Although cybersecurity, data security, information technology, and system administration fall under the same umbrella, there is a stark contrast between securing data and managing it.
The main focus, career experience and skill sets brought by each of these professionals are different yet they still work together to build secure and reliable digital assets. Entrusting IT staff to secure data properly is like asking your CPA to audit their own work. Mistakes can happen and often get overlooked, and it’s unlikely that they will be properly reported. Any errors could cost small businesses millions in legal fees, forensics, brand reputation damage, and customer settlements from a data breach.
Before getting into the potential issues from conflating IT and InfoSec, it’s important first to understand the difference between the two professionals and their respective responsibilities. It’s not uncommon for small business owners to think that an IT staff person, good at system administration is also educated and experienced with InfoSec. Many system administrators are unfamiliar with the cybersecurity landscape, the threats that could turn into serious compromise, and the standards and best practices to protect from these risks, which is why data breaches and cyberattacks continue to plague SMBs and cost them millions in damages.
When small business (SMB) owners reference anything under the IT umbrella, they typically think of system administrators, network and server administration, and any staff member who keeps digital assets available and running smoothly. These staff members are critical to the everyday operations of digital resources and network communication. They ensure that users can stay productive and have access to network resources critical to their job functions.
Cybersecurity and IT professionals have a very different responsibility.
The security of data and the resources that store it are an InfoSec professional’s primary concern. IT staff unfamiliar with cyber-criminals’ behavior and habits are incapable of identifying threats and could potentially add unknown risks to an organization. InfoSec staff also help monitor digital assets to quickly detect an ongoing attack and contain it in the shortest timeframe and most efficient way possible.
The underground cyber-criminal landscape is always evolving, with attackers finding new ways to scan and exploit vulnerabilities. InfoSec professionals must stay up-to-date with the latest threats and vulnerabilities, and then alert IT staff about the necessity to schedule an update to patch the vulnerable system. This responsibility will save organizations millions from falling victim to unknown threats, and many IT staff do not have the resources to stay familiar with the newest threat actors.
InfoSec works directly with administrators to keep systems protected from the latest threats often publicized in advisories available to businesses and hackers. Although both InfoSec and IT staff have different functions, they still must work together to provide services to a business. Their job functions fall under the same umbrella, so both departments have overlapping responsibilities. For
instance, an InfoSec staff member auditing network infrastructure might find that the network is not properly segmented to protect the billing department data in-motion from other departments located on the same network segment.
InfoSec staff would work directly with system administrators to design additional firewall infrastructure to ensure limited downtime and a smooth transition to new network architecture for all users and connected applications.
Network administrators and IT staff responsible for building a secure environment can also be overworked when they have limited knowledge of Information Security. This issue leads to mistakes, including misconfigurations, missed unpatched vulnerable resources, privilege accumulation and
escalation, and unnoticed ongoing attacks from malware and phished stolen credentials.
Essentially, cybersecurity and data protection is a full-time job that should have a professional’s focus instead of leaving it as an additional workload for an already full-time employee.
