Many small and medium-sized companies are missing the boat in terms of their IT security. In an area where expert knowledge is required, IT generalists are put to use. A rethink is needed. The first steps towards a change are underway, but many IT departments are still fighting an uphill battle.
When looking at the staff composition, you will find that all of them are basically doing a good job. With staffing and budgets traditionally tight, they manage to keep everyday operations going while also taking care of occasional hiccups in their systems. What are they expected to be proficient in? Basically everything from user account creation and administration to software installation and maintenance, planning of (sub)networks, router configuration, and hardware maintenance. Many IT departments have mastered the art of bending over backwards to keep the business afloat.
Things become murky when looking specifically at IT security. Most IT people are aware that communications should be encrypted where possible; they know that permission levels are important to have and that security entails more than protecting things with a password. Often, though, that knowledge does not go beyond a basic to mid level.
This is where the problem lies: a great number of those working in IT are not security experts. This is not really their fault: especially during the early days of workplace digitization, security was not a concern. What was (and still is) required are people who are capable of planning and implementing sustainable concepts as well as maintaining them. They have done their jobs well and still do. However, it takes more to effectively secure a network. Any plan should be made under the premise that an emergency will occur at some point. In an ideal world, every network is planned with security in mind. Unfortunately, the reality consists mostly of networks that have grown over time and which now need securing. Being able to plan an entirely new network from scratch is the exception rather than the rule.
If you ask any manager what the IT department is responsible for, the most obvious answer would be "They are responsible for IT, of course." But what exactly does this mean? What are the people in the IT department held accountable for? It is very likely that you will get an answer along the lines of "The IT department is there to make sure that all PCs and servers, as well as the business processes involving them, are working properly." So apparently, the primary task of the IT department is to keep operations going and to add or replace components every now and then. Before new security issues were being uncovered on a weekly basis, this was perfectly appropriate. When security issues started taking center stage, it was clear in most cases that these issues involved IT components – and that's what the IT department is responsible for, after all.
IT security as a domain in its own right had at best been leading a life in the shadows. In the best case, this practice translates to a high level of stress for IT departments. In the worst case, it can be the root cause of spectacular security incidents. In any case, to think that the IT department should also be responsible for IT security is no longer appropriate. The realization that security is playing an increasingly important role in today's modern and connected business world is gradually taking hold. Everybody understands that an IT outage caused by a hardware defect or a malware infection is a problem – when no invoices can be created or goods cannot be kitted, the company is losing money. The same is of course true if confidential information or trade secrets are exposed. But: old habits die hard.
Here we have arrived at the core of the problem. Security needs collaboration and, above all, time. In organizations where the IT department is already stretched almost to breaking point with the tasks it has accepted, it is hardly surprising that the first measures to be cut back are those that require the most time and are the least critical for maintaining everyday operations. In such an environment, in-depth and effective security measures have no chance of gaining any traction. Those chances get even slimmer if employees or even senior executives feel that a proposed security measure is getting in the way of their work.
It is a fact that the IT department's responsibilities towards maintaining everyday business are going to remain the same, whereas the demand for security is constantly increasing. IT security has become much more than "just another one of IT's side shows", so it can no longer be dealt with "on the side". This field requires profound knowledge and expertise. The challenge for management, therefore, is to make this knowledge available to their organizations. This can happen through new hires, through qualifying existing IT staff, or by getting external providers on board. The latter makes a lot of sense for companies that do not have the capability to create a dedicated position for a security expert.
When anything security-related is championed by upper management, it immediately carries a very different weight than it would if a lower-tier IT admin were trying to propose and push the same project.
On one hand, it is a topic which should not be underestimated under any circumstances. On the other hand, we have to concede that the majority of organizations have their business focus outside IT security. It is in those organizations where outsourcing the security aspect of their IT to a dedicated provider is especially worth considering. In the long run, there is not going to be a way around this – businesses and IT service providers need to consider hiring IT security specialists in addition to their IT generalists. This is going to be the only viable method of getting a sustainable security concept without breaking the bank.