How Does Your IT/IS Garden Grow?
First, you have to water plants if you want them to flourish. Second, it’s an amateur mistake to put too many plants in one flower bed. Plants in south Louisiana, where I live, are always thirsty and they don’t like to be cramped! But before you stop reading, I promise this is not just an ode to my failed flowers.
Let’s say you have an average-sized flower bed. Lowe’s has a sale, and the purslanes and vinca are a steal. You can’t pass up either one. The plants are small and they look great side by side in your flower bed. But unbeknownst to you, you bought trailing vinca! They weren’t kidding with that name – it trails right on over to the purslane’s spot in the flower bed. The resources of the bed start to wear thin and it can’t support both species. You realize it’s time to move your purslanes to another spot.
And so it is with the information technology (IT) and information security (IS) functions of an organization. While an organization is small or not very complex, IT and IS may flourish under one employee or department. But as the organization grows, systems and networks become more complex, and risks change and intensify, that single employee or department may struggle to support both critical functions. It is time to separate the IT and IS roles.
One of the primary justifications for separating the IT and IS functions is that each serves a different purpose. Staff wearing the “IT hat” focus on production, implementation, and maintenance of technology, including:
- Confirming service level agreements are met
- Completing projects within given deadlines and budgetary restraints
- Ensuring your technology is working effectively and efficiently
- Resolving end-user issues
Personnel in the IS role are more concerned with security, control frameworks, and monitoring and reporting on those controls. Their duties often include:
- Performing risk analysis and assessing technology before implementation
- Designing controls to mitigate identified risks
- Monitoring to ensure the controls are operating as intended
IT and IS are inherently different, and it becomes difficult for a single team to achieve the goals of each effectively and efficiently. While the flowers in the example above could have been sustained in one bed, you would have needed to cut the vinca back to give the purslanes room to grow. Similarly, a single person or department could fill both IT and IS roles, but critical responsibilities may receive lower priority or even be omitted to sustain the combination.
Flowers have different needs. What may be too much sun for one is just right for another. Some flowers need copious amounts of water every day while others are watered weekly at most. IT and IS also have different needs and often require separate skill sets to achieve success in their roles.
IT employees are responsible for maintaining specific hardware, software, and network components. They must maintain the technical knowledge to support each, and technical certifications are also warranted.
While IS staff must maintain a basic understanding of the technology, they do not need to know all the details of each system to be able to provide the oversight needed for control design and monitoring. They do need security-related certifications and training on current threats to ensure they have the expertise to constantly improve the control framework for the technology that IT implements.
The Benefits of a Flourishing Garden
If you separate the IT and IS functions in your organization, you will begin to see how complementary these positions can be in supporting your technology environment in a secure and controlled manner. By granting independence to these two roles, staff members will have the ability to hone their skills and streamline tasks. Assigning separate budgets to each function will help your organization distribute resources more effectively. It will also establish a system of checks and balances.
How does your garden grow?
Take a moment to think about how your organization’s IT and IS functions are structured. Ask these questions:
- Are these roles functioning independently of one another?
- If not, do employees have enough resources to sustain both functions?
- Are resources devoted equally to technology and security duties?
- Can you ensure that technical support doesn’t take precedence over risk assessment, control design, and monitoring? This can be extremely important during disaster situations, when IT is focused on restoring systems. Without a dedicated IS team assisting with the restoration, systems are often not restored to their previous secured state, which creates vulnerabilities.
- Do you adequately monitor your control framework through testing, report analysis, and log review?
If you answered no to any of the questions above, you may need to reassess your structure and determine how to further grow these critical areas.
Allison Davis is a Partner at CapinTech. Throughout her time as an information systems auditor and senior manager, Allison has provided information security assessment and consulting services primarily for nonprofit organizations, financial institutions, and health facilities. In addition to these services, she has provided clients with consulting services in risk assessment and policy development engagements.