It will ensure that there is a lot more coordination between shadow IT owners and physical security set-up owners.
I choose to agree that the Information Security (InfoSec) function should be independent of enterprise IT.
It is a myth that InfoSec is limited to IT and to information stored in IT infrastructure. No doubt, IT has a very big (and major) role to play when it comes to information handling and therefore has the lion's share of the InfoSec aspects. However, information and its security are not limited to IT alone. Secondly, when we talk of enterprise IT, the inclusion or exclusion of shadow IT depends on the organization in question. Regardless of whether an organization treats shadow IT as part of enterprise IT or not, the application of InfoSec to shadow IT is definitely necessary.
In an organization, shadow IT mushrooms only because enterprise IT does not have enough manpower or is heavily loaded with its enterprise priorities. Because of this, the operations and business functions directly engage third-party IT service providers, avail themselves of their services, and finally supervise and run the show by themselves for their limited requirements. Having InfoSec independent of enterprise IT would help avoid the risk of the misunderstanding that, because InfoSec sits within enterprise IT, shadow IT is excused from the discipline of InfoSec, and that InfoSec is only a "good to have" for shadow IT.
Next in line is physical security. Almost all physical security measures have IT interfaces, and a lot of this information is stored, processed and used within certain IT systems. It is also observed that, like shadow IT, these kinds of set-ups are generally owned and managed by an administrative department that evaluates, installs and owns the building management systems.
If InfoSec is independent of enterprise IT, there would be a lot more coordination between shadow IT owners and physical security set-up owners, as the function is no longer seen as mixed up with enterprise IT. Last but not least, the InfoSec function should be focused on the security needs of the information while remaining sensitive to delivery deadlines. It should not get bullied into overlooking or compromising controls that are necessary, or indeed critical, from an InfoSec perspective. That can be facilitated only if InfoSec is independent of enterprise IT.
Apart from this, many more systems can be cited which always, or most of the time, do not fall within the enterprise IT domain. These include SCADA systems, R&D DMS, design department systems, etc., because their owners have the skills to use platforms and systems that differ from enterprise IT and are better at maintaining them. However, they too have to be kept under the umbrella of company-wide InfoSec initiatives. That would be more easily possible if InfoSec were independent of enterprise IT. While all this is being discussed, let us not forget that enterprise IT, being a major information-handling set-up, will definitely respect and follow InfoSec principles.
Another equally important reason for InfoSec to be independent of enterprise IT is to keep non-IT security (paper, people and other means of communication such as voice and video) within its purview as well, making InfoSec approachable without entangling pure technology aspects in its domain.
Milind Mungale is executive vice president & CISO at NSDL e-Governance Infrastructure Limited