I was talking with a prospect yesterday who is an information security manager; extremely professional and creative at what he does. In the course of the conversation, I realized that there are fundamental differences in mentality between IT and Security practitioners.
Back when I wrote COBOL/CICS applications for Tadiran Information Systems – some of our work looked like what these guys in the picture are doing – standing on a scaffold, patching bricks and praying that in the next rain, the parquet floor won’t get flooded.
Most IT professionals don’t write software anymore – they evaluate, implement, maintain and support packaged applications from vendors. Firms use enterprise systems like Oracle Applications. Oracle buys companies all the time and has a large, complex portfolio of add-on products (Oracle BI Applications, for example) used to extend the functionality of Oracle Applications, stave off the competition and up-sell customers.
The key phrase for IT professionals is predictable processes – making sure that the evaluation process is adhered to, making sure that the implementation process of a new module or system is executed in a uniform and timely fashion (I learned these buzz words at Intel almost 20 years ago…). The most important thing (and this relates to security as well) is to ensure that the execution of business functions by people using the system also conforms to the company business process.
Security professionals don’t write software either – many do Perl and Tcl scripting, and here and there a few write C code to generate custom packets for network hacking etc. Although many infosec people come from a software development background, most of the work is about specifying, evaluating and implementing TLA products and services: SIM, DLP, IPS, NAC, ERM, PCI, DRP, SOX. Based on empirical evidence with clients – the majority of infosec departments are very focused on compliance and perimeter security and very technology- and product-focused, not unlike their IT brethren.
The key phrase for security professionals is UNPREDICTABLE EVENTS – responding to internal and external attacks on people (phishing, social engineering and terrorists), systems (hacking) and data (data loss and fraud).
IT business applications are defined by the business and corporate business objectives. Security activity is defined by people and organizations who don’t carry a company card and don’t care how much money a company pours into security of people, process and technology.
This is a fundamental mismatch between IT and Security groups. Since I can’t buy into something I don’t understand – I have difficulty seeing how complex standards like COSO/COBIT help bridge the gap. Politically – the analogy of a hot potato comes to mind.
I would propose that the common ground for IT and Security practitioners in a company starts with a very simple idea of brick-and-mortar security. If everyone (IT, IT Security, Compliance, Risk Management and Physical Security) starts thinking and talking in the same brick-and-mortar language of attacks, vulnerabilities, assets and countermeasures, we will be able to improve both the process and respond better to the unexpected events.