Information security is not information technology

Sep 14, 2017 | 5 min read
Data and Information Security | IT Leadership

What businesses can learn from the NSA/Cyber Command split.

Recent news coverage has been filled with talk of the split of U.S. Cyber Command from the National Security Agency. It’s a transition that makes sense. Cyber Command is focused on warfighting within the cyber domain while the NSA is focused on intelligence collection, and while the techniques are often the same, the objectives are extremely different. In fact they’re governed by two completely different laws.

Cyber Command falls under Title 10 of US code, which governs warfighting. Within the cyber domain this is termed Computer Network Attack, or CNA, and means hitting an adversary with the goal to disrupt, deny, degrade, or destroy information, computers, or networks. All of these activities are very likely to be noticed by the adversary. On the other hand, NSA is governed by Title 50, which covers covert intelligence collection — an activity which is only effective if it’s not noticed by the adversary.

The two activities are so different that it probably never would have made sense to combine them, except that there’s an overlap of the skill sets and the tools. So what lesson can businesses learn from this?

Security specialization

To anyone who has been involved in information security for the last few decades, this combination of unrelated objectives based on some overlap of skill sets and tools is all too familiar. This is why businesses combine their IT and Information Security functions. In fact, many business leaders wrongly view InfoSec as an IT specialization. It’s not. InfoSec is a security specialization.

This distinction becomes much clearer when we consider the similarities between IT and building maintenance. The focus of both jobs is to ensure that everything is working and available, whether that’s the HVAC or a network infrastructure. And there’s certainly some overlap with security. Availability is one of the three pillars of the security principle known as the CIA triad: Confidentiality, Integrity, Availability. Furthermore, building maintenance is often responsible for doors and locks, just as a company’s IT department is often responsible for maintaining firewalls and antivirus. However, applying security principles in someone’s area of focus doesn’t make them a security expert.

Security expertise requires a different view of the world. Some people are born with it. Bruce Schneier, the cryptographer, tells a great story that illustrates this: As a kid, Bruce bought an ant farm. It didn’t come with live ants; instead, it came with a blank card. To get the ants, one would fill out the card, send it to the company, and they would mail a tube of ants to your home. “My friend expressed surprise that you could get ants sent to you in the mail,” Bruce writes. But Bruce’s response illustrates the difference in a security perspective: “What’s really interesting is that these people will send a tube of live ants to anyone you tell them to.”

Security professionals are constantly, perhaps compulsively, looking for ways to make things work in unexpected ways. Not everyone who has this mindset is born with it, though. It can also be honed over years of focus on security. This is why we’re seeing so many former members of the military and Intelligence Community moving into careers within Information Security. (Disclosure: I’m a veteran of both the military and the intelligence community.) These are security professionals who are transitioning their security expertise to another domain: information. It’s one of the few security specializations that exist in the civilian world.

This distinction helps clarify that, despite sharing a common word in their titles, Information Security and Information Technology apply very different principles to attain very different objectives. These objectives are so different that businesses must ultimately segregate the two focuses, and this segregation makes sense in more ways than one.

Conflict of interest

In addition to being a different specialization, there’s also a clear conflict between the interests and perspectives of those responsible for ensuring that things work and those ensuring things are secure. Finding the right balance between accessibility and security is a key part of a modern organization’s success. It’s important to remove the possibility of either perspective squelching the other.

When security is excessive, an organization can lose the functionality that enables its primary focus. On the other hand, when the IT focus of functionality and accessibility exceeds an organization’s security, breaches become imminent. Balance is key here, because erring on either side can be devastating to an organization.

Where should security fit within an organization?

IDC predicted that 75% of CISOs will report to the CEO by 2018, but a recent survey by K Logix shows that more than half still report to the CIO. This structure ignores key factors: the inherent conflict of interest, and the fact that security isn’t a subset of IT. Some have argued that the CIO should report to the CISO, but this just creates these same problems in a different way. A simple solution is to give the CISO and the CIO the same reporting structure, with both reporting to the CEO. But that isn’t the end.

With the never-ending stream of data breaches in the news, we’re going to see a dawning realization from business leaders of every kind: information security is about existential business risk, not IT risk. Ultimately, it’s a Board of Directors-level issue. The National Association of Corporate Directors has realized this and recently published its Director’s Handbook on Cyber-Risk Oversight, and corporate boards are starting to realize they need security expertise at the board level. The shift is imminent; the only question that remains for most companies is whether they’ll realize it prior to, or as a result of, a catastrophic data breach.

Dave Venable is a former intelligence professional with the National Security Agency, with extensive experience in Computer Network Exploitation and Information Operations. He has also taught about these topics as adjunct faculty at the National Cryptologic School. Dave has developed and managed several U.S. national-level projects in support of global anti-terrorism operations and the Global War on Terror, in addition to providing security consulting to Global 500 companies.

As the Vice President of Cyber Security at Masergy Communications, Dave is responsible for protecting a global network infrastructure, as well as advising multinational companies about protecting their vital digital assets. Dave is a regular keynote speaker and author on information security, and has received numerous awards from the National Security Agency. Dave is a cyber security expert with Strategikon, a European think tank focused on global security; and serves on the Cyber Security Advisory Board of Southern Methodist University.

The opinions expressed in this blog are those of Dave Venable and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.