Roles, teams and even entire departments are often combined to streamline efficiency and reduce costs, but this is not always as straightforward as it seems, writes Chris Samuel, CISSP, an IT security consultant in the online gaming industry.
All too often, I see arrangements that just don't make sense. Usually it involves a small, specialist team being absorbed into a larger, more generic one, where the technology and skills are diluted and consequently the ability to deliver the optimum solution, or even a suitable one, suffers.
Let us consider security versus networking. From a non-technical, senior management view, the technology seems the same - sometimes it is even provided by the same supplier. Unfortunately, the similarities stop there. Networking is primarily concerned with availability and speed for the lowest cost and with fast provisioning; security should primarily offer protection and detection with precision and reliability. There are obvious conflicts.
If the person responsible for the combined team is not security savvy, the security gradually slips from best-of-breed applications expertly configured to provide robust and precise security, to technology provided by more general network suppliers configured with perhaps less understanding of the current security risks.
In the worst cases, the security technology simply gets an "upgrade" or refresh to actually become a generic appliance from a "blue-box" supplier, providing the essential functionality but lacking the specific functionality for which the original technology was selected years before. These products can be easier to maintain, which is a genuine necessity with a larger pool of administrators, but this can result in deskilling and sometimes lead to less suitable solutions to the day-to-day business requirements.
Businesses must be aware that regulatory standards such as PCI DSS demand that relatively sophisticated security technology be present at different levels within a business, and go on to specify that such systems must be operated and maintained by suitably skilled staff.
Financial savings
There can be benefits to even the most unlikely arrangement, and these usually involve financial savings, which is a major consideration for everyone right now. But there is a risk that many companies will not realise their long-term security is being sacrificed as a result of this kind of departmental change. There should ideally be a long-term strategy, but at the very least a conscious decision by the business.
I have seen multi-layer defences for large internet-facing environments reduced to security levels that would not be recommended for the average household, while the business usually remains blissfully unaware - until the next security event causes irreparable damage.
As threats continue to develop and the profile of security rises, most will eventually conclude that the two areas are very different, despite their similar roots. Managers must look beyond this and recognise that security is essential and currently unique. At one time all IT roles, whether development, data entry or systems administration, were considered to be the same; now it is very difficult to find a business that has not recognised the separation. The same must be the case for security.