The relationship between IT and IT security isn’t always the most cordial. The leaders don’t always see eye-to-eye, and that hostility tends to filter down through both teams. It doesn’t help that the CISO, a relatively recent role, has rapidly grown into a business leader whose views sometimes carry as much weight as the CIO’s.
Yet these two functions sit at the heart of business success, and their importance grows as work becomes ever more tech-dependent. The COVID-19 pandemic accelerated that dependency by forcing organizations into remote work. There has never been a better time for IT security and IT to work together to secure the organization’s future.
First, let’s see what might cause conflict between these departments. Then, we’ll explore why it’s crucial to create a better relationship between them.
IT and IT Security: Head to Head
Separating IT from IT security is good practice, and a basic form of separation of duties. IT staff handle routine administration and operations. IT security handles risk management and compliance, including checking IT’s work. The roles are different and deliberately kept separate, yet both exist to keep company systems running smoothly. As each department tries to execute its role, conflict often arises.
Suppose IT wants to roll out smartphones for some workers. IT security will weigh the risks that come with mobile devices, such as lost or stolen handsets and unmanaged apps, and may oppose the rollout or attach conditions to it. That alone can cause friction. The two teams also report to different unit heads: the CIO or CTO for IT and the CISO for IT security. Separate chains of command can exacerbate the conflict.
When a clash occurs, office politics and soft power determine the resolution path. In that case, the end result isn’t always in the organization’s best interest. These negative consequences are why you need the two teams to be on good terms.
The Importance of a Good IT-IT Security Relationship
Even if the teams work to create a smooth working relationship, conflicts will still happen.
Picture this: Senior management is pushing hard for IT to deploy a new application. Under pressure, the IT staff may consider skipping some risk mitigation requirements. IT security then has to reinforce those requirements. Whichever way the clash goes, the organization loses. At best it will:
- Create process inefficiencies
At worst it will:
- Grind the project to a halt
Neither outcome is ideal, and both are hard to recover from. That said, the teams can fulfill their responsibilities and still maintain a productive relationship. Let’s discuss some best practices to reduce friction.
4 Ways to Improve IT Team Relationships
Conflicts between IT and IT security don’t have to be unmanageable, and clashes don’t have to create rifts. Deliberate, well-thought-out actions can improve the relationship. Here are 4 things your organization can do to get things going:
1. Dismantle the Retrogressive Culture
The problematic relationship between IT security and IT usually comes down to a negative culture that has taken root over the years. For example, IT security may have delayed a project while testing it for policy compliance. IT may have skipped a required control, opening the door to an attack. Anecdotes like these foster lasting bad blood between the two units, and years of accumulated slights do nothing for teamwork and collegiality.
Tackling this harmful culture head-on is where it should all begin. Make sure the teams don’t see each other as ‘the other’. Rather, help them realize they’re indispensable partners. Show them they’re both critical for the organization’s success. It’s not a competition or winner-take-all. In fact, the two can thrive and succeed simultaneously.
This change starts at the top. CIOs and CISOs have to treat their teams as two halves of one function, not as distinct, rival units. Organize joint workshops and team-building events to break down the walls between the two teams. Creating clear channels for resolution and escalation is also key, so that disagreements are settled on the merits rather than by office politics.
2. Implement Collaboration and Communication from the Start
Each department routinely feels that issues are sprung on it without warning, and that is a key source of conflict. Imagine these 2 situations:
- IT has been working on a project for weeks, and the CISO just got a memo to check compliance
- The CISO stops a project for IT to address security concerns
In either instance, one side feels unnecessarily inconvenienced.
Early project collaboration and communication matter because they build mutual respect and a partnership mindset. Both teams feel vested in the project and understand that they rise or fall together. This approach is also consistent with the DevSecOps mindset taking root in many organizations: security is no longer confined to the project’s final phase but woven into every phase.
Involving IT security early also reduces the risk of disruptive, late-stage security changes, which are far more expensive to make once a design has been built and deployed.
