Many organizations mistakenly house their cybersecurity function within their IT department, assuming the two functions are similar enough. But cybersecurity and IT need to maintain healthy boundaries in order to provide the highest levels of service to their organizations.
At Asylas, we see it all the time: IT departments with a small sub-team focused on security, or a CIO with no CISO counterpart. It’s not only a conflict of interest; it also lowers the success rate of the security function. IT departments are laser-focused on functionality and efficiency, while cybersecurity focuses on protection and risk management. When security operates under the rule of IT, safety is often sacrificed on the altar of convenience and efficiency.
Understanding the differences between these two critical functions helps to make the case for why they should be separated.
IT and Cybersecurity: Different at the Core
A good IT team is focused on managing and maintaining an organization’s technology infrastructure. This includes software, hardware, networks, and systems. The goal is to keep the business’s tech running smoothly and to support business operations with minimal user friction.
One could argue that cybersecurity is a specialized branch of IT, especially since the two teams touch many, if not all, of the same systems in their day-to-day operations. But the mindset of a security team is inherently different.
Security focuses on protecting the systems, networks, and data that the IT team has set up from cyber threats, unauthorized access, and breaches. Security teams often introduce friction into the user experience as a safeguard against risk.
And that is the fundamental conflict: how much user friction is tolerable? IT prioritizes speed and availability, while cybersecurity prioritizes caution and security. When one function is housed inside the other, the freedom to operate based only on your function’s mandate is compromised.
The Risk of Merging IT and Cybersecurity
Due to the nature of their differences, IT and security teams frequently deal with conflicting priorities. IT teams prioritize uptime and productivity, which may lead to oversights when it comes to security. On the flip side, cybersecurity teams prioritize risk reduction, sometimes at the expense of convenience.
Consider the simple act of logging into your company laptop and accessing files that are critical to your job. IT wants you to enter the system quickly and painlessly (and without a call to support). Security wants you (and only you) to enter the system safely, to maintain a secure connection for the duration of your working session, and to view, edit, or share only the data your role requires. Of course IT will make you enter a password to access your laptop. But security will ensure that the password is high-quality, while also training you to use the VPN and encrypting data when required.
In addition to following different priorities, IT professionals often lack the specialized expertise required to maintain a high level of cybersecurity. Cyber threats evolve rapidly, requiring dedicated security professionals who can focus on the changing threat landscape.
When IT oversees security, there’s a higher risk of bias or oversight in assessing risks.
Cybersecurity is a Business Risk Function
Many leaders make the mistake of thinking that cybersecurity is a minor issue that can be handled by IT and then forgotten. But the truth is that cybersecurity affects an entire organization. Poor security risks financial loss and reputation damage.
The increasing role of regulations and compliance requires organizations to invest in dedicated security leadership. There are legal consequences for failure to comply with GDPR, HIPAA, and other evolving mandates.
The National Public Data incident could have ended as a minor breach, but poor boundaries between IT and cybersecurity helped catapult the attack into a business-ending catastrophe. NPD is a data aggregator for background checks, and the company holds the personal data of nearly every American. Its systems were first accessed through a security lapse in December 2023. That lapse was compounded when an NPD data broker accidentally exposed a file containing passwords to its backend database on the website’s homepage. The end result was that 2.7 billion pieces of data, including the names, addresses, and social security numbers of most Americans, are now freely accessible on the dark web.
No system is completely immune to attackers. But NPD could have slowed or prevented this catastrophe by addressing any of several weaknesses. A proactive security posture would have retired outdated systems, enabled MFA (multi-factor authentication) wherever available, and monitored APIs more closely. Failing to monitor the network in real time and failing to encrypt sensitive information were both critical oversights.
How to Strengthen Cybersecurity as a Separate Function
Cybersecurity should be an independent function with direct reporting to executive leadership. The CISO should report to the CEO/CFO/COO rather than to an IT director or executive.
This separation will improve the organization’s security posture: risk assessments will be more rigorous, incident response times will improve, and accountability and compliance will rise.
For leaders who are ready to right their ship by creating a healthy boundary between IT and security, the following tips may come in handy.
- Hire or elevate a dedicated cybersecurity team
- Implement security governance frameworks (NIST, Zero Trust models, etc.)
- Regularly audit and assess IT and security practices independently
- Educate leadership on the importance of cybersecurity as a business risk function
- Encourage cross-functional collaboration between IT, security, and compliance teams
Conclusion
IT and cybersecurity serve different purposes. Merging them as one function creates an intolerable amount of risk. Healthy IT and security departments require healthy boundaries.
If your organization’s IT and security functions are too deeply entwined, it’s time to reevaluate your cybersecurity function and consider separating it from IT. Your threat resilience will do nothing but improve.
Want to learn more about how to structure your company’s IT and cybersecurity departments so they can stop stepping on each other’s toes? Reach out to Asylas at 615-622-4591 or email info@asylas.com. Or complete our contact form.