Your day-to-day IT support team is not made up of cybersecurity experts, and the services your IT team provides do not include comprehensive information security protection. Read that again, because it is very important to understand. Your IT support team's primary function is not to reduce your organization's risk, find your organization's vulnerabilities, or protect your organization from threats. Your IT department's primary function is to troubleshoot functional issues with your technology and to maintain that technology so you can perform your day-to-day business operations effectively.
Even at Connect Cause, our core Managed IT services are primarily focused on providing functional support and maintenance for your technology. While most Managed IT Service Providers include some basic cybersecurity services (such as endpoint protection, patching, basic backups, and perhaps email filtering), this does not mean that those providers are information security experts, or that those offerings are sufficient to protect your organization.
Don't get it wrong: you need IT support too. It's just that the purpose of an IT team is not to provide security, just as the purpose of a cybersecurity team is not to troubleshoot why your application won't launch or why your computer is running slowly. Put another way, a dentist and a podiatrist are both doctors who went through some form of medical school, but you wouldn't expect your podiatrist to perform a root canal, and you certainly wouldn't ask them what they're doing to keep your teeth white. Information security as a true discipline is as different from effective IT support as athlete's foot is from a cavity.
However, the lines are blurred. Organizations expect their tech people to be cybersecurity experts and assume that their "monitoring tools" are "protecting them." Some technology experts do have a passing knowledge of cybersecurity. They can make it sound like you're sufficiently protected, and they may well know more than you do. But it isn't enough. If you truly want to be protected, you need a partner that also has a complete Managed Security Services stack and a mastery of the information security discipline. You may even deliberately want that partner to be separate from your IT provider (there are pros and cons to both arrangements; please ask us if you're interested).
The key to a successful information security program at any organization is awareness, knowledge, and a commitment to maintaining a secure posture across all facets of information security. Smaller organizations may rely on consultants and firms that specialize in it. Larger enterprises may employ dozens or hundreds of people to cover their bases in information security, and may leverage consultants or outside experts as well.
What is Information Security?
Information security is a vast and complex topic spanning multiple disciplines. At its most fundamental level, it is the practice of ensuring the confidentiality, integrity, and availability of all your organization's information.
Is Information Security the same as Cybersecurity?
Cybersecurity is a specific subset of information security. All cybersecurity is information security, but not all information security is cybersecurity. Cybersecurity is specifically about protecting digital assets and information against digital threats. It focuses on mitigating digital vulnerabilities, and on gathering and applying useful intelligence to hunt for and mitigate threats that pose a risk to an organization's digital information.
Besides cybersecurity, information security also includes Operational Security, Security Operations, Physical Security, and GRC (Governance, Risk, and Compliance). Each of these disciplines comprises a multitude of complex subcategories.
How does Information Security include Physical Security?
Your information isn't only accessible digitally. There are physical elements to safeguarding it as well. Examples include paper files in a locked filing cabinet, privacy screen filters that prevent visitors to your organization from reading a screen over someone's shoulder or from the side, locked enclosures for computers and network equipment, and video surveillance systems that monitor for unauthorized physical access. All of these fall under the umbrella of information security in some capacity because, even though they are focused on physically securing something, they are ultimately in service of protecting your organization's valuable information.
What’s the difference between Operational Security and Security Operations?
This one is a bit more confusing because of how similar the two names sound.
Operational Security is driven by organizational policy. It is the means by which an organization documents its stance on information, on security, and on all the related matters, along with the consequences for violating those policies. Operational Security is usually enforced through a combination of incentives not to break the rules (continued employment, promotions, raises, bonuses) and penalties for breaking them (written warnings, demotions, termination, or even civil or criminal proceedings).
Security Operations is the intersection of information technology and information security: the actual delivery and support of cybersecurity solutions. Unlike IT support, it serves not the organization's daily business operations and workflows, but the confidentiality, integrity, and availability of the organization's valuable information.
You mentioned governance, risk, and compliance. That sounds complicated. Does this apply to my organization?
The short answer is "Yes, on some level it probably does." And while the topic is complex, it doesn't need to be complicated. In the context of information security, GRC simply means that an organization is properly overseeing and maintaining its security program, thoughtfully considering the risks it faces, incorporating all of this into its Operational Security, and (perhaps most importantly) actually complying with those policies and with any laws it is bound by, implementing controls to verify that compliance.
This all looks like a lot and it’s a bit overwhelming. Can you make this easier to understand?
Absolutely. And don’t worry, we get this a LOT.
The simplest explanation we can give is this: securing information and staying compliant is very challenging, so there are many specific ways to do it, depending on what that information is, where it lives, and how your organization wants (and needs) to handle it. Thousands of platforms, tools, and concepts exist to help secure it all. Those solutions need to be understood, sourced, implemented, and managed by someone. They almost always need to be licensed or warrantied too. The licensing and the labor required to do all of this effectively are not only expensive but complex.
Why Connect Cause?
Connect Cause is proud to dedicate a division of our company to information security, separate from our core IT and VoIP offerings. We employ information security experts who help our customers navigate the complexities of risks, threats, and vulnerabilities across their digital, physical, and operational landscapes. We provide a range of related products and services, led by dedicated virtual Chief Information Security Officers (vCISOs), to improve our clients' security postures, reducing their risk and insulating them from threats and from the exploitation of vulnerabilities.
We do the heavy lifting for you by sourcing a variety of solutions, acquiring them on your behalf, and managing them on an ongoing basis. We have strategically chosen our own partners and platforms to take the guesswork out of it for you, and we have created packages of solutions that you can subscribe to. Just reach out to us about your fears, concerns, and needs, and we'll come up with the right recommendations for you.
The best time to implement security for your organization was yesterday. The next best time is today. Reach out to us today for a free cybersecurity consultation and find out what we have to offer.
—www.ConnectCause.com—