Will Enterprise IT Security Ever Converge?

Will the current state of enterprise IT security ever converge? And if it does, should it?

The funding, direction and delivery of enterprise IT security is currently split between different departments. What is interesting to note is that this splitting of the IT security function is expressly established by design at most enterprises.

The three primary organizational buckets from which enterprise IT security is delivered at most enterprises include:

  • The IT operations department
  • Business units and operations
  • The IT security group

The extent of the divisions among these three very different stakeholder groups is reinforced by separate budgets that fund and operate enterprise IT security.

Although there is not total harmonization across enterprises, the responsibilities for IT security tend to follow predictable lines of focus across most enterprises.

These lines of focus tend to include:

IT operations. A relatively larger IT operations department is typically focused on IT service management for maintaining computing and networking infrastructure. The focus in IT operations tends to be on highly available business operations that run 7x24x365, uninterrupted and unimpeded.

Business units. Business units and operations tend to focus on the users of IT services, applications, information and data required to service the needs of customers and operate the business.

IT security. A typically smaller IT security group is focused on some - but not all - of the information security process workflows described by the NIST cybersecurity framework. Instead, the smaller IT security group tends to focus on the integrity of IT assets - including the infrastructure, applications and data - and the confidentiality of high-value, non-public information.

The different foci of the three - in truth it is more than three due to multiple enterprise business units funding and shaping IT security - result in the fragmentation of a small IT security function that is whipsawed back and forth between IT operations and the business lines.

The fragmentation sees funding, responsibility, accountability, planning and day-to-day operations spread across groups with different agendas, different objectives, and very different yardsticks defining "good."

The multiple business units and operations typical of large global enterprises make management and governance of IT security from a single reference difficult if not impossible.

One of the keys to harmonizing the different stakeholder groups and budget centers is intelligence that delivers insights for each of the security stakeholder groups to achieve their objectives.

Unfortunately, very little of this harmonization occurs today, nor is it automated, and most of it occurs by happenstance and forced effort.

Will enterprise IT security ever converge, and should it?
