August 04, 2015

IT Department Structure: Why It’s Time to Move Information Security Out of IT


Many security experts today are recommending that organizations move the information security role out of the IT department structure.

Back in the 1990s, it made perfect sense for security to be an IT function, writes Lior Div of the cyber security firm Cyberreason in a recent post. “But that was before enterprise-computing environments went global, borderless, fully mobile, and extremely complex.” With record-breaking security breaches occurring on a regular basis, he says it’s clear that corporate cyber security requires a major overhaul.

Here are some of the recommendations for the information security role in an organization.

Acknowledge the Important Security Function

While the responsibility for protecting an organization’s data used to belong to the IT function, “IT is about looking after technology resources,” said Paul van Kessel of EY, which manages the long-running EY Global Information Security Survey. “Data security is a strategic business imperative that requires an enterprise response under the broader information security umbrella.”

Mind the Security Gap

The information security gap is wider than ever due to the speed and complexity of the threat landscape – and cloud computing, social media, mobile, and business and personal crossover. Giving information security a voice of its own will better address those issues.

Support the Different Mindset

The IT department is service-oriented and tends to operate on a time and productivity basis, says Div. Today’s threat landscape requires security professionals to be more proactive about information security. “If security teams continue to operate in a culture dominated by the IT mindset, they will be more likely to miss important clues and hinder the ability to detect cyber-attacks.”

Give Security a Place at the Table

When security comes under the IT department structure, it’s not always included in decision-making at higher levels. Today, an information security officer should be involved during strategic planning to identify and mitigate security risks.

Separate the Departments

“Today’s security pros are no longer sentries guarding clear, digital borders,” says Div. “They’re risk managers and strategists. As such, it makes sense for them to sit outside of IT and be involved in strategic planning and report to management.”

At the same time, a Financial Services Institute 2014 study emphasized that privacy is a legal and compliance issue – not a technology issue. While IT staff keeps the technology infrastructure safe, the information security department, headed by a chief information security officer, should spearhead data protection.

Put Together a Trained Team

In the traditional IT structure, a common mistake was to ask system administrators or network monitoring professionals to handle security duties as part of their daily routine. Security awareness training is critical for all employees, and educational institutions such as the SANS Institute provide specific security and cyber security training.

Integrate Information Security

According to experts, ensuring that an organization defends all of its critical assets can no longer be delegated to IT. A proper security department will protect against external and internal threats by implementing a corporate culture of security from the top down with comprehensive security policies and procedures integrated into the workplace and the information security strategy linked to the business strategy.

Organizations are not paper-free yet.  Outsource document shredding to eliminate the risk of a data breach. Partner with a trustworthy shredding company that provides locked consoles, on- or off-site shredding, and a Certificate of Destruction after every shred.