‘Separating IT and cyber security: A necessity not a nice to do’


Even with the GDPR less than one year away from implementation, and cybersecurity rising swiftly up business leaders’ agendas, most organisations still do not have the right governance in place to protect themselves from cyber attacks. Historically, IT departments have taken responsibility for overseeing cybersecurity, but in today’s regulatory environment this practice simply isn’t appropriate or effective.  

A holistic cyber security strategy is no longer a ‘nice to have’ but a business necessity, and ensuring that you have a suitable governance structure in place is crucial.

Cyber security and IT responsibilities must be separated in order to provide adequate checks and balances and ensure that existing cybersecurity measures are effective in protecting the business against a variety of malware and ransomware.


In most organisations, IT departments are responsible for configuring and maintaining on-premises network infrastructures and cloud-based systems, so they cannot also be responsible for verifying the security of these networks. This situation would be akin to asking a payroll professional to audit their own entries – in short, it’s simply not appropriate.

When a business reaches a certain size, it will almost certainly engage with two separate accountancy firms, one to file its taxes, and another to complete its annual audit. The two very rarely interact, and it is unlikely that businesses would entrust the same firm with both responsibilities.

Naturally, leaders would want to ensure they have an independent, quality review from an entirely separate team to ensure that practices are being conducted properly, efficiently and in line with relevant regulation.

Similarly, cyber teams should be kept entirely separate from their counterparts in IT, and cyber security measures should be audited and reviewed by an expert who has had no involvement in the creation of said network defences.

Furthermore, while it’s often expected that IT teams have a reasonably wide-ranging understanding of cybersecurity, the fact remains that IT professionals are not necessarily cyber security experts.

IT and cybersecurity professionals have very different skill sets, and while IT professionals will likely have a grasp of basic cybersecurity principles, they are far less likely to be knowledgeable about the evolving nature of individual cyber-risks and the potential threat they pose to businesses.


However, the issue remains that cyber security professionals are particularly difficult to find, train, and retain. A cyber expert must have an exceptional combination of skills.

Not only do they need hard computer science skills, such as an in-depth knowledge of operating systems, networks, databases, and programming, they also need a refined set of cognitive skills, such as critical thinking and creative problem-solving. Even large international businesses can struggle to assemble and maintain a team with such a specific set of skills and the relevant experience.

Therefore, for most companies the best way to manage their cyber security function is to hire an external firm that can provide this expertise – crucially one that maintains a team of highly capable consultants. It’s also worth considering how you outsource your cyber security function, as retaining a firm that can provide a comprehensive review of all cybersecurity issues is essential.

To avoid ending up with a fractured approach to cyber security, companies should look for a cybersecurity partner who champions a holistic approach. Having one company complete a penetration test and another configure a firewall is neither cost effective nor efficient.


Regardless of whether you are an SME or an established company, it’s crucial that you have appropriate governance structures in place which establish a clear division between the responsibilities of IT and cyber security teams as well as a formalised escalation plan for when breaches or attacks occur.

For many companies, this means engaging with a firm that can provide expert advice and feedback on all aspects of your cybersecurity strategy – from designing security into a system at the chip and board level all the way up to understanding enterprise issues both on premises and in the cloud.


Sourced by Jeremy Rasmussen, Cyber Security director, Abacode




Nick Ismail
