09:30 AM
Deena Coffman
Deena Coffman

The Separation of Information Security & IT

The case for taking the information security function out from underneath the IT umbrella.

Many organizations have historically lumped together the information security ("InfoSec") and information technology ("IT") functions. Because anti-virus software, firewalls and proxies were primary tools used in securing the network -- and IT was responsible for adopting and implementing those measures -- InfoSec appeared to be subsumed under the broader IT umbrella. But their roles are different and distinct.

Think of IT as the architect of the house and security as the fire code. To be sure, IT fulfills an important role in securing digital information, but so do other departments, executives, and all employees and other network users. As a result of the threat convergence around IT systems, the InfoSec partnership with IT must accordingly be strong, but it's paramount that InfoSec contribute its unique blend of threat awareness, analytics, risk management, and privacy protection separately from IT if sufficiency, adequacy, and objectivity in securing the organization’s information assets are on balance with its cross-functional risk profile are the goals.

New defenses for new threats
The risks financial institutions (FIs) face have multiplied in recent years. Cyber criminals have made rapid advances in establishing efficient marketplaces where data-stealing exploit kits can be bought and stolen data sold. Attackers have also refined their approach to social engineering with very authentic-looking phishing emails and corrupt but believable Web links. Add in the increased adoption of online banking, social media sites that facilitate sharing personal information, companies that gather wide swaths of sensitive data for marketing purposes (but then leave it unprotected), and mobile applications that support a large percentage of our communications and transactions, and you have a perfect storm of digital security risk.

[For more from IDT911's Deena Coffman, check out: Managing Vendor Security Risk]

Yes, today's environment is different. Data protection requirements have evolved significantly. Perimeter defense is no longer enough when untrained employees are ushering malware into the corporate network by browsing the Web or clicking a hyperlink or opening an email attachment.  Today's defenses need to cover the perimeter, protect the endpoints, control physical access and thwart social engineering. Because network borders are so porous, FIs also need to monitor activity inside the network for suspicious actions triggered by outside attackers as well as unauthorized actions taken by internal employees. Building an effective defensive strategy for meeting the security needs of this new landscape requires banks to appreciate the distinct differences IT and InfoSec have in both their missions and their approaches.

Redefining roles
The objectives of the IT and InfoSec teams are not the same. Information technology professionals are focused on functionality -- on enabling the organization to achieve its goals. That means finding and deploying technology platforms and other tools that enhance communication, facilitate information sharing and support more efficient processes. Simply put, they select and implement technology that enables work to be done. Performance, ease of use and cost are paramount, which can be at odds with security.

One example of this is the IT help desk, a function that is often measured and compensated on how quickly they resolve questions and how happy their internal customer are, but not on what security they improve. Help desks are helpful enablers of the business. If they take on the role of guardian, their customer satisfaction rating can suffer, putting them at risk professionally. Enabling easy access is IT's focus. Managing access in a way that prioritizes the protection of data privacy is the role of information security.

Defining a new partnership
Though their missions are not the same, the IT and InfoSec functions need to have a strong working relationship. To facilitate the right kind of progress on both teams, both must be able to operate independently from a reporting and operational standpoint, as well as from a budgetary point of view. Remember, too, that neither team takes the place of the other when it comes to participating in various working groups within the organization. Both should have their own, equal presence on the security incident response team and internal steering committees, for example.

A good relationship should be a priority though because it's likely the two teams will be close partners on many projects. As new technologies and software platforms are evaluated by IT, InfoSec may be helpful in identifying weaknesses that require procedural accommodations to maintain the desired level of data protection. When the information security group develops security policies and protocols, IT will have an important role in identifying compatible tools to achieve the goals that are defined in the policies. InfoSec's monitoring and testing obligations will undoubtedly tie in to a number of IT operations.

As the banking industry continues to embrace more robust security practices, further separating and refining these two very distinct roles will be important in balancing appropriate data privacy with efficient operations.  Many financial institutions have already instituted this separation. If yours has not, it is time to consider an organizational update.

