Top Cybersecurity Myths: We Have a Great IT Department
MYTH: We are protected because our IT department is great! Our IT team fixes everything we need in record time. We’ve never had a breach, so our IT department must be keeping us secure.
Have you heard this sentiment from the C-level of your organization? Do you find yourself saying this in management or budget meetings as a reason why additional IT or information security (InfoSec) expenses are not justified? Have you heard this as a justification for why your organization doesn’t need to hire a separate Information Security Officer?
You’re not alone. Many organizations view IT and InfoSec as one and the same. They assume that because IT is doing a great job, the organization must be secure and have little risk of being affected by malware, hacking, phishing, breaches, or other incidents.
There are two primary reasons why this is a myth.
IT and InfoSec are different.
IT and InfoSec are two very different functions, and relying on the IT function alone to secure your organization would be a disservice to you, your clients, donors, and other constituents, and your mission. While IT and InfoSec often work in conjunction with each other, they have different goals, priorities, and required skill sets.
IT is needs-focused and has the ultimate goal of helping the organization with ongoing maintenance and support of the technology, infrastructure, and systems. The IT department resolves end-user issues, recommends enhancements to infrastructure, and works to increase the effectiveness and efficiency of existing technology. IT staff must have very specific technical knowledge and competencies related to the hardware, software, and network components actually used within the organization.
In contrast, while InfoSec staff must have a basic understanding of various forms of technology, the role typically does not require the same level of technical detail and hardware-specific knowledge that IT does. InfoSec staff must maintain competencies related to risk evaluation and mitigation as their primary goal is to assess risks, design controls to mitigate those risks, and establish monitoring procedures to identify deviations.
This article further explains the important roles the two functions play and why it’s important to devote adequate resources to each.
Security often takes a back seat.
While unfortunate, it’s a fact that security tends to come last. IT and InfoSec are generally not income-producing departments and these two functions often share budgets and resources. When budgets get tight, these areas tend to take the first hit. And ultimately, the needs of IT — supporting the infrastructure and ensuring technology runs as intended — take precedence over the security-related needs, tools, and processes of the InfoSec department.
Efficiency and effectiveness do not automatically mean security. And while your IT department may perform at a high level and staff may experience ease and efficiency in their day-to-day work, the reality is that the solutions may not be secured adequately if staffing and budgets are not allocated sufficiently between IT and InfoSec. It’s imperative for organizations to understand how IT and InfoSec work together, the differences between each area, and how to empower them to flourish in tandem.
This infographic outlines why organizations need both IT and InfoSec/cybersecurity functions. It can be a helpful tool in making the case for devoting adequate resources to each at your organization.
Please contact us at firstname.lastname@example.org with any questions or to discuss how we can help your organization assess and reduce your cybersecurity risk.
Allison Davis Ward
Allison Davis Ward is a Partner at CapinTech. Throughout her time as an information systems auditor and senior manager, Allison has provided information security assessment and consulting services primarily for nonprofit organizations, financial institutions, and health facilities. In addition to these services, she has provided clients with consulting services in risk assessment and policy development engagements.