Customize Consent Preferences

We use cookies to help you navigate efficiently and perform certain functions. You will find detailed information about all cookies under each consent category below.

The cookies that are categorized as "Necessary" are stored on your browser as they are essential for enabling the basic functionalities of the site. ... 

Always Active

Necessary cookies are required to enable the basic features of this site, such as providing secure log-in or adjusting your consent preferences. These cookies do not store any personally identifiable data.

Functional cookies help perform certain functionalities like sharing the content of the website on social media platforms, collecting feedback, and other third-party features.

Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics such as the number of visitors, bounce rate, traffic source, etc.

Performance cookies are used to understand and analyze the key performance indexes of the website which helps in delivering a better user experience for the visitors.

Advertisement cookies are used to provide visitors with customized advertisements based on the pages you visited previously and to analyze the effectiveness of the ad campaigns.

833-847-3280
Schedule a Call

Cyber Security and IT: Separate Them

Small and mid-size companies frequently ask how to organize their cyber security assets and responsibilities to best protect their companies. This is more a question of function than of form, and it requires companies to challenge some assumptions about their IT departments as well as the perceptions of cyber security reports.
The immediate action taken by most corporate management teams is to make cyber security the responsibility of the IT shop. It seems a natural fit to place a highly technical and complex function under the direction of the IT Director or CIO.

But the real reason for this decision is that most corporate management teams have a minimal understanding of cyber security, nor dedicate the time it takes to learn it. This is a poorly designed organizational structure that can impede the flow of critical information to the C Suite due to conflictive responsibilities.

There are two key perceptions that need to be addressed. One, a report on cyber security gaps and vulnerabilities (not to mention a breach) is seen by the C-Suite as a damning display of improper planning and a larger threat to the existence of their business. Two, the same report on the cyber security status of an IT architecture is deemed pejorative by Senior IT personnel and seen as a threat to their position due to the exposure of cyber security gaps. This leads to dilution, or even non-disclosure, of key cyber security findings to the C Suite.

Both these perceptions are weak, yet extraordinarily ingrained in corporate management. The C-Suite should understand that most, if not all, IT systems that are connected to the internet are going to have some vulnerabilities and gaps due to flaws in software and applications, not just architecture. They also need to understand that there is a good possibility that they will be, or are, breached, and they need to better prepare to respond to that breach. In most cases, this is not the fault of IT management. Rather, an analysis of their system such as a vulnerability scan or a penetration test offers a chance for the IT director to open the discussion with the C-Suite on the appropriate measures, to include budget, technology, managed services, training etc, required to better prepare the company for a breach response. They should not “white wash” or minimize the results of a report or scan.

The solution: corporate C-Suites should become educated on cyber security threats and shift focus from defense to now identification and response in reaction to a breach. They should not have the unreasonable expectation that technology and training can protect themselves 100% — staff should be required to prepare both a disaster response and crisis response plan. Finally, separate cyber security and IT, placing cyber security either under another C-Suite position due to its criticality or have it report to security where the conflict between reporting cyber security issues and their impact on the IT department does not impede the flow of critical information. These steps will go far in ensuring that cyber security remains a priority and does its job in keeping the C-Suite informed.

Latest Posts

A transparent image used for creating empty spaces in columns
 With the release of PCI DSS 4.0, penetration testing requirements have evolved to enforce a layered approach to security. This update ensures that organizations assess vulnerabilities at both the network and application layers, creating a more comprehensive security posture to protect payment card data.…
A transparent image used for creating empty spaces in columns
Web applications are at the core of digital business operations, making them a prime target for cybercriminals. A successful attack on a vulnerable web application can lead to data breaches, financial losses, reputational damage, and compliance violations. To safeguard against these risks, organizations must conduct…
A transparent image used for creating empty spaces in columns
   With the release of PCI DSS 4.0, penetration testing requirements have become more rigorous. The scope has expanded to ensure comprehensive security coverage within the Cardholder Data Environment (CDE) and beyond. The enhanced scope now mandates deeper assessments, covering not just the primary…
A transparent image used for creating empty spaces in columns
Conducting internal penetration tests can be challenging for organizations with multiple locations. Unlike a single-site business, a multi-location enterprise faces a broader attack surface, diverse network configurations, and varying security postures. A well-structured penetration testing strategy is crucial to systematically evaluate security across all locations…
A transparent image used for creating empty spaces in columns
The Payment Card Industry Data Security Standard (PCI DSS) is evolving with the release of PCI DSS 4.0, introducing a stronger focus on penetration testing as part of a proactive cybersecurity strategy. Historically, penetration testing has been seen as a once-a-year compliance requirement, but with…
A transparent image used for creating empty spaces in columns
As cyber threats become more sophisticated, penetration testing has emerged as a critical security measure for businesses of all sizes. However, one of the most common questions organizations ask is: “How much does a penetration test cost?” The answer is not straightforward, as the cost…
contact

Our Team

Name(Required)
This field is for validation purposes and should be left unchanged.
On Load
Where? .serviceMM
What? Mega Menu: Services