IT and IS: Separation of Powers
At first sight, an information security job does not differ dramatically from an information technology job. There is, however, a significant difference between the two fields. According to Candy Alexander, who directs the Cyber Security Career Lifecycle program for the Information Systems Security Association, “technologists want to see how something runs,” while “security people want to see how something breaks.”
What sets information security professionals apart is that working with technology is only part of their responsibilities. Every cybersecurity professional should understand IT and apply that knowledge in practice, but should also handle the managerial and organizational issues that lie outside the competence of IT specialists. In other words, every cybersecurity professional should know IT, but an IT specialist is not necessarily an IS professional.
At the same time, the shortage of IS staff is acute. According to Steve Morgan, Founder and CEO of Cybersecurity Ventures, demand for the cybersecurity workforce is expected to rise to 6 million globally by 2019. The main problem lies not so much in applicants’ limited technical knowledge as in their lack of strategic thinking and their ability to cooperate with management. A good cybersecurity specialist should not only be a qualified IT professional but also an “effective manager” who can assess business risks and has a sound understanding of enterprise economics. That, in turn, makes IS professionals closer to engineering specialties than to ordinary technical specialists.
The reason management sees so little difference between IS professionals and technical specialists is that the information security unit often sits inside the IT department. At first sight this seems reasonable, because information security is tied to technology and the same specialists work on both IS infrastructure and software. Physical and economic security are treated as separate functions, yet even in large companies the information security unit can be subordinate to the IT department. The question of whether the CISO should report to the CIO has been raised repeatedly.
Why can an IS service not operate fully within the IT department? The problem is that, in this arrangement, IT management can itself be part of the insider threat. Data leaks can originate with IT professionals, and when IT and IS staff work as one team there is a risk that those IT staff end up outside the controlled environment. IT specialists will not necessarily be the cause of security incidents, but by ignoring that possibility IS departments effectively shoot themselves in the foot. According to Ponemon Institute research, a large number of data breaches can be caused by privileged insiders with high access rights, including IT specialists.