In Information Technology, we commonly hear the mantra of “doing more with less.” That may sound great, and in some cases it can actually be beneficial. It obviously drives the requirement of streamlining performance and the simplification of processes. It can drive innovators to innovate and the attrition of unnecessary systems. The predominate reason for this philosophy is cost cutting.
My argument would generally be that IT should NOT simply be keeping the lights on, it should be adding value by creating competitive differentiators for the business. Being able to execute on that effectively SHOULD change the perspective of IT as it is viewed by the rest of the leadership team. One particular concern I have in regards to those businesses that continue aggressively down this path of cost cutting (or don’t proper initially fund) IT, is in regards to Cybersecurity.
In many cases smaller shops, or shops that don’t fully understand the risks, tend to place their technical team members into split roles. Maybe the view is that someone should be a part-time security person and a part-time network or system administrator. This introduces several concerns and I wanted to quickly share three that are top of mind.
Issue One — What do I do in my spare time?
While issue three (below) may be the primary concern for many, I actually think issue one is the most important. Even the very disciplined in joint roles are conflicted. In our world, there is no such thing as spare time. We prioritize what we do and what we are never going to have time to do.
Spare time may be better defined as when we don’t have a fire to put out. In that case, the person in the split role might look at the capacity planning for the network or perhaps the WAN link that is throwing a considerable amount of CRC errors. The security person might look at recently reported exploits and consider how they would’ve leveraged their tools to defend against them. Are there deficits that need to be filled?
IT is not just about keeping the lights on. IT is also about growing with the business and for the business. What this means is very different for those focused on systems and operations when compared to those focused on security. Even the most disciplined person in this split role will struggle to fairly allocate time and mindshare to these competing interests.
Issue Two — Is Security or Operations More Important?
We know security would ideally be seamless. The controls should not inhibit the required use of systems. While this sounds great, the two are very hard to reconcile in some cases. What if changing a cipher suite on an eCommerce site to protect visitors resulted in connectivity issues of 2%? What if that resulted in 2% loss of $1,000,000 a day? What if you are in roles responsible for both the operation and “security” of the systems?
Notice that I placed quotes around the word security here. The reason for doing so is that it is my position that this is a risk conversation, should be made in conjunction with the business and probably should not be the burden of anyone that would find themself in the role I’m describing here. However, many in this role have these types of conflicts.
Issue Three — Attribution and Responsibility
I’m willing to guess that this is the first, or one of the first, issues that come to the mind of many when they read the title of this article. For me it is less important because I think finger pointing is wrong and actually doing a job better is paramount.
If I am a leader who is ultimately responsible, I would want to make sure I can trust my employees to effectively do their jobs. If they don’t have the resources they need, I would expect that they raise those concerns. And I would expect that we work together to take a risk based approach to understand what the business can afford, accept, and expect.
From an employee perspective, I might be concerned with being a scapegoat for shortcomings in either of the roles. I would feel like I’m taking personal risk to save the cost of adequate staffing. Combining these roles on to a single individual is simply a challenge for them and a challenge for managers who have an expectation of excellence.
I have talked to individuals that go into these types of roles on a number of occasions. In every case, I have voiced my concerns around these conflicts and my concerns about their personal accountability. Specific to roles in IT security, it is imperative that we focus on securing the digital assets. I just don’t think it is a good idea to combine that responsibility with roles that could compromise, or appear to compromise, the holistic integrity of the individual’s work.
Do you have opinions on roles split between security and operational aspects of IT? Do you have an experience to share? Help others out by sharing your experience as comments below.
Disclaimer: This article includes the independent thoughts, opinions, commentary or technical detail of Paul Stewart. This
may or may does not reflect the position of past, present or future employers.