Imagine a building inspector who inspected and signed off on a construction job. After the building suffered a serious collapse, it was determined that a failure to follow the building code was the reason the structure failed. The inspector was both the town’s building inspector and a private contractor – inspecting his own company’s work.
Clearly this is a conflict of interest that should never exist, yet in many companies today cyber security oversight is handled by the IT staff. This is very dangerous, because you cannot serve two masters. IT staff are primarily concerned with function – getting things to work and keeping them running. Cyber security focuses on restricting function for the sake of protection. When the two conflict, one has to win over the other. That is not to say that an individual will intentionally hamper security for the sake of function, but let’s look at what naturally happens.
A recent real-life example we uncovered involved an IT Systems Administrator who needed to get a new piece of management software running to support the business. The software automatically set up a service account with domain administrator rights. The Systems Administrator ran into issues he didn’t have time to resolve, so he set this account to not require a password. That’s right: a domain administrator account that did not require a password. This organization’s Security team was alerted by a monitoring solution and made the Systems Administrator delete the account, fix the issues, and then reinstall the software properly. What would have happened if the Systems Administrator had also been tasked with upholding cyber security? Which need would have won out, function or security? We will never know, since this company had separate roles and the security role was empowered to prevent this dangerous configuration (and the company had a monitoring solution in place to alert the security team).
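The check that caught this configuration can be reproduced offline. The script below is an added example, not the monitoring product the company used: it decodes the documented `userAccountControl` bits of Active Directory accounts (in particular `PASSWD_NOTREQD`, the flag that lets an account accept an empty password) and raises the severity when the account also sits in a privileged group. The account records are constructed for the example; in practice they would come from an LDAP or PowerShell export of the directory.

```python
"""Flag Active Directory accounts whose userAccountControl bits allow an
empty password, weighting the finding by privileged-group membership.

The account records below are constructed for this example, not exported
from any real directory. The flag values are the documented Microsoft
userAccountControl bit constants.
"""

# Documented userAccountControl bits (only the ones this check needs)
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",        # empty password accepted
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
}
ACCOUNTDISABLE = 0x0002
PASSWD_NOTREQD = 0x0020
DONT_EXPIRE_PASSWORD = 0x10000

# Groups whose members are treated as privileged for this check
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins",
                     "Schema Admins", "Administrators"}

# Constructed sample export (hypothetical accounts, not real data).
# svc-mgmt mirrors the incident in the text: a service account that was
# made a domain admin and then set to not require a password.
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "svc-mgmt",  "userAccountControl": 0x10220,
     "memberOf": ["Domain Admins"]},
    {"sAMAccountName": "jdoe",      "userAccountControl": 0x200,
     "memberOf": ["Domain Users"]},
    {"sAMAccountName": "svc-sql",   "userAccountControl": 0x10200,
     "memberOf": ["Domain Admins"]},
    {"sAMAccountName": "old-admin", "userAccountControl": 0x222,
     "memberOf": ["Domain Admins"]},
]


def decode_uac(value):
    """Return the set of flag names set in a userAccountControl integer."""
    return {name for bit, name in UAC_FLAGS.items() if value & bit}


def is_privileged(account):
    """True if the account belongs to any group in PRIVILEGED_GROUPS."""
    return any(g in PRIVILEGED_GROUPS for g in account.get("memberOf", []))


def find_findings(accounts):
    """Return one finding per risky account, with a severity rating.

    PASSWD_NOTREQD on an enabled privileged account is critical. A disabled
    account keeps the bit, so it is still reported: re-enabling it would
    restore the exposure without any further change.
    """
    findings = []
    for acct in accounts:
        uac = acct["userAccountControl"]
        privileged = is_privileged(acct)
        enabled = not (uac & ACCOUNTDISABLE)
        if uac & PASSWD_NOTREQD:
            if privileged and enabled:
                severity = "critical"
            elif privileged or enabled:
                severity = "high"
            else:
                severity = "medium"
            reason = "PASSWD_NOTREQD set: an empty password is accepted"
        elif privileged and (uac & DONT_EXPIRE_PASSWORD):
            severity = "low"
            reason = "privileged account with a non-expiring password"
        else:
            continue
        findings.append({
            "account": acct["sAMAccountName"],
            "severity": severity,
            "reason": reason,
            "flags": sorted(decode_uac(uac)),
        })
    return findings


if __name__ == "__main__":
    for f in find_findings(SAMPLE_ACCOUNTS):
        print(f"[{f['severity'].upper():8}] {f['account']}: {f['reason']} "
              f"({', '.join(f['flags'])})")
```

Run on the constructed records it reports `svc-mgmt` as critical, `old-admin` as high (disabled, but the bit is still set), and `svc-sql` as low; `jdoe` produces nothing. The same rule set can be fed from a scheduled export so the security team, rather than the administrator who made the change, is the one who sees the alert.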
So the lesson is that these roles need to be separate, even if the security role has to be outsourced. We cannot, as protectors of information, continue to allow function to win over security.