IT is NOT Cybersecurity

“Cybersecurity” is a buzz word nowadays. Most people seem to think of it as an emerging field with all the recent media coverage over ransomware and activist attacks. For many individuals, the past few years were the first time they’ve heard the words cyber and security used together. Unfortunately, it is most often lumped in as another responsibility for IT. This should not and is not the case.

IT and Cybersecurity should be thought of as two entirely different fields, much like police officers and firefighters. You wouldn’t expect a police officer to show up at a house fire alone, just like you wouldn’t expect a firefighter to show up at an armed robbery alone. Sure, both professions are there to help you out in a time of need, but their training is specific to their purpose. The same can be said about IT and Cybersecurity. There’s a lot of crossover between the two fields, but it’s two different battlefields in the same war.

Run the business

An IT professional’s daily activities consist of operations and optimization. In simplest terms, this boils down to building new pieces of infrastructure, configuring the necessary applications, and supporting them. It’s all about uptime. This is a gross simplification. Within IT, you’ll have your architects, engineers, and administrators. Depending on the size and complexity of an environment, this role may be performed by a single individual. It is not a reasonable expectation to have these professionals responsible for the cybersecurity of an organization.

Secure the business

A Cybersecurity professional’s daily activities consist of security and compliance for an organization. This spans far beyond IT’s infrastructure responsibilities. Security is a process that extends to an organization’s physical premises, vendors, audits, business continuity, and safeguarding of all proprietary and confidential data. It’s not just about the files that are stored on your servers, it’s also about the files that lie on a desk. It’s not about making sure your web server is accessible, it’s making sure it’s accessible to the right people. It’s not installing a spam filter for phishing emails, it’s about researching and communicating the social engineering threats specific to the organization. They create robust security policies and maintain the top existent vulnerabilities in the environment.

Case study – Incident Response

Let’s take a topic that overlaps both IT and Security: incident response. Imagine an organization without a Cybersecurity team that was just taken over by Ransomware. This Ransomware was hidden inside a PDF and distributed via a phishing email. This email looked like it came from the CEO, which caused enough pressure on an unknowing employee to open the file. All the PCs reboot, they come back online, and everyone is greeted with a message asking for money. In this scenario, the organization decides to restore from backups instead of paying the ransom, so IT communicates the downtime to everyone and begins restoring all the affected assets from backups. IT then investigates the email that was sent, and blacklist the sender accordingly via the spam filter or firewall. After that, it’s business as usual.

A dedicated Cybersecurity team will have a specific incident response plan for a cyberattack. It will specialize in identification of the threat severity, containment of the affected machines, and identification of specific data compromised. They know that a company that has been compromised once is likely to be compromised again. The cybercriminal may have left a back door, or gathered enough information to sell to someone else. Running forensics on both the affected and unaffected infrastructure is key. Uptime and optimization are not an indicator of an uncompromised infrastructure. The Cybersecurity team will continue their forensics of the attack even after the company is operating normally. The incident response is not over until there is a formally document “lessons-learned” ready to be delivered to the executives, as well as an updated incident response plan.

A company NEEDS both

The key takeaway here is not that one is more efficient or more educated than the other, it’s that both IT and Cybersecurity operate on entirely different wavelengths and incorporate important checks and balances with each other. They depend and rely on each other. Cybersecurity is not a new or emerging field. Malware was distributed back when the internet was nothing more than a few connected computers at a handful of universities. Today, there are two types of cyberattacks: sentient, and automated. An IT team might be able to prevent an organization from some automated attacks with some patches or a firewall. When it comes down to the communication, education, and defense of existing, trending, and new sentient cyberattacks, it’s a complicated beast that requires the proper skill set and experience to combat.