Why Information Technology is NOT Information Security

You may think your IT department is overworked and doesn’t respond. Or, you may think the IT folks are geniuses with everything under control.

Regardless, the nature of the IT Department is such that it focuses more on "availability" (keeping systems up and reachable) than on "security."

True, the IT Team is likely providing guidance on Information Security and adhering to a set of "cyber security" standards that it believes are correct. But the reality of the IT department is that it is trying to keep everything running, everyone connected, and every system patched and updated. It is not systematically and strategically assessing your Information Security posture and working to improve it.

The CIA Triad

The crux of the issue lies in the "CIA Triad." The CIA Triad frames Information Security as a balancing act between three goals that often pull against one another: confidentiality, integrity, and availability. (The "A" is sometimes loosely described as "accessibility," but the standard term is availability.)

  • Confidentiality: Prevents sensitive information from being disclosed to anyone who is not authorized to see it.
  • Integrity: Maintains the consistency, accuracy and trustworthiness of data over its entire lifecycle, so that it is not altered without authorization.
  • Availability: Ensures that information and systems are consistently and readily accessible to authorized parties when they need them.

For IT, Availability is King

The IT Team lives primarily in the Availability world. They are frequently measured by their ability to deliver up-time and access to the network and all the resources the organization requires.

Throughout the course of their day, they are required to make hasty risk analyses and approvals of applications, software, and network-access requests based upon the needs and desires of their end users or management. Navigating these decisions can be tricky, and IT managers may be unwilling or unable to conduct the in-depth analysis needed to protect the organization from risk.

The IT team is also frequently in reactive mode. They perform numerous break-fix duties and take pride in providing as close to 100 per cent up-time as humanly possible. They have little time for validation, strategic planning, and the implementation of an Information Security program.

The IT Team is often put in the position of being the technology problem solver. They are asked to "make it happen." If you'll pardon the retro reference, the IT team may be the "MacGyver" of your organization, fixing the problem, sometimes creatively, which unfortunately can introduce an unknown amount of risk into your organization.

For Information Security, Confidentiality Rules

Information Security Professionals, on the other hand, are focused on the information security posture of the organization rather than on keeping services running. Within the CIA triad, their weight falls on the Confidentiality side.

An Information Security Professional will:

  • Assess current Information Security Controls
  • Establish an Information Security Baseline
  • Discover and Report Vulnerabilities
  • Assess and Define Information Security Risk
  • Provide assistance regarding compliance and Cyber Security Maturity enhancement

Helping IT Implement “IS”

With Availability competing against Confidentiality, it's no wonder so many organizations struggle with information security. However, Information Security does not have to be overwhelming or complicated. Bringing in an unbiased perspective to assess your cyber security maturity can be an expedient way to determine which information security measures you need to take and in what priority.

CM3 provides baseline information security assessments which identify your risks and prioritize a plan for how to move forward. Please reach out for a consultation.