When Do You Need A Security Team (or person)?
- silsbeke
- Mar 12

In conversations about Information or Cyber Security at smaller companies, a question often asked is, “When does an organization need a security function?” In some cases it is followed by the statement, “We rely on our IT team and are doing fine.”
While a tech-heavy focus does provide a level of security to an organization, there are fundamental advantages to using a professional whose primary skillset is security, backed by a background (and likely expertise) in tech. Should one focus win over the other?
It’s true. Not every organization has a security function, a dedicated security person wearing a white cowboy hat and a shiny tin star on the chest, ready to fight cyber bad guys. Many companies, especially tech-heavy ones, rely on a person with a heavy Information Technology skillset and some background knowledge of security. However, security is not just about the tools but about strategy and mindset, and that is where a security-heavy focus earns its keep and an IT-heavy focus delivers less.
Organization Growth – More Than Just Hackers Take Notice
Smaller and growing companies frequently establish a security discipline when annual revenue reaches the $30M to $50M mark. Another indicator is when the business reaches 100+ employees. The actual numbers aren’t important; what matters is the level of upheaval caused by change. The IT functions begin to feel the strain of reorganized departments, expanded services, and a growing customer base. The IT person tasked with security will likely become overwhelmed by expanding responsibilities for Identity and Access Management (IAM), endpoint device management, role-based access, data privacy protections, server hardening, security management, and so on. Because of their tech-heavy skills, that person will likely be pulled away from security work to put their IT skills to use elsewhere until more tech people can be hired (it’s just temporary, honest). With the security role stretched thin, executives may find it is finally time to create a true security function, likely starting with a single multi-talented, security-heavy person who can build a department from the ground up.
Often, investors begin to play more of a role. They take an active interest in managing risk as part of investing, which might include a requirement to add dedicated security professionals with security-heavy (not IT) credentials to secure the business and reduce risk. An IT person who does security doesn’t quite hit the mark the way a security professional who also brings IT experience does.
And let’s not forget the customers. As the customer base grows, the business will seek larger organizations to serve. Larger customers, and especially enterprise customers, will ask increasingly challenging questions before finalizing a sale, such as how the business protects its systems and sensitive data. It quickly becomes apparent that a role with a primary focus on security is needed, because those customers have a dedicated security function themselves and expect one on the vendor side.
Fighting the Three-Headed GRC Monster
Dealing with state and national laws, international standards, and risk is part of any business. While an organization may rely on outside legal counsel for guidance, most attorneys stop short of advising how best to implement security or data privacy protections within internal departments, processes, or software features. Risk identification and reduction is usually not their area of expertise. Using in-house counsel does not change the equation, because implementation work still falls outside the legal guidance counsel provides.
Addressing GRC is a challenge for a tech-heavy focus because translating laws and compliance requirements into actionable solutions is unfamiliar territory. Likewise, identifying and remediating risk, often in the context of laws, compliance, or malicious behavior, is not a ready skillset for a tech-heavy professional with a security background. Security-heavy professionals, on the other hand, tend to have practical GRC experience because it is part of their daily work. A security-heavy professional with an IT background is more comfortable translating laws, compliance requirements, legal guidance, and risk reduction into actionable practices. A solid security professional also understands that a fix can combine people, process, and technology controls, which gives far more flexibility in solving security problems than a tech-heavy focus alone.

ISO 27001, SOC 2, Etc. Are Now Table Stakes
Industry certifications are becoming an entry-level requirement – table stakes – for signing deals with customers, especially enterprise-level customers. (Strictly speaking, SOC 2 is an attestation report rather than a certification, but customers ask for it in the same breath.) Parts of obtaining one of these certifications can be straightforward, with requests such as, “Provide evidence of your password policy in practice” (insert screen capture of your server’s password configuration screen). However, many of the certification items require interpretation based on security knowledge and experience. The certifications are not simply a list of boxes to be checked with proof of a technical control. They require an understanding of the underlying purpose of specific controls and how those controls come together as an overall approach to securing a target system.
While a tech-heavy professional with a security background can certainly understand the technical controls that need to be in place, the certifications are really about viewing computer systems from a comprehensive security standpoint and using the underlying technical controls as the means to achieving that overall security. Not every security professional has had to deal with industry certifications. But an experienced security-heavy professional already views security holistically, is familiar with the certifications as an overall security strategy, and understands that more than one technical control, process, or policy can satisfy a given requirement. A security-heavy focus backed by a tech background can shine in this area.
The IT vs Security Mindset
Let’s face it, IT people and security people are just different. For the IT mindset, it’s all about features: using or inventing technology to increase capabilities and streamlining or automating it. How to make things work. The security mindset is to look for the flaws in things. It’s not uncommon for security people to come from the world of gaming or testing, where finding flaws in a system is rewarded. The tech-heavy view is to trust that technologies and designs work to meet a specific goal or solve a problem. The security focus is to identify which system flaws could be used to gain control of a system or reach data or privileges that should not be available, then weigh the impact and the alternatives for fixing those vulnerabilities with a combination of solutions, including IT.
It’s not easy to teach tech-heavy professionals to think by default about risk and how something can break (isn’t that what testers and QA are for?). The security-heavy mindset operates in both the security and IT worlds, usually needing to identify a flaw’s degree of risk and then propose a fix that may not remove the issue but reduces it to a level everybody can live with.
It’s All About Risk
In the end, perhaps the biggest factor in deciding whether a tech-heavy or security-heavy person should lead an organization’s security function is the business’s risk tolerance. A tech-heavy person with a security background is not the same as a security-heavy person with a tech background. For the tech-heavy focus, the expectation is that the technologies will keep the business secure; in practice, security perspectives can be missed, the focus on risk can be absent, and a tactical approach is followed rather than a strategic one. The longer a dedicated security professional is not in the chair, the longer it could take to grow the business by signing larger customers. Without a true security focus, risk increases because there is no strategic plan that fits multiple technologies together. The security outcome differs depending on the focus.

So What’s the Right Approach?
A house can be constructed with a range of methods, such as hand tools, power tools, or even a printer that lays down concrete instead of ink. With time, the tools change and become obsolete. The real test of the house’s quality is how well it was designed to withstand the elements, make day-to-day use comfortable, and stay useful over time. The tech tools used for security will always change and become obsolete, while the frameworks and methodologies that define a strong security posture largely remain the same.
As a security professional, it’s true that I am biased. I believe that organizations are well-served building a security function early and staffing it with people who are security-heavy, followed by a technical background. Not only will this approach instill a strategic rather than tactical perspective, but it will also plant the seeds of a culture based in security, rather than trying to cultivate a security culture later.