Your IT Guy is NOT your Security Guy

For nearly 23 years of running a cyber security company, one thing has remained consistent: IT staff, sys admins, and network admins love to hate security personnel. I say this because of the countless times we have been hired by companies to provide a security service only to be met with a line of defence stronger than the one the Chicago Bears had back in 1985.

It is like there are two opposite forces at play within the same organization. Management recognizes the need for outside expertise, while the IT staff try their best to convince management that “everything is being handled” and there is “nothing to worry about”.

This dichotomy is commonplace in most companies, and here is the reason. It all started way back when computers started to become mainstream in business. There were those people who were amazed at what they could do with them, and those who wanted to know how they did what they did. In other words, there were people who were happy just using computers as a tool to accomplish a task, and there were others who needed to know how they tick. This difference became known as the gap between the tech-savvy, the “techies”, and virtually everyone else in the company, whom I call the “know betters”: the ones who know better than to question a techie.

Since then, the techies have ruled the back-office server room, and the know betters know that it is off limits. Only those who can carry on a technical conversation are welcome. Know betters are easily intimidated by the techies, and the techies know it. They have been using this to their advantage for many different reasons. Knowledge is power, and power equals better pay, more responsibility and more respect. Not all techies think like this, only the ones that are too full of pride, or territorial… never met a techie like that… said no one ever….

So here is the modern-day problem. Security issues are on the rise, and cyber crime is hitting all companies, big or small. There is a shortage of certified security professionals and even fewer competent IT shops that can provide solid security advice or service. Because of this, more and more IT staff are being elected as the new “security guy” even though they may not know the first thing about security.

Management likely has no idea about the differences. They have trusted their techies for decades. Surely they can handle the security of the company. Although security and IT are often spoken about in the same sentence, security is really a specialized part of IT all on its own. It’s like the special ops in the military. Qualified security professionals live and breathe security. They know everything a sys admin or network admin will know and a ton more about security. Techies know this; management most likely does not.

However, the management folks who do know are calling security companies to make sure their networks and infrastructure are safe, because they realize that security requires a unique skill set. It doesn’t mean that they believe their techies are inferior, but they likely realize that they may lack the skills that a trained and certified security professional possesses. It may also mean that they don’t believe their techies should be scoring their own company’s security report card… For example, there are fully qualified accounting staff in every company, yet a number of times each year an independent accounting firm is retained to verify that the assets and interests of stakeholders are secure. This practice is fully accepted, even welcomed, by the accounting staff.

Security meets the IT staff

In many cases, after management makes the call to the security company and we, “the security company”, are introduced to the IT staff, our first meeting feels like a standoff scene in a Clint Eastwood spaghetti western. We eventually break the ice and explain that we have been hired by management to help bolster the security of the company, or ensure that it is up to par, and that we are looking forward to their cooperation. This is the point where the one person who was previously “assigned” to handle the company’s security feels compelled to share that responsibility with a few of his unsuspecting co-workers. If we are lucky enough to establish a point of contact that we can work with, the engagement proceeds, but not without plenty of resistance, stalling, and a few ghosting events along the way.

Now, we understand why this phenomenon happens, and it is explainable. Above I explained the gap between techies and the know betters. This gap has been enjoyed by techies since what seems like the dawn of time. Techies generally know that what they say will be unchallenged and taken at face value. Why not? They’re usually able to outsmart management with techno jargon and a maze of technological explanations that leave management in the dust. Management is wise enough to know not to take a knife to a gun fight and will accept whatever the techies advise them.
Once the threat of exposure passes, all goes back to normal until the next pang of uncertainty hits management and they bring up the topic of security again. This is a cycle that has gotten many companies that we visit into a security mess, breach or incident in the first place. It’s a cycle that must be broken.

Your IT guy is NOT your security guy. Same as your mechanic is not your dentist. For the sake of the company, management must insist on outside help or hire a certified and experienced security professional to help improve their security. It is unwise to entrust the responsibility for security solely to your IT guy. Management must insist that their IT staff open up and collaborate with outside security support teams. Management needs to assure their staff that their jobs are not in jeopardy just because they cannot perform a security audit or take on the responsibility of ensuring that their infrastructure is secure. Good security is a task that takes coordination, a team effort and collaboration to properly execute and maintain. There are also aspects of security that are outside the domain of the techie, such as employee awareness, B2B electronic transactions, and the on-boarding and off-boarding of employees and contractors, which is in the H.R. domain.

For many companies, security is no longer an option. It is being enforced by compliance standards, insurance companies, shareholders, vendors, and suppliers. With a shortage of security professionals, hiring outside help from a qualified security company is a wise decision that brings many benefits. It is a chance to finally have peace of mind knowing that your corporation has done all that is possible to secure its data, intellectual property, and reputation. It is a chance for your IT team to work with a security team to better understand how to maintain a secure infrastructure.

We are all on the same team. When there are fewer security people than there are hackers and bad actors, IT staff need to be open-minded, throw away the pride and resistance, and admit that they are unable to do everything management hoped they could do as the trusted IT staff.

In the medical field, general practitioners and specialists work together all the time to save lives. IT staff and security professionals need to learn to do the same if we are to defend ourselves from inevitable attack.