It’s easy to use the terms “Information Technology (IT)” and “Information Security (IS)” interchangeably. They are equally important, but they serve different roles within an organization. IT tends to focus on availability and the technical delivery of systems, while the primary objective of IS is to manage IT risk to an acceptable level, as determined by management.
Managing these roles can be challenging because their objectives have the potential to conflict. For example, IT could be under pressure from business leaders to roll out a new system that has significant financial implications for the organization. It could be tempting to rush the implementation and have IS catch up afterward. Delaying important IS functions such as risk assessments and vendor due diligence exposes the organization, at the very least temporarily, to additional unknown risk.
The IT and IS functions need to work together, but they also need their independence to be effective. What does that mean? It means they should sit at comparable levels of the organizational chart and report to neutral manager(s). If either function reports to the other, it would be difficult for the subordinate one to avoid bias, since the same leader would be weighing delivery pressure against the risk findings that could slow it down.
It truly is a balancing act, and the structure should be based on the risk appetite of the organization. I’ve seen these roles report to various leaders within organizations, and there isn’t a “one size fits all” solution. The key is to encourage a collaborative working environment while maintaining a level of independence for each role.
It’s a best practice to schedule regular IT/IS meetings to update key stakeholders and reconcile any outstanding issues. In addition to IT and IS, these meetings should include representatives from all key areas of the business. They should be organized around one objective: leveraging technology to execute the organization’s business strategy while maintaining a strong security posture.
We understand that this can be a sensitive issue within some organizations, and we’d be happy to provide an independent perspective. Send us an email at support@bedelsecurity.com to start a conversation or check out our CISO Assessment Service.
Additional Resources:
5 Reasons Information Security is a Team Sport
https://www.bedelsecurity.com/blog/5-reasons-information-security-is-a-team-sport
The Gist of Governance
https://www.bedelsecurity.com/blog/the-gist-of-governance
The Virtual CISO Whitepaper
https://www.bedelsecurity.com/the-virtual-ciso-whitepaper
Your Information Security Program Needs Focus
https://www.bedelsecurity.com/blog/your-information-security-program-needs-focus
Two Essential Ingredients to Improve Your Information Security Program
https://www.bedelsecurity.com/blog/two-essential-ingredients-to-improve-your-information-security-program
The 3 Key Roles in Cybersecurity
https://www.bedelsecurity.com/blog/the-3-key-roles-in-cybersecurity
Ensuring Independence in Your Virtual CISO
https://www.bedelsecurity.com/blog/ensuring-independence-in-your-virtual-ciso
vCISO Questions and Answers 03: What does a vCISO do and what does a vCISO not do?
https://www.bedelsecurity.com/blog/what-does-a-vciso-do-and-what-does-a-vciso-not-do