Information Technology and Information Security are not the same thing. In fact, they are often not even on the same organizational team, and frequently have conflicting objectives. In businesses large and small, whether your IT operations are all in-house or provided by a managed IT services provider, it is absolutely vital that there be a clear and constant flow of communication between IT Operations and Information Security.
IT Operations – Run the Business
The focus of IT Operations departments is to keep the IT machinery that business depends upon up and running, and getting as much processing per dollar of investment as possible. Their concerns and Service Level Agreement targets are generally around availability, transactions per hour and response times. A mantra that might be applicable is “pedal to the metal, open the flood gates and get the work through!” In many cases, security controls work at odds with these goals.
Information Security – Protect the Business
Information Security is primarily focused on protecting the company’s IT infrastructure and specifically the data being processed, stored and transmitted. Controlling who has access to systems, programs, networks and data is foundational to protecting those resources. Establishing controls to prevent cyber attacks, and executing procedures to search for and detect malware or other zero-day threats, can be seen as hindrances by an operations-focused team.
Formalized Communication – Defining Common Goals and Objectives
Beyond what may appear on the surface to be conflicting objectives, Information Security is important in today’s interconnected digital world. Few small businesses survive a data breach, with 60 percent being out of business within six months following a breach. Big businesses tend to have a higher survival rate, but the reputation damage from a breach can be huge. According to Allianz, a major insurance firm, the actual financial losses are negligible compared to the reputation loss. It is imperative that you have a documented security policy, which can then be translated into specific operational goals and objectives. This will drive changes to align with goals that will combine both long-term security and operational efficiency. This way IT Operations can incorporate secure practices into their deliverables and adjust performance goals as necessary.
This is particularly true when your IT Operations are outsourced to a managed IT services provider. While they will endeavor to know and understand your business to the level required to recommend services and then deliver to your needs, it will remain with you to truly understand what data you have and what the “crown jewels” of your business are. Having a documented Information Security policy that is reviewed routinely with your IT department or service provider will enable clear and continuous communication, ensuring alignment of both areas.
Where to start?
If you currently have no formal documented Information Security Policy, defining one should be a key objective for 2017. If you are working with a fully managed IT services provider like Intrinium, they can help guide you in development and implementation of a policy. But if your IT Operations are all in-house and you want to keep it that way, take a look at a publication from the National Institute of Standards and Technology (NIST). This publication was written specifically for SMB owners, and outlines a framework of six actionable domain areas that should be addressed in your policy. It also has cross references to various security and regulatory standards you may need to address. After all, nobody knows your business like you, and nobody cares to protect it as much as you!