Many organizations have historically lumped together the information security ("InfoSec") and information technology ("IT") functions. Because anti-virus software, firewalls and proxies were primary tools used in securing the network -- and IT was responsible for adopting and implementing those measures -- InfoSec appeared to be subsumed under the broader IT umbrella. But their roles are different and distinct.
Think of IT as the architect of the house and security as the fire code. To be sure, IT fulfills an important role in securing digital information, but so do other departments, executives, and all employees and other network users. As a result of the threat convergence around IT systems, the InfoSec partnership with IT must accordingly be strong, but it's paramount that InfoSec contribute its unique blend of threat awareness, analytics, risk management, and privacy protection separately from IT if sufficiency, adequacy, and objectivity in securing the organization’s information assets are on balance with its cross-functional risk profile are the goals.
New defenses for new threats
The risks financial institutions (FIs) face have multiplied in recent years. Cyber criminals have made rapid advances in establishing efficient marketplaces where data-stealing exploit kits can be bought and stolen data sold. Attackers have also refined their approach to social engineering with very authentic-looking phishing emails and corrupt but believable Web links. Add in the increased adoption of online banking, social media sites that facilitate sharing personal information, companies that gather wide swaths of sensitive data for marketing purposes (but then leave it unprotected), and mobile applications that support a large percentage of our communications and transactions, and you have a perfect storm of digital security risk.
[For more from IDT911's Deena Coffman, check out: Managing Vendor Security Risk]
Yes, today's environment is different. Data protection requirements have evolved significantly. Perimeter defense is no longer enough when untrained employees are ushering malware into the corporate network by browsing the Web or clicking a hyperlink or opening an email attachment. Today's defenses need to cover the perimeter, protect the endpoints, control physical access and thwart social engineering. Because network borders are so porous, FIs also need to monitor activity inside the network for suspicious actions triggered by outside attackers as well as unauthorized actions taken by internal employees. Building an effective defensive strategy for meeting the security needs of this new landscape requires banks to appreciate the distinct differences IT and InfoSec have in both their missions and their approaches.
The objectives of the IT and InfoSec teams are not the same. Information technology professionals are focused on functionality -- on enabling the organization to achieve its goals. That means finding and deploying technology platforms and other tools that enhance communication, facilitate information sharing and support more efficient processes. Simply put, they select and implement technology that enables work to be done. Performance, ease of use and cost are paramount, which can be at odds with security.
One example of this is the IT help desk, a function that is often measured and compensated on how quickly they resolve questions and how happy their internal customer are, but not on what security they improve. Help desks are helpful enablers of the business. If they take on the role of guardian, their customer satisfaction rating can suffer, putting them at risk professionally. Enabling easy access is IT's focus. Managing access in a way that prioritizes the protection of data privacy is the role of information security.
Defining a new partnership
Though their missions are not the same, the IT and InfoSec functions need to have a strong working relationship. To facilitate the right kind of progress on both teams, both must be able to operate independently from a reporting and operational standpoint, as well as from a budgetary point of view. Remember, too, that neither team takes the place of the other when it comes to participating in various working groups within the organization. Both should have their own, equal presence on the security incident response team and internal steering committees, for example.
A good relationship should be a priority though because it's likely the two teams will be close partners on many projects. As new technologies and software platforms are evaluated by IT, InfoSec may be helpful in identifying weaknesses that require procedural accommodations to maintain the desired level of data protection. When the information security group develops security policies and protocols, IT will have an important role in identifying compatible tools to achieve the goals that are defined in the policies. InfoSec's monitoring and testing obligations will undoubtedly tie in to a number of IT operations.
As the banking industry continues to embrace more robust security practices, further separating and refining these two very distinct roles will be important in balancing appropriate data privacy with efficient operations. Many financial institutions have already instituted this separation. If yours has not, it is time to consider an organizational update.
Deena Coffman is chief executive officer of IDT911 Consulting and has broad experience providing guidance to clients adopting technology or building programs relating to data privacy, data security, and electronic discovery. Prior to joining IDT, she was the chief operating ... View Full Bio