Where does security fit in bi-modal IT departments?

There seems to be disagreement as to whether security workers should be in the innovation camp or look after the day-to-day operations.

When restructuring an IT department, the recent trend has been to look at possibly breaking it into two factions. One group that handles the daily tasks by putting out fires, and one that looks ahead in trying to create a new landscape that is immune to those fires.

The bi-modal idea has its benefits and its pitfalls but the determination seems to come down to the size of the enterprise. In the mid to smaller companies, there is not the luxury of splitting the security group out into subgroups. In the bigger companies the question becomes where do the security folks belong.

For Dale Denham, CIO of promotional products industry company Geiger, he believes security should sit in operations. An innovation team is focused on functionality, but an operations team would focus on making sure everything is secure, he said.

The Lewiston, Maine, company has a 25-member IT department that supports 750 workers (400 of whom are independent contractors). While acknowledging that mixing operations and innovation within a single team has its own set of challenges, he says he believes a bimodal IT department could easily develop a “throw it over the wall mentality” – that is, once the innovation team is done, it just tosses the completed project to operations without adequate transition and concern moving forward.

[ ALSO ON CSO: 7 reasons why users have trust issues ]

“There is the challenge of when you pass that over. You have to transfer a lot of knowledge, and that’s hugely inefficient and then if you want to upgrade that project, where does that update [get tasked]?” he says, noting his shop is “a big continuous improvement shop. We’re constantly making tweaks: Is that operational or innovation? If you were set up in two shops, who gets that?”

Denham says on his team nearly everybody does both operations and innovation. He says a handful of help desk folks and networking staff are straight operations, although they do help support innovation by, for example, spinning up a server when needed.

But overall, he explains, “when we launch new projects and new tools, the same people who support old tools are creating the plans and executing the plans for the new tools and then support them when they move to operations.”

Denham says the main challenge in this setup is keeping projects on track. “Your project planning is put at risk because you never know what the operational needs will come up,” he says, noting that a large firm might not be as comfortable with that risk as a small firm such as his. He says when he anticipates that his team members might be pulled away from projects, he builds that into a project’s timeline but it’s impossible to know how much time to build in.

That’s a big benefit, he says. The team members who are delivering innovation know they’ll handle it operationally, too. “You don’t lose the brain drain, you don’t lose out on the knowledge piece when a project transfers from innovation to operations,” he adds.

Security is everywhere

Robert Quarterman, vice president of Infrastructure Architecture and Technical Services at Service Benefit Plan Administrative Services Corp., is wrestling with how to bifurcate his IT team of 360 IT employees and 90 contractors.

With regard to the security task, he says, “security is moving at a pace that’s outpacing even agile at this point based on the cyber threats that are quickly emerging.” As a result, security has become a foundational function, “so security is embedded in every aspect of our lifecycle from the beginning, so we design our solutions for performance and security and functionality and that’s the only way we’re going to be successful with it.”

“That’s the way we’re approaching it, security is everywhere,” Quarterman says, noting that security people will be embedded in projects.

He says operations “is really about running the business, so once innovation is done, it becomes operationalized.”

He says that side of the house “operates at a different speed. They have different priorities, and different funding.” Funding for operations comes from the central IT department, he explains, whereas funding for innovation comes from business units – as does advocacy for individual projects.

Quarterman says the speed of technology advancements combined with the speed at which business wants to capitalize on them is pushing IT leaders like him to make the move. He says a split could also help improve talent management.

“We’re thinking about how to segregate them because we don’t have a clear distinction today so we lean on the same expertise in the organization to do the innovation but they’re still doing maintenance, too, so we end up with conflict on what gets priority,” he explains.

In other words, those on his team that are assigned innovative tasks are also expected to continue with their regular operations duties, too, he says. That means they’re sometimes pulled off an innovation project to handle an operational issue, which impacts IT’s ability to deliver projects as quickly as possible.

Brian A. Haugabrook, CIO of Valdosta State University in Valdosta, Ga., wants his employees to be creative and innovative at the same time. He doesn’t have plans to split his IT staff of 60 full-time workers and 40 part-time workers in two. He says he sees benefits in having people work on both innovation and operations.

That doesn’t mean that everyone is doing an equal split between the two tasks. The infrastructure team generally spends about 80% of its time on operations, for example. The same goes for the tech support team.

But they are still expected to focus part of their time on innovation, and Haugabrook says that yields real results. The infrastructure team, for example, is pushing innovative solutions using cloud technologies. The tech support team dropped its response time from two hours to under 15 minutes by looking at how successful police departments use data to enable rapid response to calls.

Keeping security centralized

Rob Meilen, vice president and CIO at Hunter Douglas North America in Broomfield, Colo., believes security is such an important part of the company that it cannot be broken out.

It’s easier to maintain security when you’re more centralized. It sort of bakes into the way you do these processes when you’re centralized,” Meilen says.

He oversees an IT team of 120, supplemented by another 30 to 40 workers in outsourced or contract positions. Like other CIOs, Meilen says work often falls into one of two camps, with one focused on new technology-enabled business initiatives and the second focused on keeping everything up and running smoothly.

Join the CSO newsletter!

Error: Please check your email address.

More about CSOHunter Douglas

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Mary K. Pratt

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts