Should IT security be separate from IT?
Published: 12 May 2006 13:10 BST
The IT department faces an enormous range of management issues, of which IT security is one significant aspect. For 2006, security is no longer the most pressing of the IT issues; it does, however, remain a major consideration.
Security affects many aspects of IT – operations, the complexity and risk of IT systems, and the measurement of value, to name just a few. Furthermore, adding compliance and corporate image into the mix makes the security issues facing the IT department quite extensive.
The selection and implementation of IT security solutions can be an onerous task, alongside the maintenance of these systems. If an organisation had a separate IT security department, this department would be solely responsible for not only the selection and maintenance of IT security solutions, but also for approving the new solutions requested by the IT department and the rest of the business. In this way, all security aspects of a solution are thoroughly tested before implementation (or purchase), thus reducing the risk to the organisation. This responsibility is taken away from the IT department, leaving it to concentrate on fulfilling the organisation's objectives.
However, separating IT security from the IT department can become a company political hot potato if not handled carefully. It requires the IT department to manage the relationship with the IT security department – perhaps this is not something it is willing to do, or able to take on for whatever reason. And if there are no issues with IT security in an organisation, then is it necessary to create a separate IT security department? The fact is that if all IT security aspects are being handled adequately and sufficiently in advance, without any breaches, it is unlikely to be necessary to create a separate department.
In order to determine if separation of IT security from the IT department is appropriate, it is first important to be aware of the IT and business drivers that influence security. The IT drivers include internal and external threats; these threats are not diminishing over time but are getting worse, and the internal aspect (both malicious and otherwise) continues to be the worse of the two. Other IT drivers include service commitments; do the security aspects of a system slow down the responses to unacceptable levels within Service Level Agreements (SLAs)? Other examples include IT complexity, business complexity, auditability, patch management – the list goes on.
The business drivers that influence IT security include accuracy and consistency – ensuring that all business data is processed accurately and consistently without any opportunity for it to be breached. SLAs have already been mentioned as IT drivers, but of course they are also applicable as business drivers, to ensure that the organisation is able to conduct its day-to-day work without fear of security breach. Other business drivers include the protection of the organisation's image – for the likes of Amazon and eBay, this is crucial. Even for companies with a strong high-street presence, such as Argos, security breaches can severely affect brand image.
Compliance is a major driver for IT security, ensuring that key factors are managed, with examples including the control of access to systems and the creation of an audit trail. When all these factors have been reviewed, the extent to which security is ingrained in the culture of the IT department should be fairly clear. If IT security...