The Bedel Security Blog

Managing the Relationship Between Information Technology and Information Security

Written by Vance Monical | Mar 18, 2022

It’s easy to use the terms “Information Technology (IT)” and “Information Security (IS)” interchangeably. They are equally important but serve different roles within organizations. Information Technology tends to focus on availability and technical aspects while the primary objective of Information Security is to manage IT risk to an acceptable level as determined by management.

Managing these roles can be challenging, as the objectives of the two functions have the potential to conflict with one another. For example, IT could be under pressure from business leaders to roll out a new system that has significant financial implications for the organization. It could be tempting to rush through the implementation and play catch-up with IS on the back end. Delaying important IS functions such as risk assessments and vendor due diligence, at the very least, temporarily exposes the organization to additional unknown risk.

The IT and IS functions need to work together but also need their independence to be effective. What does that mean? It means that they should be on comparable levels of the organizational chart and report to neutral manager(s). If either role reports to the other, it would be difficult to avoid bias.

It truly is a balancing act and should be based on the risk appetite of the organization. I’ve seen these roles report to various leaders within organizations and there isn’t a “one size fits all” solution. The key is to encourage a collaborative working environment while maintaining a level of independence for their respective roles.

It’s a best practice to schedule regular IT/IS meetings to update key stakeholders and reconcile any outstanding issues. In addition to IT and IS, representation at these meetings should include representatives from all key areas of the business. The meetings should be organized with the objective of leveraging technology to execute the organization’s business strategy while maintaining a strong security posture.

We understand that this can be a sensitive issue within some organizations, and we’d be happy to provide an independent perspective. Send us an email at support@bedelsecurity.com to start a conversation or check out our CISO Assessment Service.

Additional Resources:

5 Reasons Information Security is a Team Sport
https://www.bedelsecurity.com/blog/5-reasons-information-security-is-a-team-sport 

The Gist of Governance
https://www.bedelsecurity.com/blog/the-gist-of-governance

The Virtual CISO Whitepaper
https://www.bedelsecurity.com/the-virtual-ciso-whitepaper

Your Information Security Program Needs Focus
https://www.bedelsecurity.com/blog/your-information-security-program-needs-focus 

Two Essential Ingredients to Improve Your Information Security Program
https://www.bedelsecurity.com/blog/two-essential-ingredients-to-improve-your-information-security-program 

The 3 Key Roles in Cybersecurity
https://www.bedelsecurity.com/blog/the-3-key-roles-in-cybersecurity 

Ensuring Independence in Your Virtual CISO
https://www.bedelsecurity.com/blog/ensuring-independence-in-your-virtual-ciso

vCISO Questions and Answers 03: What does a vCISO do and what does a vCISO not do?
https://www.bedelsecurity.com/blog/what-does-a-vciso-do-and-what-does-a-vciso-not-do