Vulnerabilities / Threats

11/13/2018
10:30 AM
Kevin Kurzawa
Kevin Kurzawa
Commentary
100%
0%

RIP, 'IT Security'

Information security is vital, of course. But the concept of "IT security" has never made sense.

Information security is vital, of course, and I'm not proposing its elimination. But it's time to kill off the whole concept of IT security because it never made sense in the first place.

Without doubt, information security is an essential function for any organization that values its data and/or reputation. However, the term "IT security" leads to confusion about what the security roles are, where the responsibilities start and end, and how competing objectives between departments are prioritized. This is especially important because information security has priorities opposed to those of the IT department.

Defining Terms
There are two possible meanings for "IT security." One focuses on the types of controls under its scope, applying only to technical safeguards and putting aside the administrative and physical ones. The alternative definition specifies the department that security is concerned with — IT, that is — and ignores information maintained by other departments.

Just as there is no marketing-specific security or HR-specific security, an IT-specific security focus makes little logical sense. Placing information security within another department leads to a narrower and short-sighted implementation of information security for the whole organization. 

Where IT Security Fails
When primary security expertise is located under the IT department, the perspective is restricted to the realm of the IT department and veers from information security's traditional holistic, organizational oversight. These two departments have different concerns, risks, and priorities. Some of the IT priorities are adaptability, technical features, and efficiency; infosec priorities include confidentiality, integrity, and availability. Some overlap occasionally will exist, but it is not significant enough to overcome the glaring differences and frequent conflicts between the two. 

An objective for one department introduces risks for the other. One example is the vulnerability scanning of network devices. Scans may cause additional scheduling headaches for IT, misbehaving devices, and user complaints about the efficiency of the systems. The consequence of a seemingly innocuous scan is that IT must temporarily put aside its priorities in order to react to these complications. So, obviously, vulnerability scanning is not on the IT wish list.

These frustrations work in both directions. New features that IT implements introduce more vulnerabilities, more systems to secure, and more risks. Information security staffers have additional headaches for every new system introduced to the environment. Therefore, a separation with distinct executive authorities should be maintained to serve as a check and balance to each other in the same way that a finance department exists to create a budget and prevent one department from spending all of the company's profits.

CIOs Are Not CISOs
I have the utmost respect for CIOs and the responsibilities that are endlessly heaped upon them. However, one responsibility that they should not be tasked with is information security. Infosec has its own skill set and mindset, which are different from those in IT because of how people in that role have been trained and conditioned. The difference in ability causes a difference in position; CIOs are specialists in IT, and CISOs are specialists in information security.

It's human nature for us to have a bias toward the things we know best. If security is under IT — as is the case with IT security — this bias will relegate the security objectives to secondary priorities, with IT goals taking precedence. Or, as sometimes happens, security objectives become merely an afterthought to IT's priorities. 

Infosec Done by IT
It's true that many organizations aren't large enough to justify an entire department for information security — especially when that group may be only one or two individuals, or not have a specialist. Usually in these situations, the responsibility for security controls are incorporated into the roles for whichever IT staff member is working on a function that overlaps both IT and infosec. This maintains the IT department as both the implementor and verifier of its own work, a significant conflict of interest. 

A Match Made in Heaven
Most every organization that has begun to implement security controls also already has either a risk management or internal audit department. Either of these departments is a better fit for an emerging information security group. A significant aspect of infosec is the verification of controls, and the independence from the operational duties of that which is being evaluated is key. This leaves the IT department as the implementors of the technical security controls, just as they were. However, now the governance of deciding which controls to implement and the verification of their effectiveness reside with an impartial entity outside of IT.

Give Infosec Some Respect
Information security deserves an equal footing just like any other foundational department, such as accounting, marketing, or IT. Conflicts between the different priorities should be settled by senior executives from multiple disciplines looking holistically at the costs and benefits instead of the inherently IT-focused CIO handling this intradepartmentally.

Make the Move
If you have an IT security group or security-focused staff that takes direction and reports to the head of IT (i.e., the CIO, VP of IT, etc.), then take the opportunity to properly segregate duties and the conflicting interests from one another. Move the processes for verifying technical, administrative, and physical information security controls to a separate department than the one implementing them.

