The relationship between IT and information security can be difficult to navigate: there are traditionally conflicting interests and perspectives between IT, which is responsible for making sure tools and systems work, and security, which must make sure they're protected.
Finding the right balance between accessibility and security is "a key part of the modern organization's success," said Juliet Okafor, senior vice president of global security solutions at Fortress Information Security, in an InteropITX presentation on the topic this month. Rigid silos between IT and security have become "a clear point of attack" leaving organizations vulnerable.
The dynamic between the two groups has changed along with technology. Back in the 1990s, security was considered a function of IT. Corporate networks had a hard perimeter; firewalls were the foundation of security. Modern enterprise computing environments have since become global, borderless, fully mobile, and more complex than ever before.
This evolution has driven new sets of challenges for both groups, said Okafor. IT is worried about data availability while security prioritizes data protection. IT focuses on system uptime; security works on system safety and control.
Culture also varies between the two. IT tends to be more agile, with shorter and more frequent maintenance windows. Operational technology, and sometimes security, typically require more time with longer maintenance periods. They don't want systems down for periods of time, she noted; they're operating in an environment where things have to stay up and running.
Companies are figuring out how to best position the two. An upcoming Dark Reading study on the relationship between IT and security found 37% of businesses surveyed have a distinct security department, with its own staff, within a larger IT department. Twenty-one percent have one or two security people in IT; 21% said they don't have any people who are dedicated to security full-time. This is just a peek at the study, which will be published in July.
Thirty percent of 120 technology and security professionals report IT and security work well together and their relationship is improving. The majority (38%) says while their dynamic is generally good, it "needs some work here and there." About one-quarter say miscommunication between the two has led to continuity or security issues.
"The disparity between how IT operates, and how infosec operates, demands we take a closer look at how they're working together," Okafor explained. "Due to budgets, reporting structure, IT and infosec often have a tough time with competing and sharing turf."
The CISO and security team should be given a seat the table when decisions are being made, she noted. Oftentimes they aren't: Only 15% of respondents in Dark Reading's study say security is at the table for the beginning of every new project, and their views are always considered critical. Twenty-eight percent say security is brought in at the start of most important projects and they have a strong voice.
However, nearly the same amount (27%) reports security is "consulted sometimes" and is usually heard "if it's a legitimate concern."
Technical knowledge is important but it's not the only answer to the problem, said Okafor. What's critical here is communication: the ability to understand and engage with the person you're talking to. "The biggest issue with security and technology tends to be people," she pointed out.
A key trend in bridging silos is having different team members work on problems together, she added. Give IT workers a sense of what security projects are like, for example, so they can learn about requirements and needs from the infosec side and apply those skills to other projects.
More and more, Okafor continued, success in security means knowing and understanding the business. Security professionals with business and/or liberal arts backgrounds can and should work with their IT colleagues, who have more technical expertise, to come up with more comprehensive solutions to problems. IT employees may also bring technical contributions to security teams, which may not have the same level of proficiency in Java or C++.
"The more we can bring IT people into infosec, the more the IT team, and the entire security department, benefits," said Okafor.