
IT and cybersecurity in the company: roles and responsibilities

14 September 2020


Author

Redazione Axitea

Maurizio Tondi, Axitea’s Security Strategy Director, reflects on the incompatibility of roles between cyber security and IT in small and medium enterprises.

Very often, organizations – and small and medium-sized firms in particular – tend to entrust cybersecurity to those who already manage the company’s IT, whether it is an internal figure or an external consultant. It is a choice that may arise from economic considerations, from the convenience of having a single interlocutor, but also from a lack of awareness of security issues by company managers.

Cybersecurity is not only technology

For many people, cyber security is considered a purely technological aspect, and it is therefore delegated to those who already deal with technology issues at the company. But this is a mistake, as cybersecurity goes far beyond mere technology: it represents an element of potential integration on the one hand, but is also a separate practice from a liability and risk management standpoint, requiring specific skills and “separation of duty”.

We believe that security is a strategic and also very pragmatic aspect that affects the business of every organization, and, due to its specific characteristics, it should be managed by someone with an expertise in this area. For SMEs, just as for all other organizations, it is critical to define an IT security and data protection plan to defend against external and – increasingly – internal risks.

The importance of specialization

It is critical that the parties responsible for cybersecurity have specific skills in this area. If the size of the company allows it, there may be an internal information security manager, the so-called CISO (Chief Information Security Officer).

When the presence of this figure is not justified at organizational or business level, it is advisable to outsource it to a company specialized in security, which will be able to provide the client company with advanced skills, the right level of independence and a more evident “neutrality” in the interest of the business owner or the company management.

This is also supported by the highest industry standards that indicate this separation approach as a best practice (ISO27001:2013 and NIST CSF). It is also a question of skills: in smaller companies in particular, the persons in charge of IT have a general knowledge of the many systems that allow a company to operate.

However, cybersecurity in this respect is a world unto itself, requiring specific skills, continuous updating and a focus on “cyber threats” that an IT Manager is unlikely to achieve.

Conflict of interest

If a single role, person or supplier manages both IT and cybersecurity, an obvious and dangerous conflict of interest may arise, resulting in an overall increased risk and, in case of mismanagement, damage. There doesn’t have to be malice or bad faith: it is simply that the priorities of the IT that supports the business may be, and often are, different from those that should ensure data, system and employee protection and business continuity.

However, IT and security can, and indeed must, work together, especially because they are closely linked to the company’s business processes, even if considered from different standpoints. An effective security strategy certainly starts from correctly managing the IT infrastructure, but it is much more than that, because it also takes into account connectivity, individual systems and, above all, people and behavioral components.

An example of collaboration between IT and cybersecurity: patch management

Every day, cyber criminals generate new attack attempts, based on technology or on the exploitation of inappropriate user behavior, such as phishing. And every day, all organizations are targeted by attacks of various types, which exploit strictly cyber or human weaknesses.

The figures who deal with the IT infrastructure are responsible for updating computer systems with security patches, so as to correct any vulnerabilities in systems or programs.

It is fundamental that those who focus on cybersecurity (and are responsible for it) verify that this work is carried out continuously and punctually: only by separating the roles can we distinguish the controller from the controlled, and avoid a dangerous conflict of interest which, if present, could put the company in danger.
