Pilots and technicians
Why do IT administration and IT security have to be two different areas? In short, simply because they follow different approaches.
Imagine that IT administrators are the pilots who take off, land, and above all fly an airplane. So, they keep your company up and running. And of course they constantly carry out various checks.
In contrast, it is the task of IT security to challenge the functioning of the infrastructure and to carry out critical tests to do so. Sometimes they have to try to break things. IT security experts are, therefore, more like the technicians who X-ray the rivets during an aircraft's regular major inspections and check every part for its resilience. As you know, pilots who are not trained for this do not do it themselves. It is done deliberately by a separate and independent team of specialists.
So you can't really implement both in one department, even though the two benefit from each other and depend on each other. The one who implements and maintains a solution should not be the one who “objectively” confirms its security.
IT security: The reality is different
However, we regularly witness exactly this scenario, especially in medium-sized companies: the internal IT administrators or external IT service providers take care of IT security “on the side”. When they are busy with daily business, sick colleagues or projects, this almost always means that security no longer gets close attention. For example, patch management is neglected for lack of time. Network traffic is not analysed. And firewall updates are not applied promptly, or not at all.
Likewise, the server that caused an immense problem after the last update attempt is often no longer touched at all, sometimes for months or years, as long as the service or application on it keeps running without problems.
The saying “Never change a running system” has unfortunately also led administrators to behave surprisingly conservatively. And this of all places in an area that is constantly reinventing itself!
As you can see, what is missing here is a third party who regularly holds a mirror up to IT administration, occasionally puts a “finger on the weak spots”, and can also exert gentle pressure.
IT administration: Setting a fox to keep the chickens
With regard to data protection, the German legislator understood that the fox would be keeping the chickens if an IT administrator were also the company's data protection officer. And so they simply banned such a construct.
Exactly the same should apply to IT security in your company. Like data protection, it must be kept separate from IT administration. This can be either an external IT security team or an internal staff unit that reports only to management.
As with almost all fundamentally unpleasant topics, this means: shirking or ignoring it doesn't help. On the contrary: if you actively address IT security in your company, it will bring you to a higher level of security in a short time.
Yours sincerely,
Gordon Kirstein