Deena Coffman is chief executive officer of IDT911 Consulting and has broad experience providing guidance to clients adopting technology or building programs relating to data privacy, data security, and electronic discovery. Prior to joining IDT, she was the chief operating ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
1/25/2015 | 8:53:34 PM
Cybersecurity Boardroom Workshop 2015
President Barack Obama focused on a number of new cyber security proposals that will encourage greater information sharing between the government and corporations. How boards of directors and CXOs can build the proper foundation to address today's IT security challenges is the topic of Cybersecurity Boardroom Workshop 2015, 2-day seminar well-known cybersecurity expert Edgar Perez will conduct in financial centers Dubai, Hong Kong, Seoul, Singapore, London and New York City. This is the first seminar developed for leaders for whom cybersecurity preparedness is a relatively new yet critically important area to be intelligently conversant about.
User Rank: Apprentice
1/6/2015 | 10:59:30 AM
Re: Bridging the gaps
Thanks for your comments.  I completely agree that responsibility extends beyond IT and should include executive level management up to and including the board.  I do find this to be a two-front battle – one is in engaging executives that do not have an appetite for technological detail and the other in getting IT to open communication lines that have hardened over time.   This article was meant for an IT audience and needed to be focused as such; a broader conversation could have explored some of the ideas you mention.  I appreciate and share your perspective. 
User Rank: Apprentice
1/1/2015 | 5:46:30 PM
Good attempt, but missing the mark
Deena Coffman's analysis that the responsibility for IT security should be taken away from IT departments and moved somewhere else is certainly very helpful. Today's mainstream IT security is broken beyond repair, however typical IT departments still try to conceal that ugly fact and are therefore not very likely to fix that huge problem.

But finding a new scapegoat in the form of some Information Security department which is not reporting to IT won't help much either - most likely it will just result in buying more addon products and hiring more experts without solving the underlying problem. Rather, the bank's top management now need to accept ownership of the IT security misery themselves. Why ? Because the bank's core business is so much depending on IT - much more than in any other industry.

The next step is to do a honest root cause analysis on why, for heaven's sake, today's mainstream IT is so vulnerable. The outcome is quite likely to reveal that today's mainstream IT is built on vulnerable hardware and software platforms - it is built on PC technology (initially designed for single user systems) and on a networking architecture that was initially designed for closed user groups that could trust each other. 

True - since many years a huge amount of work was and is done, and huge amounts of money are spent each year trying to retrofit security into an environment that wasn't meant to be secure from day one. Looking at the poor shape of security in mainstream IT today, most people will readily agree that the success of those attempts has been rather limited so far.

Top bankers are likely to understand that it takes a lot of effort and money to create a much more robust and secure IT infrastructure. They are also likely to understand the ugly risks of not doing so.

Now they need to take a bold decision to move away from vulnerable IT infrastructures - and yes, there are better alternatives around, and their IT department can find those when being ordered to do so. Top management also need to tell their beancounters about that new priority.

The outcome will be a much more robust IT for banking and payment purposes which is not so easy to manipulate for the average hacker. Security by obscurity ? To some part yes - but there is nothing wrong about that approach, in the real world it is usually found to work quite well. And fortunately it will turn out that operation and administration of that new IT is much less costly than for today's mainstream IT.  
User Rank: Author
12/30/2014 | 1:32:14 PM
Re: Bridging the gaps
I agree that cybersecurity poses a challenge to both students and institutions. Earning the education and credentials necessary to get a job in cybersecurity costs students a lot of time and money, and schools have to keep up with the constant changes in the field. Given that the field is pretty new, it's not terribly surprising that there is little coordination among the schools, businesses and accrediting institutions involved in educating and hiring cybersecurity professionals. Hopefully we'll begin to see more collaboration among them in 2015.
User Rank: Apprentice
12/29/2014 | 3:54:46 PM
Bridging the gaps
I couldn't agree more, though I feel that the issue stems from under or undeveloped cybersecurity curricula and failed coordination between academic institutions, hiring organizations, and accrediting institutions. Cybersecurity is a fairly new field and the combination of information security and physical security leaves some broad gaps and very heavy biases among "qualified" cybersecurity professors. Many physical security practitioners who moved laterally into the cybersecurity field may be more focused on biometrics, mantraps, and concertina wire. IT professionals who evolved into Cybersecurity practitioners may fail to see the value in physical deterrence and mitigation. There has to be an even balance and folks must stop referring to physical security as something separate from cybersecurity.

Many academic institutions are racing to develop new curricula to keep up with the expanding demand for cybersecurity practitioners. The increase in job market demand leads to increases in students and ultimately, student revenue and tuition fees. The problem here is that a student may spend thousands of dollars and anywhere from two to eight years studying cybersecurity. Although, without the proper certifications, which are required by many employers, the student will still be hard-pressed to find a job, post-graduation, that pays a reasonable salary.  There has to be a way to bridge this gap, not only between academic institutions and the organizations that hire their graduates, but also between academic institutions and accrediting organizations, such as CompTIA and ISC2. Common nomenclature and standardized curricula are vital to a healthy and qualified cybersecurity workforce.

Great article!!
Register for Bank Systems & Technology Newsletters
White Papers
Current Issue
Bank Systems & Technology
BS&T's 2014 Elite 8 executives are leading their banks to success, whether it involves leveraging the cloud, modernizing core systems, or transforming into digital enterprises.
Bank Systems & Technology Radio
Archived Audio Interviews
Join Bank Systems & Technology Associate Editor Bryan Yurcan, and guests Karen Massey and Jerry Silva from IDC Financial Insights, for a conversation about the firm's 11th annual FinTech rankings.