Related Content:

 

Black Hat Europe returns to London Dec. 3-6, 2018, with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

Kevin Kurzawa has a background in a variety of environments, with each having its own unique business drivers. His experiences in IT and information security have ranged from Department of Defense contractors large and small (including Lockheed and Harris) to traditional ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
hucklesinthedark
100%
0%
hucklesinthedark,
User Rank: Author
11/19/2018 | 6:11:20 PM
Cybersecurity
I've always treated cybersecurity as a part of IT security, and you know how I feel about IT security now. I combine them because of the word cyber. Which means the internet, or all things digital. Hence, it's very limiting and most definitely wouldn't guard against the lost briefcase.

I assume cybersecurity is so frequently used because it has a cool rating of +8. There aren't many other words that can make you sound like a ninja quite like cyber can.
eatondave
0%
100%
eatondave,
User Rank: Strategist
11/19/2018 | 9:30:05 AM
and whilst we're at it let's kill "cyber security" as well
Am I the only one who has never really gotten the whole 'cyber security' thing? To my knowledge no-one has ever been able to come up with a definition that is universally accepted and every definition I've seen either misses out whole chunks of information security or tries to shoehorn them in, and ends up looking ridiculous. 

Whenever someone tries to explain to me that 'cyber security' covers everything I just ask them which 'cyber bucket' they place the risk of the CEO leaving his briefcase containing hardcopies of the latest M&A deal he's working on in the Uber cab.

Sure there are info sec risks in cyber land, just as there are info sec risks in the physical world, and info sec risks in the neural world as well. By sprinkling the term 'cyber' around like confetti at a wedding, we risk making that part of the risk spectrum which actualy causes the greatest number of incidents, namely the bioware; layer 8; users; people or as someone said to me recently - the 1D10T segment, think that it does not apply to them or that technology will fix everything.

 
Windows 10 Security Questions Prove Easy for Attackers to Exploit
Kelly Sheridan, Staff Editor, Dark Reading,  12/5/2018
Starwood Breach Reaction Focuses on 4-Year Dwell
Curtis Franklin Jr., Senior Editor at Dark Reading,  12/5/2018
Symantec Intros USB Scanning Tool for ICS Operators
Jai Vijayan, Freelance writer,  12/5/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: I guess this answers the question: who's watching the watchers?
Current Issue
10 Best Practices That Could Reshape Your IT Security Department
This Dark Reading Tech Digest, explores ten best practices that could reshape IT security departments.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-3988
PUBLISHED: 2018-12-10
Signal Messenger for Android 4.24.8 may expose private information when using "disappearing messages." If a user uses the photo feature available in the "attach file" menu, then Signal will leave the picture in its own cache directory, which is available to any application on the...
CVE-2018-10008
PUBLISHED: 2018-12-10
A code execution vulnerability exists in the Stapler web framework used by Jenkins 2.153 and earlier, LTS 2.138.3 and earlier in stapler/core/src/main/java/org/kohsuke/stapler/MetaClass.java that allows attackers to invoke some methods on Java objects by accessing crafted URLs that were not intended...
CVE-2018-10008
PUBLISHED: 2018-12-10
An information exposure vulnerability exists in Jenkins 2.153 and earlier, LTS 2.138.3 and earlier in DirectoryBrowserSupport.java that allows attackers with the ability to control build output to browse the file system on agents running builds beyond the duration of the build using the workspace br...
CVE-2018-10008
PUBLISHED: 2018-12-10
A data modification vulnerability exists in Jenkins 2.153 and earlier, LTS 2.138.3 and earlier in User.java, IdStrategy.java that allows attackers to submit crafted user names that can cause an improper migration of user record storage formats, potentially preventing the victim from logging into Jen...
CVE-2018-10008
PUBLISHED: 2018-12-10
A denial of service vulnerability exists in Jenkins 2.153 and earlier, LTS 2.138.3 and earlier in CronTab.java that allows attackers with Overall/Read permission to have a request handling thread enter an infinite loop.