Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

11/13/2018
10:30 AM
Kevin Kurzawa
Kevin Kurzawa
Commentary
100%
0%

RIP, 'IT Security'

Information security is vital, of course. But the concept of "IT security" has never made sense.

Information security is vital, of course, and I'm not proposing its elimination. But it's time to kill off the whole concept of IT security because it never made sense in the first place.

Without doubt, information security is an essential function for any organization that values its data and/or reputation. However, the term "IT security" leads to confusion about what the security roles are, where the responsibilities start and end, and how competing objectives between departments are prioritized. This is especially important because information security has priorities opposed to those of the IT department.

Defining Terms
There are two possible meanings for "IT security." One focuses on the types of controls under its scope, applying only to technical safeguards and putting aside the administrative and physical ones. The alternative definition specifies the department that security is concerned with — IT, that is — and ignores information maintained by other departments.

Just as there is no marketing-specific security or HR-specific security, an IT-specific security focus makes little logical sense. Placing information security within another department leads to a narrower and short-sighted implementation of information security for the whole organization. 

Where IT Security Fails
When primary security expertise is located under the IT department, the perspective is restricted to the realm of the IT department and veers from information security's traditional holistic, organizational oversight. These two departments have different concerns, risks, and priorities. Some of the IT priorities are adaptability, technical features, and efficiency; infosec priorities include confidentiality, integrity, and availability. Some overlap occasionally will exist, but it is not significant enough to overcome the glaring differences and frequent conflicts between the two. 

An objective for one department introduces risks for the other. One example is the vulnerability scanning of network devices. Scans may cause additional scheduling headaches for IT, misbehaving devices, and user complaints about the efficiency of the systems. The consequence of a seemingly innocuous scan is that IT must temporarily put aside its priorities in order to react to these complications. So, obviously, vulnerability scanning is not on the IT wish list.

These frustrations work in both directions. New features that IT implements introduce more vulnerabilities, more systems to secure, and more risks. Information security staffers have additional headaches for every new system introduced to the environment. Therefore, a separation with distinct executive authorities should be maintained to serve as a check and balance to each other in the same way that a finance department exists to create a budget and prevent one department from spending all of the company's profits.

CIOs Are Not CISOs
I have the utmost respect for CIOs and the responsibilities that are endlessly heaped upon them. However, one responsibility that they should not be tasked with is information security. Infosec has its own skill set and mindset, which are different from those in IT because of how people in that role have been trained and conditioned. The difference in ability causes a difference in position; CIOs are specialists in IT, and CISOs are specialists in information security.

It's human nature for us to have a bias toward the things we know best. If security is under IT — as is the case with IT security — this bias will relegate the security objectives to secondary priorities, with IT goals taking precedence. Or, as sometimes happens, security objectives become merely an afterthought to IT's priorities. 

Infosec Done by IT
It's true that many organizations aren't large enough to justify an entire department for information security — especially when that group may be only one or two individuals, or not have a specialist. Usually in these situations, the responsibility for security controls are incorporated into the roles for whichever IT staff member is working on a function that overlaps both IT and infosec. This maintains the IT department as both the implementor and verifier of its own work, a significant conflict of interest. 

A Match Made in Heaven
Most every organization that has begun to implement security controls also already has either a risk management or internal audit department. Either of these departments is a better fit for an emerging information security group. A significant aspect of infosec is the verification of controls, and the independence from the operational duties of that which is being evaluated is key. This leaves the IT department as the implementors of the technical security controls, just as they were. However, now the governance of deciding which controls to implement and the verification of their effectiveness reside with an impartial entity outside of IT.

Give Infosec Some Respect
Information security deserves an equal footing just like any other foundational department, such as accounting, marketing, or IT. Conflicts between the different priorities should be settled by senior executives from multiple disciplines looking holistically at the costs and benefits instead of the inherently IT-focused CIO handling this intradepartmentally.

