Where does security fit in bi-modal IT departments?

When restructuring an IT department, the recent trend has been to look at possibly breaking it into two factions: one group that handles the daily tasks by putting out fires, and one that looks ahead in trying to create a new landscape that is immune to those fires.

The bi-modal idea has its benefits and its pitfalls, but the determination seems to come down to the size of the enterprise. Small and midsize companies do not have the luxury of splitting the security group out into subgroups. In the bigger companies, the question becomes where the security folks belong.

Dale Denham, CIO of Geiger, a company in the promotional products industry, believes security should sit in operations. An innovation team is focused on functionality, but an operations team would focus on making sure everything is secure, he said.

The Lewiston, Maine, company has a 25-member IT department that supports 750 workers (400 of whom are independent contractors). While acknowledging that mixing operations and innovation within a single team has its own set of challenges, he says he believes a bimodal IT department could easily develop a “throw it over the wall mentality” – that is, once the innovation team is done, it just tosses the completed project to operations without adequate transition and concern moving forward.

“There is the challenge of when you pass that over. You have to transfer a lot of knowledge, and that’s hugely inefficient and then if you want to upgrade that project, where does that update [get tasked]?” he says, noting his shop is “a big continuous improvement shop. We’re constantly making tweaks: Is that operational or innovation? If you were set up in two shops, who gets that?”

Denham says on his team nearly everybody does both operations and innovation. He says a handful of help desk folks and networking staff are straight operations, although they do help support innovation by, for example, spinning up a server when needed.

But overall, he explains, “when we launch new projects and new tools, the same people who support old tools are creating the plans and executing the plans for the new tools and then support them when they move to operations.”

Denham says the main challenge in this setup is keeping projects on track. “Your project planning is put at risk because you never know what the operational needs will come up,” he says, noting that a large firm might not be as comfortable with that risk as a small firm such as his. He says when he anticipates that his team members might be pulled away from projects, he builds that into a project’s timeline but it’s impossible to know how much time to build in.

That’s a big benefit, he says. The team members who are delivering innovation know they’ll handle it operationally, too. “You don’t lose the brain drain, you don’t lose out on the knowledge piece when a project transfers from innovation to operations,” he adds.

Security is everywhere

Robert Quarterman, vice president of Infrastructure Architecture and Technical Services at Service Benefit Plan Administrative Services Corp., is wrestling with how to bifurcate his IT team of 360 IT employees and 90 contractors.

With regard to the security task, he says, “security is moving at a pace that’s outpacing even agile at this point based on the cyber threats that are quickly emerging.” As a result, security has become a foundational function, “so security is embedded in every aspect of our lifecycle from the beginning, so we design our solutions for performance and security and functionality and that’s the only way we’re going to be successful with it.”

“That’s the way we’re approaching it, security is everywhere,” Quarterman says, noting that security people will be embedded in projects.

He says operations “is really about running the business, so once innovation is done, it becomes operationalized.”

He says that side of the house “operates at a different speed. They have different priorities, and different funding.” Funding for operations comes from the central IT department, he explains, whereas funding for innovation comes from business units – as does advocacy for individual projects.

Quarterman says the speed of technology advancements combined with the speed at which business wants to capitalize on them is pushing IT leaders like him to make the move. He says a split could also help improve talent management.

“We’re thinking about how to segregate them because we don’t have a clear distinction today so we lean on the same expertise in the organization to do the innovation but they’re still doing maintenance, too, so we end up with conflict on what gets priority,” he explains.

In other words, those on his team who are assigned innovative tasks are also expected to continue with their regular operations duties, he says. That means they’re sometimes pulled off an innovation project to handle an operational issue, which impacts IT’s ability to deliver projects as quickly as possible.

Brian A. Haugabrook, CIO of Valdosta State University in Valdosta, Ga., wants his employees to be creative and innovative at the same time. He doesn’t have plans to split his IT staff of 60 full-time workers and 40 part-time workers in two. He says he sees benefits in having people work on both innovation and operations.

That doesn’t mean that everyone is doing an equal split between the two tasks. The infrastructure team generally spends about 80% of its time on operations, for example. The same goes for the tech support team.

But they are still expected to focus part of their time on innovation, and Haugabrook says that yields real results. The infrastructure team, for example, is pushing innovative solutions using cloud technologies. The tech support team dropped its response time from two hours to under 15 minutes by looking at how successful police departments use data to enable rapid response to calls.

Keeping security centralized

Rob Meilen, vice president and CIO at Hunter Douglas North America in Broomfield, Colo., believes security is such an important part of the company that it cannot be broken out.

“It’s easier to maintain security when you’re more centralized. It sort of bakes into the way you do these processes when you’re centralized,” Meilen says.

He oversees an IT team of 120, supplemented by another 30 to 40 workers in outsourced or contract positions. Like other CIOs, Meilen says work often falls into one of two camps, with one focused on new technology-enabled business initiatives and the second focused on keeping everything up and running smoothly.
