trust me, it’s worth having in your favor when you need it. In this day and age of the constant security threat, can you really have too many allies?