
Economy of scale, master of none

weighing in on a debate with no one right answer

A few thoughts on “the debate” that is still going on, and has been for decades: should the Security function report into IT? I’ve been a firm “no” for as long as I’ve been a practitioner. I started out reporting into a profit center/revenue unit and have reported into both IT and directly to non-IT executive leadership since then.

Stripping it down, of course, what actually makes the strategy effective is not where Security reports, but whose attention it gets, the qualifications of the people doing the work and where the accountability is. So the differences can be subtle. And this brings me to economies of scale.

The common belief is that the larger the organization, the more justified it is for IT and Security to be separate.  For one thing, the larger the organization, the more valuable all critical assets are in terms of real money.  The crown jewels of a national bank are just more valuable than of a local small business (again, this is just in terms of money; for a small business owner, their crown jewels may be of immense importance to them).  Even if the small business’s revenue is in the millions, it pales in comparison to the large financial institutions.  The national bank can afford to have a security function separate and apart from the IT department.

Increasingly, the small business can’t afford not to as well.  The small business needs IT and Security to be separate perhaps even more than the large business.

Here’s why: regardless of the structure of a cybersecurity function in a large corporation, cyber risk is mostly recognized and often somewhat managed at the executive, if not the board, level. Incident reporting requirements, reputation risk and cyber liability insurance underwriters keep the risks fairly prominent. Are there still large companies with their heads in the sand about the threats and the impacts of cyber attacks? Sure. But Cybercrime Magazine produces a list every year of the 500 CISOs for the Fortune 500, and there is always someone with that level of responsibility. Move down a few rungs on the ladder or company size and you will find CIOs who will say (as one did to me recently) “we sit in both seats” (yikes).

The arguments for the separation go along the lines of motivation and incentive. If a CIO’s job is to keep the systems up and running while delivering new technology and allowing for innovation, then they have incentives to cut corners on security. Security slows it all down. Security is loss control, while delivering new apps and AI is cool and visible to the business. Security sometimes identifies risks that are not worth taking, and then the CIO is in the unenviable position of saying no to the business. Better to have a CISO who can say no and make the call when things need to slow down. And if the CISO is not reporting to the CIO, then there is less chance of a conflict of interest between the CISO and their boss.

Are CIOs usually reckless? No. But it doesn’t hurt to have someone at arm’s length from the CIO watching the IT department. Does that structure alone prevent all attacks? Of course not, but every advantage helps.

Which brings us back to the idea that smaller companies cannot afford this. I know of three cases lately where getting security and IT services from a “one stop shop” was not at all a good thing for some small to mid-size companies. Here they are. My information comes from talking directly to these firms and their IT providers. These cases are all from 2024.

First case: the firm reports that it was hit with ransomware but everything is OK now. Their IT provider can say the day the attack happened, but is not certain of how the hacker got into the company’s network. They believe it was a laptop on which they found a corrupt executable file and a ransom note, and that the user clicked on a link in a phishing email. But when they discovered that laptop, they immediately re-imaged the device, destroying any evidence of the attack. They conjectured the attacker got there by a phishing email, but they somehow were unable to find the email even though they claimed the user’s email was not compromised. Other remediation steps they took were to erase the note from the other machines that had it (!), re-imaging those, and running complete scans on the machines that did not have the note using the anti-virus software that was installed on the machines when the successful attack happened. They had everyone change their passwords too.

My security colleagues are groaning at this, of course. The IT provider destroyed the “scene of the crime,” was unable to prove the method of entry by the attacker, and “cleaned” the machines that the attacker may have touched using the software the attacker had already got around.

Second case: again, a mid-size company that outsources its IT and Security to a single IT service provider. The company gets attacked with ransomware. The IT service provider’s report includes the following remediation steps: we took away admin rights from almost all the users, we implemented MFA and we ran scans on all the machines.

So, the IT service provider did not have MFA turned on for all the users to get to their Microsoft 365 and never inventoried who had admin rights until those rights were abused. The IT service provider’s website brags about their ability to provide security services.

Third case: in this one, the report indicated that the IT service provider was the victim who was hacked, and from their environment the hacker accessed all the service provider’s clients. I never got a very clear idea of how the service provider was compromised, but the anti-malware software that the service provider was running for themselves and their clients was designed for home computers and had no XDR capabilities. The attacker had no trouble defeating it. They have since upgraded their anti-malware protection. As an aside, we cannot rule out that this scenario is what happened in case one above and that the IT service provider re-imaged the machine without an investigation to cover up that they were the source of the attack.

In all three of these cases, the firms were not big enough to have much of an IT or Security function in house, so they outsourced to local IT service providers. The IT service providers claimed to provide “security,” but what they really provided was half-baked solutions that they considered “good enough.”

I hope those examples illustrate how it is a false economy to have a local IT service provider provide security without some arm’s-length independent review, or better yet, get IT service from one company and Security from another company that specializes in security. You might argue that the one provider that can cover more functions (IT infrastructure, desktop support, security, etc.) gives the small company an “economy of scale” because it covers more needs, and because the provider covers multiple firms you only pay for what you need. The saving is, I would argue, not well thought out.

While economists will calculate “economies of scale”, they are also proponents of specialization as having its own economic value.  You have to balance the two.

Bottom line: the hackers are absolutely thrilled that small and mid-size firms get IT and Security services from jacks of all trades who are masters of none.
