Organizations rely heavily on technology to conduct their business operations. However, increased use of technology brings an increased risk of cyber attacks and security breaches. As a result, Information Security (Infosec) has become a vital component of any organization's technology infrastructure. But combining Infosec with IT operations can lead to disastrous consequences.
Understanding the Difference between Infosec and IT
Before we delve into why separating infosec from IT is important, it’s essential to understand the difference between the two.
IT is responsible for managing and maintaining an organization’s technology infrastructure, including hardware, software, and networks. On the other hand, infosec is responsible for ensuring the confidentiality, integrity, and availability of an organization’s information assets, including sensitive data such as customer information, financial data, and trade secrets.
The Drawbacks of Combining Infosec with IT
Although it may appear beneficial to combine infosec and IT departments for the sake of efficiency, it can actually lead to significant security vulnerabilities. Here are a few reasons why:
Conflicts of Interest
IT departments are primarily focused on keeping technology systems running, whereas infosec departments prioritize identifying and mitigating security risks. Combining these departments can create conflicts of interest, where IT prioritizes uptime over security and infosec prioritizes security over uptime. This can result in decisions that compromise security in the interest of keeping systems running smoothly.
Lack of Independence
Infosec departments need to be independent to effectively identify and mitigate security risks. However, when combined with IT, there may be pressure to downplay or overlook security risks in the interest of keeping systems running smoothly. This can lead to security vulnerabilities that go unnoticed until it’s too late.
Limited Resources
Combining infosec and IT departments often means that limited resources are available to both areas. Staff are pulled in multiple directions, which leads to a lack of focus on either area, and security vulnerabilities can go unnoticed or be left unaddressed.
The Benefits of Separating Infosec and IT
Separating infosec and IT can provide several benefits for your organization, including:
Clear Roles and Responsibilities
When infosec and IT are separate, each department has clear roles and responsibilities. IT can focus on keeping systems up and running, while infosec can focus on identifying and mitigating security risks. This can prevent conflicts of interest and ensure that security risks are properly addressed.
Improved Security
Separating infosec from IT can lead to improved security, as infosec staff can focus on identifying and mitigating security risks without the pressure to downplay or overlook them in the interest of keeping systems running smoothly. This can help prevent security vulnerabilities from going unnoticed or being left unaddressed.
Increased Efficiency
While separating infosec from IT may seem less efficient on the surface, it can actually lead to increased efficiency in the long run. With separate departments, each can focus on its specific area of expertise, leading to more effective and efficient operations overall.
In conclusion, combining infosec and IT departments may seem like a good idea for the sake of efficiency, but it can actually lead to significant security vulnerabilities. Separating infosec from IT provides several benefits, including clear roles and responsibilities, improved security, and increased efficiency. By prioritizing information security and separating infosec and IT, organizations can better protect their sensitive data and maintain the integrity of their operations.
Dimitris is an Information Technology and Cybersecurity professional with more than 20 years of experience in designing, building and maintaining efficient and secure IT infrastructures.
Among other qualifications, he holds the CISSP, CISA, CISM, ITIL, COBIT and PRINCE2 certifications, but his wide set of knowledge and technical management capabilities goes beyond these certifications. He enjoys acquiring new skills in penetration testing, cloud technologies, virtualization, network security, IoT and many more areas.