Information Delivery vs. Information Security

A System Administrator and an Information Security Administrator were sitting in a room.  The question was asked, “When you install a new server, what are the first two things you do?”

Both of them answered, “install the latest patches and updates and remove all unnecessary services.”  Good answers, but the reasoning behind them is entirely different.

System Administrator: By applying the latest patches and removing unnecessary services, I make sure that any known problems are fixed and improve the performance of the system by not tying up system resources on things I’m not using.

Information Security Administrator: By applying the latest patches I close known vulnerabilities that could potentially lead to a compromise.  By shutting off unnecessary services, I reduce the number of potential openings to my system, again, reducing the potential for compromise.

Why is this difference important as long as the work is getting done?

It’s about a mindset.   In mid-sized or large organizations where information security sits underneath the IT umbrella, the differences are usually very apparent.  The need to deliver information to customers and staff more often than not trumps the need to secure that information.  In an environment where resources compete with each other in the IT organization, when push comes to shove, delivery almost always wins even if it increases the risk.

This is why I believe the information security function has to be independent of IT, much like internal audit is independent of finance.   Information security needs to be positioned to provide unfiltered advice and recommendations.  When information security is funneled through an information delivery point of view, the message may unintentionally be diminished or lost.

Additionally, the acceptance of risk and the responsibility for consequences should rest with the data owner, not with IT or Information Security.  These are recommending bodies that should be working together to develop solutions that clearly describe functionality and risk so that data owners can make informed decisions.  The way information is used is a business decision, not a technology decision.  Information security leadership requires the ability to identify and clearly communicate risk.  Information technology leadership requires the ability to clearly communicate the functional delivery of information.   Both need to be able to provide this advice unobstructed by the different missions of these departments.

Both are distinct.  Both are important.  Being independent allows both functions to leverage their expertise by creating an information-intensive environment that leads to informed decision making.   Doesn’t your business deserve at least that much?
