Security Zone: Keep IT security separate

Roles, teams and even entire departments are often combined to streamline efficiency and reduce costs, but this is not always as straightforward as it seems, writes Chris Samuel, CISSP, an IT security consultant in the online gaming industry.

All too often, I see arrangements that just don't make sense. Usually it involves a small, specialist team being absorbed into a larger, more generic one, where the technology and skills are diluted and consequently the ability to deliver the optimum solution, or even a suitable one, suffers.

Let us consider security versus networking. From a non-technical, senior management view, the technology seems the same - sometimes it is even provided by the same supplier. Unfortunately, the similarities stop there. Networking is primarily concerned with availability and speed for the lowest cost and with fast provisioning; security should primarily offer protection and detection with precision and reliability. There are obvious conflicts.

If the person responsible for the combined team is not security savvy, the security gradually slips from best-of-breed applications expertly configured to provide robust and precise security, to technology provided by more general network suppliers configured with perhaps less understanding of the current security risks.

In the worst cases, the security technology simply gets an "upgrade" or refresh to actually become a generic appliance from a "blue-box" supplier, providing the essential functionality but lacking the specific functionality for which the original technology was selected years before. These products can be easier to maintain, which is a genuine necessity with a larger pool of administrators, but this can result in deskilling and sometimes lead to less suitable solutions to the day-to-day business requirements.

Businesses must be aware that regulatory standards such as PCI DSS demand that relatively sophisticated security technology must be present at different levels within a business, and they go on to specify that such systems must be operated and maintained by suitably skilled staff.

Financial savings

There can be benefits to even the most unlikely arrangement, and these usually involve financial savings, which is a major consideration for everyone right now. But there is a risk that many companies will not realise their long-term security is being sacrificed as a result of this kind of departmental change. There should ideally be a long-term strategy, but at the very least a conscious decision by the business.

I have seen multi-layer defences for large internet-facing environments reduced to security levels that would not be recommended for the average household, while the business usually remains blissfully unaware - until the next security event causes irreparable damage.

As threats continue to develop and the profile of security rises, most will eventually conclude that the two areas are very different, despite their similar roots. Managers must look beyond the surface similarity and recognise that security is essential and, at present, unique. At one time all IT roles, whether development, data entry or systems administration, were considered to be the same; now it is very difficult to find a business that has not recognised the separation. The same must be the case for security.