Your organization’s leaders have been operating under a delusion and it’s putting your company at risk. That delusion is the belief that your IT people know how to do security and compliance properly. This is a particularly rampant assumption that I run into all the time, and it’s almost always a false one.

Let me be clear: no matter how good they are, your IT team should NOT be the ones running your cybersecurity program, and there are several reasons why. Period.

Just because you know how to drive a car, that doesn’t mean you know how to replace a transmission. Likewise, IT personnel can administer your network, they can resolve computer problems, and they can set up a VPN. But that doesn’t mean they know how to do everything in a secure and compliant manner.

This is the case whether you have an in-house IT team, an outsourced IT company, or even a hosting company that markets itself as secure and compliant. Here’s why.


IT Personnel Aren’t Cybersecurity Experts

In many of my discussions with stakeholders, leadership assumes that their IT department has the security expertise needed to protect the company. And time after time, leadership is quickly proven wrong. This assumption is one of the greatest mistakes an organization can make, because you are literally placing your company’s future at risk. A single data breach can put a small- or medium-sized organization out of business within months.

When your leadership assumes that IT can do security, it places everyone in an awkward and tenuous position. Your IT people don’t want to admit that they don’t know everything, because they’re used to finding ways to solve problems and being the go-to tech heroes. But security isn’t a problem that can be solved by doing online research. 

It’s not a failing that your IT team doesn’t know everything about security and compliance. They’re great at what they do. But IT and cybersecurity are two different fields, requiring two different realms of expertise and two different skill sets.


What’s the Difference Between IT and Cybersecurity?

The roles of IT and cybersecurity should be treated as two distinct functions, with cybersecurity also serving as an internal audit function over IT. That is a healthy check and balance between the two, not dissimilar to the roles in finance at a typical organization: one group keeps the day-to-day books, while a separate function provides financial audit and oversight. Check and balance, with clearly specified roles for both functions, for the betterment of the organization overall.

Leaving everything in the hands of IT means there is no check and balance in place. When those aforementioned bad assumptions come back to haunt your organization, the experience will be akin to watching a train wreck you just can’t look away from.

IT oversees the use of technology to manage and process information within organizations. It creates, maintains, and manages computer and network infrastructures so that they run optimally and provide the solutions and computing power that the organization needs.

Cybersecurity, on the other hand, involves the protection of these systems from internal and external threats. 

If your computer and network infrastructure were a house, IT would be in charge of architecting, building, and maintaining the physical structure. Cybersecurity would be in charge of keeping the wrong people out. Using IT teams for cybersecurity is like expecting your remodeler to provide home security. 

What About IT Companies That Offer Cybersecurity Services?

Third-party IT providers are used to operating in a competitive market that’s absolutely cutthroat. There’s an incentive to present themselves as security experts in order to gain new clients, even if they don’t have depth of experience. 

It’s very rare to find IT companies that can adequately provide cybersecurity services. I’ve seen it firsthand countless times in client engagements: the day-to-day IT providers weren’t being truthful about what they were really qualified to do, adopting a fake-it-till-you-make-it mentality.

I was assisting an organization that needed to get through a series of security and compliance engagements. They had a third-party company providing day-to-day IT services. As I began my work with the client, I needed to get a sense of their current situation and interviewed several internal and external personnel, including the IT service provider.

I wasn’t expecting a ton of expertise from the internal staff, but I was assured that the IT company knew what they were doing from a security and compliance standpoint. I walked into the conversation, and even in the initial dialogue I saw hints that something was off. 

It wasn’t long into the conversation that I realized they didn’t understand basic best practices. For example, their idea of centralized logging was that the logs exist on the target systems, so you can go in and look at them. That’s not central logging. Logs that stay on the host they came from are the first thing an attacker with a foothold edits or deletes, and they can’t be correlated across systems or checked for gaps; central logging means every host forwards its events to a separate, protected collector as they happen. In fact, there was no infrastructure for centralized logging at all.

Other core concepts of security and compliance were missing. They didn’t have an updated and accurate asset inventory, and there was no network diagram, which means nobody could say with confidence what existed, where it sat, or what needed protecting. The most basic elements of a security/compliance program weren’t in place. Even the information security policy was a mess and misaligned with the objectives of the target organization. I could go on.
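As an added illustration (not part of the original article and not TCT’s code), here is a small Python model of the difference the two paragraphs above describe: syslog lines from several hosts are ingested into one store, that store is checked against the asset inventory for hosts that have gone silent or were never inventoried, and one cross-host query is run that is simply impossible while each host keeps its own logs. The hostnames, log lines, inventory and reference time are all constructed for the example.

```python
"""Added example: what "centralized logging" buys you that host-local logs do not.

All hostnames, log lines, the inventory and the reference time below are
constructed for this illustration; nothing here is from a real environment.
"""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed RFC 5424 syslog lines, as a central collector would receive them.
SAMPLE_LOG_LINES = [
    "<86>1 2024-05-01T10:00:05Z web01 sshd 1201 - - Accepted publickey for deploy from 10.0.0.7",
    "<86>1 2024-05-01T10:01:10Z web02 sshd 1410 - - Accepted password for root from 203.0.113.9",
    "<13>1 2024-05-01T09:20:00Z db01 cron 77 - - (root) CMD (/usr/local/bin/backup.sh)",
    "<86>1 2024-05-01T10:02:00Z lab-box sshd 9 - - Accepted password for admin from 10.0.0.50",
    "<86>1 2024-05-01T10:02:30Z web01 sshd 1202 - - Failed password for invalid user test",
]

# Constructed asset inventory: every host that is supposed to forward its logs.
INVENTORY = {"web01", "web02", "db01", "vpn01"}

# Fixed "now" so the example is deterministic; a real check would use the clock.
NOW = datetime(2024, 5, 1, 10, 5, tzinfo=timezone.utc)
MAX_SILENCE = timedelta(minutes=15)

# <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|\[.*?\]) ?(?P<msg>.*)$"
)


def parse_syslog_line(line: str) -> dict | None:
    """Parse one RFC 5424 line; return None for anything that does not match."""
    m = SYSLOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    facility, severity = divmod(int(rec.pop("pri")), 8)
    rec["facility"], rec["severity"] = facility, severity
    rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
    return rec


def ingest(lines) -> dict[str, list[dict]]:
    """The 'central store': every parsed event, keyed by originating host."""
    store: dict[str, list[dict]] = defaultdict(list)
    for line in lines:
        rec = parse_syslog_line(line)
        if rec is not None:
            store[rec["host"]].append(rec)
    return dict(store)


def silent_hosts(store, inventory, now=NOW, max_silence=MAX_SILENCE) -> set[str]:
    """Inventoried hosts whose newest event is older than max_silence, or absent.

    A host that stops forwarding is either broken or has had its agent switched
    off by someone who does not want to be seen; both deserve a ticket.
    """
    silent = set()
    for host in inventory:
        events = store.get(host, [])
        if not events or now - max(e["ts"] for e in events) > max_silence:
            silent.add(host)
    return silent


def unknown_hosts(store, inventory) -> set[str]:
    """Hosts that are sending logs but are missing from the asset inventory."""
    return set(store) - set(inventory)


def root_password_logins(store) -> set[str]:
    """Hosts where root authenticated over SSH with a password.

    One query across every host at once; not askable while logs live per host.
    """
    return {
        host
        for host, events in store.items()
        for e in events
        if e["app"] == "sshd" and e["msg"].startswith("Accepted password for root ")
    }


def coverage_report(lines=SAMPLE_LOG_LINES, inventory=INVENTORY) -> dict[str, set[str]]:
    """Run all three checks over the constructed sample and return the findings."""
    store = ingest(lines)
    return {
        "silent": silent_hosts(store, inventory),
        "unknown": unknown_hosts(store, inventory),
        "root_password_logins": root_password_logins(store),
    }


if __name__ == "__main__":
    for name, hosts in coverage_report().items():
        print(f"{name}: {sorted(hosts)}")
```

On the constructed sample the report flags db01 (last event 45 minutes old) and vpn01 (never seen) as silent, lab-box as a host the inventory does not know about, and web02 as the host where root logged in with a password. None of those three findings is visible from any single host’s own log file, which is the point the anecdote above is making.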

Unfortunately, this example isn’t a rare outlier.

For someone with security and compliance experience, it becomes crystal clear almost immediately whether an IT provider actually knows what they’re talking about. You’ve either walked the walk or you haven’t. And if you’re faking it, a practitioner will spot it quickly. It’s like trying to speak a language you’ve never studied: you might fool people who don’t speak it, but you won’t fool a native speaker, even for a minute.

If you’re relying on your internal IT personnel or an external IT provider to handle your cybersecurity and compliance program, you’re gambling with your organization.


Who Should Fill the Cybersecurity Role in Your Company?

If IT personnel aren’t cybersecurity experts, who do you need to hire to fill the gap?

My biggest recommendation to any organization is NOT to go straight to a security/compliance Assessor. While an Assessor knows what they’re doing, their job is to evaluate your company against the target framework. They come in, validate your company, and walk away. It is not their role to hold your hand as you try to figure it out. 

Don’t get me wrong, they will certainly provide high-level directional guidance, but their role is not to become your de facto operational security team. Frankly, it would be a conflict of interest to be responsible for day-to-day security while also assessing your stance.

Instead, hire an organization that provides security consulting services — a firm that can act as your internal audit function. A Consultant will be on your side and won’t judge you based on what state your organization is in when they first walk through the door. Their priority is to get you where you need to be so that you can reduce risk to the organization and prepare you to meet your additional security and compliance obligations.

Because the Consultant is part of your team, you can be completely honest with them about your current practices and situation. You don’t have to worry about any skeletons in your closet. Your Consultant won’t report you, and they don’t care about what happened before — they only care about getting your organization in shape. 

TCT can provide security/compliance consulting services to organizations of any size. We also partner with consulting firms and are happy to make referrals, if you prefer. But whatever you do, don’t go it alone. Hire a security and compliance Consultant who can get your organization’s ducks in a row and keep them there. This is by far the best, safest, and most effective way to ensure that your company’s protection is as strong as possible.

Support Your IT Professionals

Once your leadership recognizes that it isn’t appropriate to depend solely on IT for cybersecurity protection, you’ll need to start with an initial gap assessment of the organization against your target objectives. I guarantee that the first time a Consultant comes in and assesses your present stance, they will find all kinds of gaps you never knew you had. There will be a lot of items that need to be remediated.

When that happens, it will be tempting to point fingers at IT for dropping the ball. Leadership may want to say things like:

  • Why haven’t we been doing X?
  • It seems obvious that we should have had such-and-such in place.
  • Why didn’t anyone ever notice this or that?

Resist that urge. Remember, your IT team isn’t made up of cybersecurity experts, and they’ve been doing their absolute best until now.

If leadership throws your IT personnel under the bus over these findings, or makes any kind of insinuation that they aren’t doing their jobs well, you’re just burning a good resource that doesn’t deserve the heat. You will inevitably lose good people who have given blood, sweat, and tears to your organization.

Instead, it is critical that your IT staff be well supported within their realm of expertise. They aren’t security experts — nor should they be. These are two different careers with two different sets of skills, backgrounds, and knowledge. Your IT people should never have been thrust into security responsibilities to begin with. Reminder: this all started with a bad assumption by leadership.

As your company brings on security experts, it is of utmost importance that you affirm the work of your IT professionals and communicate throughout the company that you have their back. Make sure that leadership walks that walk.


Establish a Strong Cybersecurity Foundation for Your Organization

I understand the dynamics involved with your cybersecurity program. Everyone is trying to make ends meet in the most cost-effective way possible. If you can kill two birds with one stone, why wouldn’t you? But the problem with this scenario is that the lack of clarity, the lack of candor, and the bad assumptions all combine into a perfect storm of significantly increased risk for your company.

Don’t play with the viability of your organization. Relying on ill-equipped IT personnel leaves multiple holes in your protective armor. It isn’t just one weak point that might go unnoticed; there are many weak points throughout your environment, and every one of them is exposure an attacker can use.

Is it time to relieve your IT personnel of the security burden and bring in a cybersecurity Consultant? TCT can help you find the right person for the job. Let’s talk!
