The Case for Cybersecurity Separation of Duties

Separation of duties (aka SoD) is nothing new. Since commerce began, business managers have recognized the sense in not giving one person too much power. It makes easy sense to us that the person who manages the payables is not the cheque signer. We clearly see the logic in not assigning conflicting responsibilities to the same person or group. For example, the entity that audits the processes is not the one managing those processes day to day. It makes perfect sense.

Separation of duties is a fundamental tenet of cybersecurity. SoD should be baked into the policies and procedures of your organization so that they spell out which IT tasks should be separated and who will complete them. However, to truly ascertain whether you are compliant, we need to take a step back. We need to look not just at procedures, but at your org chart. Do you see IT and cybersecurity in two separate groups? If not, then you have a problem. Yes, they may sound like they should be two peas in the same pod, but not so. IT support/management and IT security must be different departments with different resources.

Enterprise-level organizations are on board with this and have been for some time. Even smaller organizations with IT departments are recognizing the rationale for hiring specialized cybersecurity talent outside of their IT group. However, one group that has been slow to adapt is Managed Service Providers (MSPs).

It’s not hard to understand why. They are a business and want to maximize the dollar spend at each client, so they strive to get the IT services AND the cybersecurity services too. To be fair, some MSPs do have separate resources to deal with security, and this is good. Not as good as a third-party consultation, but better than nothing. Many, however, even if they tout themselves as offering IT security services, are really using the same resources that do the IT support... and this is not good.

Here are 5 excellent reasons why your IT team and your cybersecurity team should be different.

#1 - Conflict in Goals – IT is all about creating value. Your IT team is optimizing and innovating to deliver faster, better, simpler technology. They are tasked with enabling teams to work more productively, to drive more leads, to make more sales and to provide the analytics to repeat.

Cybersecurity, on the other hand, protects that value. It seems subtle… creating value vs. defending it. However, the contrast is stark. Cybersecurity is risk management. Risk management is not a peer to IT; rather, IT reports to risk management. It's the way it must be.

IT Says: Let’s do it faster. Let’s make it easier. Let’s make it cheaper.

Cybersecurity Says: Let’s double-check that. Let’s control that. Let’s monitor that.

Two different worlds. Cybersecurity and IT are two parallel train tracks and like the trains that run on those tracks, they should never cross to the other track.

#2 - Day-to-day Issues – The simple fact is that IT gets bogged down in day-to-day issues and projects, and security is what gets pushed to the back burner. Help desks are driven by metrics. How many issues were resolved? How long did it take? How many are left over from yesterday? And when there are just not enough hours in the day… well, there’s always tomorrow to harden security. Until one day tomorrow means walking into a company-wide ransomware attack. We cannot be complacent with IT security, and your cybersecurity resources should not be dealing with ordinary support issues.

Help Desk Dashboard

#3 - Convenience over Security – Anyone in IT will tell you that convenience and IT security are diametrically opposed. They sit on opposite sides of the scale, and it is a challenge to balance those scales with your goal of being secure on one side and resolute power users on the other. Without checks and balances from a higher authority, IT will often opt for the more convenient resolution to an issue (especially when there are 28 more issues queued behind it). They mean well and the user is happy, but in the long run it is a dangerous disservice.

With planned policy, a documented change management process and third-party oversight, IT support can operate safely within the agreed-upon standards.

#4 - Superior Knowledge – The IT team is very smart, well-trained and experienced in IT, but to serve effectively in cybersecurity you must be up to date with the vulnerabilities, risks, techniques and solutions in cybersecurity. A person or group tasked specifically with this will be better able to keep up in this fast-moving sector.

#5 - Accountability – Accountability is especially important in the MSP space. Which of their staff have access to your systems? What management tools are they using? Are their passwords complex and protected with at least two factors of authentication? What happens when one of their staff leaves? These are just a few of the integral questions that business management needs answers to. The recent trend of MSPs getting hacked, giving the bad guys easy access to their entire client base, is proof that these conversations must happen. A higher level of accountability is what is needed to bring these discussions to the table and decide whether the answers are sufficient.

If your organization has an IT team that includes cybersecurity functions, discuss bringing a cybersecurity specialist onto your team to address the deficits we have highlighted here. Alternatively, hire a third-party consultant to provide that review and oversight.

If your organization uses an MSP, consider getting a second opinion on how they are doing at keeping you secure and how they speak to the challenges that we have reviewed here.

The segregation of the IT and security functions in an organization is critical to staying safe in the highly complex technical world in which we live. Stay safe and don't let the bad guys in.

Ethix IT Security/Support is an IT security company. The challenges we highlighted here are the reason Ethix IT came about, and why we choose to offer only IT security services. Ethix IT is not a managed service provider. When we do provide IT support services, it is through one of our trusted partners who fully subscribe to our finely-tuned security playbook. This also allows us to provide security consultation and second opinions to organizations who already have an MSP and are happy with them. Reach out to Ethix IT if you are ready to sleep tight knowing you are getting the best possible cybersecurity services.