As a business leader, you might not know all that much about tech — and that’s why you have an in-house team of IT experts to fulfill the digital needs of your growing business. Yet, something that many business leaders fail to realize is that not all IT professionals have the same skills.
While your IT team might be well-versed in building and maintaining systems and networks, integrating cloud environments and understanding data architectures, they might be dropping the ball when it comes to a critical service: cybersecurity.
Here are a few reasons why an existing IT team might be struggling to maintain effective security and how you can make changes to your IT department to reduce cyber risks.
Lack of Security-specific Training and Expertise
As mentioned above, not all IT employees have the exact same skills, largely because there is no single path into the IT profession. Some of your staff may have degrees in fields like computer science or computer information systems, but many may be self-taught or credentialed through narrow bootcamps. Suffice it to say that there could be a wide range of information security knowledge and experience amongst your team.
Going forward, you might begin prioritizing security expertise in your new IT hires to raise the level of security knowledge and skill across your IT staff. You might also offer or mandate professional development opportunities that include enhanced information security training. Anything you can do to close the gap between your team’s existing security capabilities and what your organization needs is a step in the right direction.
Lack of Context Regarding Systems and Applications
IT professionals can only prepare for and respond to situations they understand. While their baseline knowledge and expertise may be sufficient for standard business operations, they need as much information as possible from other departments within the organization to develop effective security systems and processes in specific circumstances.
For example, a sudden spike in inbound network packets will, to most IT staff with some security training, look like a DDoS attack, the kind of event that causes costly downtime and potential loss of valuable data. IT workers may therefore take immediate action to block the traffic and protect business systems.
However, if a major marketing campaign launched only recently, the inbound traffic may simply reflect increased consumer awareness and excitement, and blocking it will harm the business.
IT benefits from as much context as possible. Unfortunately, the isolation of IT can prevent its staff from accessing the business information they need to make correct determinations. You should therefore work to integrate IT more effectively into key business processes so that proper context is available to security staff.
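One way to give a traffic alert the business context described above, as an added example that is not from the original article: the security team consults a campaign calendar shared by marketing before deciding how loudly to alert. The baseline figures, the campaign window and the distinct-source ratio are constructed assumptions for the example.

```python
from datetime import datetime
from statistics import median

# Constructed sample baseline: inbound requests per minute over the
# previous ten minutes (not measurements from any real network).
BASELINE = [1200, 1150, 1300, 1250, 1180, 1220, 1290, 1210, 1260, 1240]

# Hypothetical campaign calendar the marketing team shares with security;
# (name, start, end) in ISO 8601. Constructed for this example.
CAMPAIGNS = [
    ("spring-launch", "2024-04-02T09:00:00+00:00", "2024-04-02T18:00:00+00:00"),
]


def robust_threshold(history, k=6.0):
    """Median + k * MAD: a single earlier burst does not inflate the baseline."""
    m = median(history)
    mad = median(abs(x - m) for x in history) or 1.0
    return m + k * mad


def active_campaign(ts, campaigns=CAMPAIGNS):
    """Return the campaign name covering timestamp ts (ISO 8601), else None."""
    t = datetime.fromisoformat(ts)
    for name, start, end in campaigns:
        if datetime.fromisoformat(start) <= t <= datetime.fromisoformat(end):
            return name
    return None


def assess_spike(ts, count, unique_sources, history=BASELINE, campaigns=CAMPAIGNS):
    """Classify one minute of inbound traffic as (severity, reason).

    Business context alone is not a free pass: a spike inside a campaign
    window is only downgraded when it also looks like real audience traffic,
    i.e. it arrives from many distinct sources. The 0.2 ratio is an assumed
    heuristic for this example, not a tuned production value.
    """
    if count <= robust_threshold(history):
        return "none", "within baseline"
    campaign = active_campaign(ts, campaigns)
    if campaign is None:
        return "high", "spike with no registered business context"
    if unique_sources / count >= 0.2:
        return "info", f"spike during campaign '{campaign}' from many distinct sources"
    return "high", f"spike during campaign '{campaign}' but from few distinct sources"
```

The same spike is thus escalated outside a campaign window or when it comes from a handful of sources, and merely noted when both the calendar and the traffic shape agree it is an audience.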
Excessive Amount of Communications Overhead
Often, to obtain that context, the security team within IT is expected to communicate individually with every other team in the organization, but this one-to-one communication is extremely inefficient. The number of connections IT must maintain each week can become overwhelming, leaving IT staff with little capacity beyond merely keeping communication lines open with the rest of the company.
To reduce the overhead and increase efficiency, you might consider easing communication between IT security and the rest of the organization through memos and meetings. This shifts the onus of communication from IT to other departments and ensures that key members of all teams are appropriately informed.
Destructive Attitude From IT Centralization
Many businesses choose to centralize IT, meaning that all aspects of IT management are contained within a single, cohesive department rather than dispersed among departments that may have distinct needs and strategies. Centralization may seem more efficient, but it tends to put a dangerous distance between IT staff and the rest of your workforce, which can result in hostile attitudes.
For example, when managing security training for the workforce, IT employees may not know how to explain the hows and whys of basic security practices, such as creating strong passwords. As a result, only a small percentage of the workforce may adhere to these practices, creating vulnerabilities. In response, IT may assume that the workforce is stupid or lazy, further reducing its willingness to offer the deeper explanations that might improve security.
To produce a truly secure IT infrastructure, you need to eliminate the harmful attitude produced by isolated, centralized IT. Some decentralization should help, but you might also try team-building exercises aimed at building empathy and understanding.
If you suspect that your current IT team isn’t effectively managing the security needs of your business, you should take steps to investigate whether they are appropriately experienced, are communicating with the rest of your organization, have the right context and maintain the right attitude.