Should IT security be separate from IT?
Published: 12 May 2006 13:10 BST
...is not covered to a sufficient extent (for example, perhaps there have been notable failures in the past 12 months) then the creation of a separate IT security department is worthy of consideration.
The purpose of such a department must be identified before its creation, so that everyone is clear as to its reason for being. In Butler Group's opinion, the purpose of the department is to have full responsibility for all information security issues within the organisation, approving all software before its release, and delivering and managing the IT security solutions. It is strongly recommended that the head of the IT security department is a direct report to the chief executive officer, for purposes of integrity. It may be deemed appropriate to give the departmental head the title of chief security officer (CSO), but only if the IT department head is the chief information officer (CIO). If the CSO were to report directly to the CIO (or the IT security department head to the IT department head), then the company's security objectives could be compromised, because the two departments have different objectives.
The IT security department does not have to consist of a large number of people – for example, in a mid-sized, US-based healthcare organisation the IT security department has seven people. However, the individuals in this department take on multiple roles. In addition to the department head, there is a need for a contingency planner – this person must not only be involved in IT contingency planning, but business contingency planning as well.
Various IT administrators are also required, as are solution testers. The testing capability is required to test all solutions that are developed by the IT department, and the IT security department should also be responsible for approving (from a security perspective) the purchase of Commercial Off-The-Shelf (COTS) solutions that the IT department recommends.
Therefore, the IT security department does not have to be a big department, but it is essential that it carries responsibility for these functions, in order to be successful and accountable. Having a separate IT security department can have a number of benefits. One of the main benefits is the reduced IT security risk for the organisation, and a consequential benefit of that is improved IT security effectiveness. These benefits are achieved through the ability of the IT security department to concentrate on a single aspect of IT solutions – that of security. By reviewing the security of any system, whether built in-house, COTS or customised, the department can devote the time and expertise necessary to ensuring that the organisation's security is not going to be compromised. With the best will in the world, having the IT department undertake such a task is not always easy – as those of us with any amount of IT experience are aware, the testing aspect of any solution is compressed if time is of the essence.
By giving the IT Security department the responsibility and accountability for the security aspect of a solution, it is possible to ensure that the security aspects are fully tested before being put into a live environment. Further benefits that can come out of an IT Security department include the operational security, information assurance, and business security that arise from having a separate functional unit. One only has to look at security breaches that have happened to realise the importance of operational security, with the ultimate protection of brand image. The on-line banking organisation Cahoot, for example, suffered a breach just over a year ago, when it became clear that changes were made to Cahoot’s online systems some 12 days before a flaw was discovered, and it was confirmed that the subsequent security breaches were caused by the upgrade. Had a separate IT security testing function been in place at Cahoot, I believe it would be less likely that such a breach would have happened – because the flaw would have been found before the upgrade was implemented.
It is of course not all a bed of roses when separating out the responsibility for IT security into another department, and there are other issues that need to be addressed. These include the fact that the management and C-level directors of the organisation must be fully aware of information security risks; only in this way can they be committed to the aims and objectives of the IT security department. Following on from this, setting up the department is not the only executive responsibility; ensuring it runs satisfactorily, achieving its objectives, is also required. To this end, executive sponsorship and reporting are vital if the department is to have "clout" around the organisation. This could, however, make the department appear to be "the heavy mob", and this also needs to be avoided.
There is no easy answer to this; it will be a fine balancing act and needs to be handled carefully. The alignment of IT security department objectives with organisational objectives may seem an obvious point, as it applies to all departments within the organisation, but it is important that this point is made. Furthermore, it may help with the issue raised above, regarding the department's appearance as "the heavy mob". A general understanding that the IT security department is subject to the same aims and objectives as the rest of the company will help the department, and indeed the whole organisation, to fully understand its role.
The final point is that the roles and responsibilities within the department are unlikely to remain static. Periodic reviews of roles and responsibilities are required, perhaps every six months or so, with updates to those roles and responsibilities being communicated to the department and the rest of the company as and when required. This will help address the changing face of the security issues that organisations must adapt to, and perhaps some companies will be keen to undertake reviews on a more frequent basis.
The creation of an IT security department is not necessarily the right way forward for every company, and there could be very good reasons for retaining such a function within the IT department. The benefits, however, can be significant, especially when cases have arisen where IT security needs to become more ingrained into the business. The suggestion is that the separation of the two could be considered, and in certain circumstances prove invaluable.