Over the past 15 years, I have watched the tremendous growth and adoption of Information Security practices in organizations. While the profession has been around longer than that, I personally wasn’t involved with or engaged with a formal Information Security program until October 2004. One thing I’ve learned over those years is that there is a need to build a strong partnership between the IT programs and the Information Security programs at an organization.
A lot has been published over the years about the need for an Information Security program to be independent and not heavily influenced by IT. This independence is advocated so the information security team can assess risk and advise senior leadership of those risks without IT influence that can lead to the urgency or impact of a risk being downplayed in our registers. While that certainly can happen, if the partnership between IT and Information Security is established with the shared goal of protecting the organization’s digital assets as a team, concessions on risks that could lead to a costly breach are less likely. My belief is that if the organization properly defines the services each function is responsible for and each function’s role in securing the digital assets, the partnership can flourish.
So how can you ensure this partnership flourishes when often the first response to a risk, such as a software vulnerability, is to explain why the risk exists? It is human nature to try to explain why something happened in the first place rather than to work together to make it better. The initial defense can cite a lack of resources, a perception of mitigating controls, disagreement with the risk assessor’s risk score, or even doubt about the likelihood of attack. But more often it stems from how the information is presented to IT by Information Security and from how well everyone understands their role on the team. I so often hear from IT that Information Security is “throwing us under the bus” when it identifies a risk, or that it is calling out a staff member for not performing their job. Well, maybe that could happen, but it isn’t what Information Security is about.
In short, Information Security is the practice of protecting information by mitigating information risks. You can’t do that if you don’t identify what the risks are, which unfortunately means that you sometimes need to point out deficiencies in IT’s technology, practices, or procedures, and that is why you see such a defensive response. However, if you can work with IT up front to decide how you will address or treat the risks, how you will evaluate the risks, and how together you will report on the risks, the partnership can grow. If you take a one-sided approach where either side dictates those items to the other, then you will undoubtedly continue to foster a defensive culture between the two teams.
To build the partnership between IT and Information Security, you need to focus on a few key areas:
1) Define the roles each of you needs to play in protecting information at your organization.
2) Determine what will need to happen when a risk is discovered, regardless of who discovers it. Information Security’s job is to find where the risks are, but they aren’t the only ones who discover risks.
3) Build a communication plan that covers who will be informed about risk, what will be communicated, and, more importantly, how you will communicate it. If the messaging appears to throw someone under the bus, then it really does. But if you build the messaging collaboratively, the organization will know that its technical resources have partnered in the success of the organization by protecting its digital assets.