3. Choose a Suitable Reporting Structure
It’s a common misconception that having the CIO and CISO both report to the CEO automatically reduces friction. While this has worked for some organizations, no two are the same, and what works for one may not apply to another. Your organization’s industry and regulatory environment should drive the choice.
The CISO can report to the CIO if the CIO has a deep appreciation of technology risk reduction, though this puts the function being assessed in charge of its assessor. In heavily regulated industries, like healthcare, the CISO may instead report to the General Counsel. Ultimately, focus on the outcome and choose the structure that best reduces risk.
4. Have the CISO Report to the CEO or Board When in Doubt
In the organizational hierarchy, the CIO holds the higher-profile position and is arguably the more established role. When people talk about the C-suite, they often refer to the CEO, COO, CFO, and CIO. Some organizations also have a CSO where security is critical to everyday operations.
While the CISO is also the ‘chief’ of their unit, they don’t carry the same weight as the CIO. That means their views may get brushed aside in favor of the CIO’s input, which is seen as more strategic. Yet sidelining the CISO’s views only works against the organization in the long term.
That’s why, when in doubt, it’s best for the CISO to report to the board or the CEO. That gives the security function a voice that cannot simply be overruled by the CIO and dismantles some of the power dynamics that disadvantage IT security teams.
Helping the Organization through Collaboration
Both functions play a crucial role in every enterprise activity. That’s why a healthy partnership between IT and IT security has many tangible benefits. Take a look at these 6 upsides:
- Better, well-rounded decisions
- Better cost management and return on investment. Prolonged conflict is expensive
- Better protection of data and applications
- Healthy employee retention. Endless conflict creates a toxic work environment
- Less time spent on conflict means more time devoted to productive activity
- Punctual project management. Work gets done on schedule instead of being blocked late by security findings
To be fair, the conflict between IT security and IT isn’t unique. You see it whenever risk management functions interact with other departments. People working in internal audit, compliance, risk management, and legal all encounter pushback because they insist on adherence to company procedures, industry standards, and market regulations.
IT staff often see the risk management functions as obstructive, because they block any process or project that doesn’t strictly follow procedure. For their part, risk management teams see the other departments as reckless and fixated on short-term gain. Of course, neither caricature is an accurate picture of the other party.
The good news is that it’s not all doom and gloom. You can build a balanced relationship that prioritizes the strategic, enterprise-wide interest, provided you lay down a deliberate, well-thought-out plan to foster harmony. Then IT security and IT can finally bat for the same team. The relationship will never be completely free of conflict, but it’s one thing to disagree on debatable issues and quite another when the conflict runs deeper.
Why do organizations need an IT security department?
An IT security department is a risk management function that oversees IT systems and processes. It has to ensure projects comply with a range of requirements: technology and data regulations, industry standards, and internal policies and procedures. The role is necessary because the IT department can’t objectively assess its own work for non-compliance; an independent reviewer is a basic separation-of-duties control. A positive working relationship between IT and IT security is vital.
What is the difference between a CIO and CTO?
CIO (Chief Information Officer) and CTO (Chief Technology Officer) are often used interchangeably. Both describe the senior-most person in charge of the organization’s technology systems. Some organizations have both a CIO and a CTO reporting to the CEO. In that case, the CTO is usually the more technically inclined role, while the CIO leans more toward strategy.
What is DevSecOps?
DevSecOps is an evolution of DevOps. The name stands for Development, Security, and Operations. It’s a philosophy that grew out of Agile and DevOps practices, and it embeds security considerations in every phase of the software development process rather than bolting them on at the end.
What is the role of a General Counsel?
The General Counsel is also referred to as the chief legal officer or the chief counsel. The General Counsel is the senior-most executive in charge of legal matters in an organization and the principal in-house advisor on law, regulation, and ethics. They usually have a broad knowledge of the business as well, which gives them strong business insight backed by legal expertise.
What is employee retention?
Employee retention is an organization’s ability to keep its employees, so that they choose not to pursue job prospects elsewhere. It involves motivational strategies to improve employees’ engagement and focus, along with good compensation and additional perks. All in all, it increases an organization’s productivity and reduces employee turnover.