I hear all too often from business leaders who think their IT Support team and their Security team are synonymous. They just assume that Support addresses all of their security needs by default. After all, the IT Support gang has been managing the anti-virus software, so they must be doing everything else related to security. Although it was never discussed, the same logic dictates that if they are “handling security,” IT Support is fulfilling any compliance requirements as well.
Not so fast!
That logic is the same as thinking that the person paying your monthly bills is also setting your finance strategy and filing your annual corporate tax returns and shareholders’ report. I suspect not. While both of those roles involve finance, they each require very different skill sets to accomplish their ends. It’s the same for IT. While both are technology-focused and overlap in places, each has significantly different foci, tools, and processes.
Firms should not “tack on” security responsibilities to their IT support person. Of course, IT support should play a role in your security, but organizations need someone dedicated to and focusing solely upon security at every level.
What’s the BIG Difference between IT Support and IT Security?
All companies should have some sort of IT Support function. If technology is core to your business, you might need a higher level of support. Whether an internal user takes on the responsibility or it is outsourced to a 3rd party, you can be assured that your IT is functioning as it should.
Support generally covers areas like:
- Helpdesk and end-user support
- Monitoring the network for performance and uptime
- Setting up servers and networks
- Strategic guidance
- Managing 3rd party vendors (ERP, internet provider, telco, etc.)
If you need help setting up a new laptop or working in Excel, you can turn to an expert in IT Support. If you’re unclear about the ramifications of a new business initiative, you can have Support get involved to help clarify strategic choices so you can make more sound investments.
Never assume that your Support is either equipped to or already handling security concerns by default. They most likely are not.
Security focuses on risk management. It is concerned with identifying your areas of risk, adding protections, implementing systems for detecting hackers, alerting the business to respond to a breach to stop it, and if the inevitable happens, recovering from the breach. Its purpose is to keep people productive, your enterprise running, and your data safe.
Security generally covers areas like:
- NIST Cyber Security Framework – Identify, Protect, Detect, Respond, and Recover
- Managing backups
- Managing updates and patching
- Implementing and managing anti-virus, anti-spam, anti-malware, anti-ransomware, and similar protective tools
- Penetration Testing
- Endpoint Detection and Response
- Dark Web monitoring
- User security testing and training
- Multi-factor authentication
- SIEM (Security Information & Event Management)
- Vulnerability Monitoring and Alerting
Each of these items involves distinct technology systems and technical expertise beyond traditional IT Support knowledge.
Together with the business, Security addresses questions like:
- Have you identified the cyber risk to your business?
- Do you know the protection layers available, implemented, and hardening your systems?
- If you had a breach, how would you detect it in time to respond?
- Do you know what the plan would be to respond to and stop it?
- Are you aware of the actions you would need to take to recover from a breach and its financial and reputational damage?
The business must own security and drive it. Ultimately, it is business leadership’s primary responsibility to engage the IT team about security—not the other way around. As I said, your IT support team should definitely be involved with your security. IT is there to inform, guide, share best practices, implement, and manage. If IT Support is not fully engaged with Security, both areas miss the opportunity to contribute to their fullest extent in protecting the organization.
Never assume that IT is addressing your security needs. Get in front of them and ask the hard questions.