Corporate IT, Security Teams Need to Put Aside Mutual Distrust

NEWS ANALYSIS: For years a major threat to enterprises large and small has been a gap between the IT department and the security team, which frequently competed for influence and funding.

AUSTIN, Texas—The tales of a fundamental disconnect between the IT staff in many companies and the security staff in those same companies abound.

Those tales are based in fact as the IT department tries to meet the needs of the employees in a company, while the security staff tries to make sure everything stays secure. The result from the viewpoint of the IT staff is that the security specialists are trying to keep them from getting their work done.

The viewpoint from the security team, of course, is that the IT staff is a basket of incorrigibles in terms of risky behavior. Fortunately, this disconnect appears to be changing. I first realized this while walking around the exhibit floor of SpiceWorld here where I noticed a significant increase in security vendors at what is really an IT trade show and conference. A check with the organizers confirmed my opinion that the presence of security had gone up at this particular show.

So I wondered if this was an indication that the traditional gap between IT and security was changing. I spoke with security consultant and author Andy Malone, who had traveled from the UK to discuss security issues with IT people. Malone said that he's observed the same thing.

One of the primary causes of the gap between IT and security is a lack of trust, Malone said. Each group saw the other as standing in the way of doing their jobs and, in many companies, as competing for resources and influence.

The resulting lack of cooperation prevented companies from creating and maintaining secure networks. Worse, in some companies, a division was created by senior executives who either fostered competition between departments or in some cases didn't understand one side or the other, or perhaps both.

"Trust is hugely important," Malone said. "The stumbling block is often upper management." He added that each group actually knows what needs to be done to build a properly functioning, secure enterprise but that they don't get the support they need. Worse, training in secure computing for employees is frequently never done because of a lack of interest and resources.

But now that's apparently changing. "Technology is like the Wild West," Malone said. "People moved in with their new stuff. The bad guys are right behind them. Next comes the sheriff." It's the sheriff that helps restore order and security, both in the Wild West and in the wild world of IT. That sheriff takes the form of the security staff.

The problem is that the security staff needs to have the cooperation of the IT staff if they're to be effective. After I talked to Malone, I talked to the folks staffing the booths of the security companies at the SpiceWorld show, and I asked them what they were seeing in terms of cooperation between two functions that should be related.

Wayne Rash

Wayne Rash is a freelance writer and editor with a 35-year history covering technology. He’s a frequent speaker on business, technology issues and enterprise computing. He covers Washington and...