Information security is filled with innovative and effective standards, policies, and other mandates that require a lot of paperwork. Because of this constant focus on policies and reporting, many information security professionals have lost contact with their IT brethren. The divide between IT and information security departments has impaired the ability to build solid, fact-based information security frameworks.
As an information security professional, I believe the onslaught of standards and guidelines has given some the impression that information security is independent from information technology. This is misleading because the most successful security professionals tend to have highly technical backgrounds and consistently use IT to ensure the integrity of their service.
For instance, when performing information security assessments, how frequently are we talking to the IT department about technical controls applied to the information systems? The answer is usually not often enough. In my opinion, this regularly results in the formulation of security plans that are mostly based on assumptions made about critical systems. To avoid this dilemma, we should restore our bridge to the information technology department to ensure there is an integrated approach to data protection. Without consistent communication and full transparency, we are in jeopardy of creating assumptive risk assessment and mitigation strategies that could prove to be costly.
So what is saving us now? What might be saving us is the inherent understanding from those in the security profession that IT is part of the “trusted system.” This trust is essential; the information security practice should be based on an intimate knowledge of the enterprise and the protection mechanisms in place to defend it. As a result, we should have knowledge and access to the IT enterprise.
Getting into the IT department can be a challenge due to corporate organizational structures that often separate the IT and information security staff members. I propose that security professionals work with their management team to bridge this gap between the two departments. This dialogue could begin with the security department reviewing an IT policy or getting involved with configuration change recommendations. In turn, IT could create an operations security function within the organization. Regular briefings will result in a comprehensive approach to information security. For example, if those responsible for security were to receive an in-depth brief from the IT department on the logical network designs, and review what access controls are in place across the enterprise, this would give them an opportunity to move away from assumptions and towards fact-based risk assessment and mitigation strategies.
Bridging the organizational divide between IT and information security will result in our ability to leverage knowledge across both departments. This integration is necessary to build robust information technology and information security programs.
In the next article, I will talk more about how security professionals can implement this strategy.