Make the Move
If you have an IT security group or security-focused staff that takes direction and reports to the head of IT (i.e., the CIO, VP of IT, etc.), then take the opportunity to properly segregate duties and the conflicting interests from one another. Move the processes for verifying technical, administrative, and physical information security controls to a separate department than the one implementing them.

Related Content:

 

Black Hat Europe returns to London Dec. 3-6, 2018, with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

Kevin Kurzawa has a background in a variety of environments, with each having its own unique business drivers. His experiences in IT and information security have ranged from Department of Defense contractors large and small (including Lockheed and Harris) to traditional ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
hucklesinthedark
100%
0%
hucklesinthedark,
User Rank: Author
11/19/2018 | 6:11:20 PM
Cybersecurity
I've always treated cybersecurity as a part of IT security, and you know how I feel about IT security now. I combine them because of the word cyber. Which means the internet, or all things digital. Hence, it's very limiting and most definitely wouldn't guard against the lost briefcase.

I assume cybersecurity is so frequently used because it has a cool rating of +8. There aren't many other words that can make you sound like a ninja quite like cyber can.
eatondave
0%
100%
eatondave,
User Rank: Strategist
11/19/2018 | 9:30:05 AM
and whilst we're at it let's kill "cyber security" as well
Am I the only one who has never really gotten the whole 'cyber security' thing? To my knowledge no-one has ever been able to come up with a definition that is universally accepted and every definition I've seen either misses out whole chunks of information security or tries to shoehorn them in, and ends up looking ridiculous. 

Whenever someone tries to explain to me that 'cyber security' covers everything I just ask them which 'cyber bucket' they place the risk of the CEO leaving his briefcase containing hardcopies of the latest M&A deal he's working on in the Uber cab.

Sure there are info sec risks in cyber land, just as there are info sec risks in the physical world, and info sec risks in the neural world as well. By sprinkling the term 'cyber' around like confetti at a wedding, we risk making that part of the risk spectrum which actualy causes the greatest number of incidents, namely the bioware; layer 8; users; people or as someone said to me recently - the 1D10T segment, think that it does not apply to them or that technology will fix everything.

 
7 Truths About BEC Scams
Ericka Chickowski, Contributing Writer,  6/13/2019
DNS Firewalls Could Prevent Billions in Losses to Cybercrime
Curtis Franklin Jr., Senior Editor at Dark Reading,  6/13/2019
Can Your Patching Strategy Keep Up with the Demands of Open Source?
Tim Mackey, Principal Security Strategist, CyRC, at Synopsys,  6/18/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-1874
PUBLISHED: 2019-06-20
A vulnerability in the web-based management interface of Cisco Prime Service Catalog Software could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected system. The vulnerability is due to insufficient CSRF protection mechanisms on the web-ba...
CVE-2019-1875
PUBLISHED: 2019-06-20
A vulnerability in the web-based management interface of Cisco Prime Service Catalog could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based interface. The vulnerability is due to insufficient validation of user-supplied input by t...
CVE-2019-1876
PUBLISHED: 2019-06-20
A vulnerability in the HTTPS proxy feature of Cisco Wide Area Application Services (WAAS) Software could allow an unauthenticated, remote attacker to use the Central Manager as an HTTPS proxy. The vulnerability is due to insufficient authentication of proxy connection requests. An attacker could exp...
CVE-2019-1878
PUBLISHED: 2019-06-20
A vulnerability in the Cisco Discovery Protocol (CDP) implementation for the Cisco TelePresence Codec (TC) and Collaboration Endpoint (CE) Software could allow an unauthenticated, adjacent attacker to inject arbitrary shell commands that are executed by the device. The vulnerability is due to insuff...
CVE-2019-1879
PUBLISHED: 2019-06-20
A vulnerability in the CLI of Cisco Integrated Management Controller (IMC) could allow an authenticated, local attacker to inject arbitrary commands that are executed with root privileges. The vulnerability is due to insufficient validation of user-supplied input at the CLI. An attacker could exploi...