The IT department faces an enormous range of management issues, of which IT security is one significant aspect. For 2006, security is no longer the most pressing of the IT issues; it does, however, remain a major consideration.
Security affects many aspects of IT – operational, complexity and risks of IT systems and measurement of value, to name just a few examples. Furthermore, the addition of compliance and corporate image into the mix makes the security issues facing the IT department quite extensive.
The selection and implementation of IT security solutions can be an onerous task, alongside the maintenance of these systems. If an organisation had a separate IT security department, this department would be solely responsible for not only the selection and maintenance of IT security solutions, but also for approving the new solutions requested by the IT department and the rest of the business. In this way, all security aspects of a solution are thoroughly tested before implementation (or purchase), thus reducing the risk to the organisation. This responsibility is taken away from the IT department, leaving it to concentrate on fulfilling the organisation's objectives.
However, separating IT security from the IT department can become a company political hot potato if not handled carefully. It requires the IT department to manage the relationship with the IT security department – perhaps this is not something it is willing to do, or able to take on for whatever reason. And if there are no issues with IT security in an organisation, then is it necessary to create a separate IT security department? The fact is that if all IT security aspects are being handled adequately and sufficiently in advance, without any breaches, it is unlikely to be necessary to create a separate department.
In order to determine if separation of IT security from the IT department is appropriate, it is first important to be aware of the IT and business drivers that influence security. The IT drivers include internal and external threats; these threats are not diminishing over time but are getting worse, and the internal aspect (both malicious and otherwise) continues to be the worse of the two. Other IT drivers include service commitments; do the security aspects of a system slow down the responses to unacceptable levels within Service Level Agreements (SLAs)? Other examples include IT complexity, business complexity, auditability, patch management – the list goes on.
The business drivers that influence IT security include accuracy and consistency – ensuring that all business data is processed accurately and consistently without any opportunity for it to be breached. SLAs have already been mentioned as IT drivers, but of course they are also applicable as business drivers, to ensure that the organisation is able to conduct its day-to-day work without fear of security breach. Other business drivers include the protection of the organisation's image – for the likes of Amazon and eBay, this is crucial. Even for companies with a strong high-street presence, such as Argos, security breaches can severely affect brand image.
Compliance is a major driver for IT security, ensuring that key factors are managed, with examples including the control of access to systems and the creation of an audit trail. When all these factors have been reviewed, the extent to which security is ingrained in the culture of the IT department should be fairly clear. If IT security...
Talkback
Liability and purchases are two things underestimated.
With increased and realistic liability enforced those that call the shots either won't make the same mistake twice or won't be around to do the same thing wrong three times in a row.
Another thing is to give more purchasing (decision) powers to those that actually have to maintain, secure, budget for, etc whatever someone else in the organization wants. More often then not lots of organizations are faced with hotshots that "introduce" something "significant" (totally clueless of overall details that matter) by means of: here's something new, purchased and delivered already, that promises to fullfill all my dreams of today, now make that a reality even if that's impossible with the resources and time not provided for.
As for seperating IT security from more normal IT department activities. Given the usual interaction level and mutual understanding between, say, LAN/WAN, Server, Desktop, ServiceDesk, Management, Mainframe, Development, etc guys introducing yet another specialized department is likely to mess up things and create additional kingdoms and internal conflicts even more.
In short, organizations are well advised to ensure that everyone in their IT staff has multi discipline understanding about things that matter. That won't happen overnight but the fact is that most organizations are better off with a bunch of guys that have working experience and understanding concerning plenty of specialities working within one big happy IT family then when compared with seperated, highly specialized, IT departments cooperating together.
Even shorter, if security is that important then security should be part of the first initial thoughts of something new up to and including the entire life cycle of everything (who says that security stops and starts within IT anyway?).
Good security starts at the very beginning. Even before the initial designs. Introducing good security afterwards is only a sales man dream because it can't be done. You'll end up paying twice for half as much while needing more each and every time, time and time again. The only real way to get rid of less then good security is to rebuild from scratch. In a practical way ofcourse.
Security is either a company wide effort, top to bottom, or it's a paper tiger. And a costly one at that because more often then not the way companies handle their internal security is a good indication how they handle almost everything else.
It is interesting that you approach security in the same manner as providing an IT service. Yes, both are evolving and moving towards being considered as peers in the boardroom .
But it is also important to consider that the mandates and goals for security and IT differ. Trying to roll security in the IT umbrella could be compromise the ability of the security organization being able to operate as an independent set of eyes for the business. IMHO, that is a very valuable aspect of this seperation and security should be regarded as a value added, not just a compliance measurement function.
Yes, security is going to be distributed/ntegrated across the IT operations groups and that is going to be challenging to implement but it is also important to maintain the individuality of the security organization.
An independent set of eyes for the business should be achieved by auditors. A quality assurance team if you will that acts as roaming coaches, top to bottom, across the various business processes taking into account every aspect that makes, breaks, improves, demotes such processes. Security is just a part of that all. An important one at that but still a part.
Once you take out and highlight security alone it'll become a product. A goal in itself. Since good security is an integral part of just about anything it's exactly for that reason that one shouldn't seperate (highlight) it.
The focus should be that without build-in security from scratch one simply doesn't have what it takes. One is simply working with incomplete processes. Time for some serious re-evalutions in such events.
Security is not an add-on module. Although plenty of sellers out there that will make you think otherwise if you're not carefull.
IT security is a very broad term to debate upon! The very term triggers a shiver! Security can be at different levels: viz., perimeter, physical and aplication level.
Each of the above should be looked in as a seperate area of security study!
The question is: Who wants to take the responsibility for a possible break-down? Break down could be in terms LAN, WAN, networks, IP level or could be on the application level in terms of Phishing attacks, Dos or DDoS and many more Internet based attacks.
IT Security is a broad term to be used for a possible decision to be made. It would be intresting to debate on the same and a possible speculation cannot be ruled out!
The way I see it as a IT security analyst, in terms of aplication level security, seperating IT from IT Security has its own Pros and Cons.
Pros could be an efficient team out there to deal with and come out with possible solutions in terms of the right cryptographic and Encryption being used and a lot more on those grounds for the same in co-ordination with the Peers of the company. Cons because of the word co-ordination I used earlier.
There are more than one areas of IT that needs to works in coordination with IT Security. There still would be a part of work that the IT and the IT Security guys would need to do together under one roof, across the table.
Likewise, there could be a seperate entity concentrating on specific areas of security viz., application.
Once you break down security into manageable items you'll find later on that the sum isn't better then it's parts. Best thing to do is to go for the sum at once and tap individual departments on the fingers for not doing their part in the overall sum that makes up overall security.
In short: every part should be worried about the sum of security. Not just their part of the equation. Unless you think that having a piss contest will actually lead to lasting results security wise overall. It won't. Remember: overall security is about finding and avoiding weak spots. Whereever they are.