Reply to post: IT isn't Information Security

Who's going to dig you out of a security hole when the time comes?


IT isn't Information Security

Some security functions can be performed by traditional IT types, but I think it is more than a little presumptuous to say that security is just a function of IT.

IT's job is to connect and enable.

Security's job is to prevent unnecessary connections and disable dangerous capabilities.

But even beyond the core mindset differences, good information security needs to be a lot more aware of the business impacts of systems: interruption, theft, or otherwise.

IT can say we need more capacity for storage, compute, whatever because there are concrete usage measurements and trends - that approach fails miserably when attempted with security since successful security is, by definition, an absence.

Then there's the specific subject matter expertise: are all IT admins expert in network forensics and security? Endpoint forensics and security? Incident response? Malware analysis? Forensic acquisition and chain of custody?

It is quite clear the author believes in his capabilities in IT, but it seems far less clear that these IT capabilities apply to information security, or that said author is credible in dismissing information security skills and needs as mere branches of IT.

