Information Security

You’ve decided you need to set up an Information Security group in your IT department, or perhaps you already have one but it is not performing to your expectations. One of the decisions you have to make is whether to integrate IT security within your current structure or to keep some of it separate from IT operations.

For example, do you want the same staff who patch servers and manage firewalls to perform audits and create policies? There are advantages and disadvantages to both approaches, and we will discuss some of them here.


In an environment where IT Audit and Policies are separated from IT operations, you have a separation of responsibilities, ideally with no conflicts of interest. This is because one group defines policies and procedures, and another group carries them out. The first group is also responsible for periodic audits to ensure that the second group is carrying out its duties appropriately.

The disadvantage to this is that it can, and often does, introduce conflict or bad feelings between the two groups, especially if you introduce this environment to a staff who have been performing both sets of duties for some time.


In an integrated environment, IT security policies, procedures and audits come under the same umbrella as IT operations. Here, you basically have the same group of staff setting standards and following them. Although there is no separation of duties, and this setup is sometimes referred to as ‘the fox guarding the chicken coop’, it is quite common in many organizations. In some cases, it works quite well. In other cases, not so much.

The advantage of this type of setup is that you are unlikely to see the same level of bad feeling between colleagues. The disadvantages are obvious and are largely due to there being no watchdog overseeing operations.

In my experience, I have found that the optimum setup is to have two separate groups for each functional area, reporting up to a very strong manager. The manager must be strong because inevitably, he or she will have to make some tough decisions on issues where both groups disagree with one another.

In addition, a governance model must be established and implemented so that each group clearly understands what their responsibilities are and how they should be carried out. This will eliminate most of the conflicts between the two groups.

If you are wrestling with this problem, give us a call to discuss setting up an appropriate governance model to meet your IT security requirements.