Security challenge: Wearing multiple hats in IT

Are you taking on multiple job responsibilities at your company, including some aspects of information security? If so, you’re not alone. At many organizations, IT professionals are being asked to handle a variety of security tasks and functions. For them, wearing multiple hats can create both opportunities and stress.

In a recent online survey of 287 IT and business professionals conducted by CSO, CIO and Computerworld, a majority of respondents (54 percent) said the IT department handles information security at their organization.

In contrast, only 17 percent said that a dedicated group handles information security. An additional 14 percent said information security is handled by a mixed team that includes IT and infosec workers, and 6 percent said their organization has a dedicated security team that includes infosec. That means only 37 percent of the respondents work at organizations with dedicated infosec professionals, which might explain why many organizations have a hard time keeping up with security.

People who wear multiple IT and security hats — or who oversee such workers — aren’t necessarily happy about the situation or what it means for their organizations’ security programs. But they’re finding ways to cope.

National FFA, an organization that promotes career success through agricultural education, has increased efforts to secure its systems and data considerably in recent years, says Joel Gibbons, National FFA’s director of IT and compliance.

Gibbons is responsible for all technology operations and development, as well as security for the 150-person organization. “My operations team includes a security lead who handles the daily security operations,” Gibbons says. “Specifically in the security area, I handle mostly communications, training, policy and strategy.”

Security has always been important to National FFA, “but the visibility of security efforts has changed, in part due to the large data breaches that have [made] headlines over the past two years,” Gibbons says. “In the past, a CEO could simply have faith in the efforts of security professionals in the company. Now, the CEO needs to know more to be able to answer specific questions about how we are securing whatever needs securing inside the organization’s perimeter.”

With Gibbons and his team of 14 handling multiple aspects of both IT and security, ensuring that data is safe can be a struggle.

“Security is a full-time job, and then some,” Gibbons says. “In a small organization, I can’t always afford to let my security folks focus solely on security. There are always other things they need to do. That can have a negative impact on security. Or, it can have a negative impact on any other things they aren’t doing because security efforts take so much of their time. It’s a daily balancing act.”

To address this challenge, National FFA uses tools that automate mundane security activities to take some of the burden off of the IT team’s security specialists.

“We utilize external partners to help augment, but not replace, our in-house security expertise,” Gibbons says. “We know that we are never secure enough. We have to continue to improve. We also know that we will probably not be 100 percent successful.”

Given that reality, the organization has contingency plans in place for dealing with incidents when they occur. “It’s only a matter of time before someone finds an access point that we’ve missed,” Gibbons says. “That’s just the nature of the game these days.”

Also juggling multiple roles is the director of IT at a midsize financial services firm based in the New York metro area, who manages cybersecurity in addition to all of the daily functions of the technology department, including the help desk, desktop support, engineering and development.

The director, who asked that his name and company not be identified, says his responsibilities have increased considerably “as the outside technology landscape has evolved over the last five years.” The role, he adds, has morphed “from a traditional CIO position into an all-encompassing CIO/CSO management role, where the need to stay ahead of what is occurring in the technology/cybersecurity space is required.”

One of the challenges is maintaining tight security “in a world where end users expect the same level of accessibility that they enjoy at home,” the director says. “End users do not fully comprehend the need for restrictions to their office internet access. The most difficult challenge is cybersecurity awareness and training, instructing end users to think before they click and changing the mindset.”

Executives at the 140-person financial services firm are aware of the threats posed by nefarious actors, “and we agree that it is best to remain more secure and ensure business operability than to become the next firm on a list of compromised or breached companies,” he says. “Our firm employs the concept of erring on [the side of being] more secure with limited third-party accessibility to the extent that is practicable.”

As a result, the firm limits access to any non-business-related sites or services — including all third-party email, cloud storage and video streaming services.

Still, it has been a struggle for the IT director to fulfill his expanded responsibilities with his team of four IT workers. “We are now being asked to be the gatekeepers of all technology, not only ensuring we are keeping the lights on, but now also policing the entire organization — from firewall perimeter to inbound and outbound persistent threat management,” he says. “I have had to learn the dark side of the web with regard to security in order to understand how to protect our assets from persistent external threats and end user fallibility.”

At Green Clinic Health System (GCHS), a physician-owned healthcare system in northern Louisiana, Jason Thomas serves as CIO, director of IT and HIPAA security officer, meaning he ensures that GCHS complies with the terms of the Health Insurance Portability and Accountability Act. With four full-timers and one part-time staffer, his department handles all aspects of IT and telecommunications for the system’s five facilities, and also serves as the internal cybersecurity department for the 450-person organization.

“I often joke that if it plugs into the wall, it falls under my purview,” Thomas says. “But that’s less of a joke and more of a friendly way of telling people which department to call first.”

This wide-ranging role does provide some benefits from a security standpoint. “Since I lead the IT department as well in my capacity as IT director, I have the day-to-day visibility into operations and challenges that allows me to bring concerns regarding organizational operations and security directly to upper management, and guide or develop the necessary tools, policies and procedures to address any issues or needs,” Thomas says.

One example of how the combined IT/security role proved to be a benefit was in the deployment of an electronic health records system several years ago. “With that implementation came a serious review and rework of our technical policies and capabilities to support secure electronic access to records,” Thomas says.

But that doesn’t mean there aren’t significant challenges, and one of the most recent has been around the acquisition of new medical practices. “Sometimes there are political challenges I have to confront as CIO, such as trying to explain to a physician why he or she can’t continue to do something the way they used to do it when they were a stand-alone practice,” Thomas says.

At other times, there are technical issues such as those that arise with the potential reuse of existing workstations and the associated tasks of auditing current configurations to ensure they are free of malware and capable of supporting security policies and software.

Good communication is key to meeting the challenges. “We have weekly management meetings to discuss current issues around the organization,” Thomas says, “and many times security issues are brought up and plans are formed to resolve those issues.”

Related video: 3 things you need to know now