Why do business management and IT have to fight about security?

In today's world of data management, the constant bickering and finger pointing that arises from any conversation between the business management team and the IT team is noticeable in most organisations. Management does not, or does not want to, understand what is required to protect the data and keep the information secure, while IT does not understand the business constraints and the need for the organisation to produce revenue and, in the end, profits.

This clash between the two can have serious detrimental effects on the business.

The problems seem to arise from the different mindsets of the individual components of the business, so some type of circuit breaker is needed so that each side can understand the other's point of view.

So what is the management team saying about IT?

The security team is restricting access to critical information. IT's perception of a security problem, and of securing business data, is usually shaped by the idea that restricting access to the data is easier and more manageable for them. This can have detrimental effects on access to critical business data for all the users who require it. Data access needs to be tempered with business needs. The major requirement for IT is to understand the business structure and why certain people need, and have, access to a given level of data. Once this is done, IT can then set up the correct level of auditing on that access.

Personality – IT is perceived as condescending. The TV programs, cartoons and jokes that portray IT as having no understanding of the real world are numerous, to say the least. In some cases it is true. Most of the time this perception can be changed by involving the IT department in the rest of the business.

Business needs are not understood to the level required for decision making. This is a serious problem with the IT department's understanding of the business. IT seems to lose sight of the fact that it is part of an organisation that is there to produce revenue and increase profits. Without that, there is no job.

Cost-effective solutions are not usually proposed. When IT puts together a proposal, it is usually the Rolls-Royce solution, not the Ford. This creates friction because IT usually wants to play with the newest and greatest technology, without understanding the ROI requirements within the business.

Implementation of IT projects never seems to end. We have all heard it: this software implementation is never going to end. There are so many reasons or excuses – the scope has changed, the money is not enough, there are added features, there are problems with integrating it into the old infrastructure. Some of the excuses are true, but it normally comes back to inadequate planning and implementation.

IT is always looking on the bad side of everything. No matter what happens within the business environment, IT always seems to look at the down side of the problem. The server failure, the help desk metrics, the monitoring requirements are too difficult. We never have enough staff to do these jobs, and on top of that we are rolling out new desktops – what am I going to do?

IT has no understanding of the politics within the business. To an IT person, business politics are about as understandable as the technological requirements of the business are to management. Small and medium businesses and not-for-profit organisations need to educate their IT staff in the culture of the business.

What can be done internally to improve the situation? IT needs a champion in the management team, someone who understands the business requirements but also understands the technological requirements to complete and support the business processes.

Roger Smith is an educator, teaching students at ADFA (UNSW) and showing them how vulnerable they are to cybercrime.

He is also CEO at R & I ICT Consulting Services Pty Ltd, an Amazon #1 author on Cybercrime and founder of the SME Security Framework. He is a consultant who specialises in inexpensive and highly effective security strategies for small and medium businesses and not-for-profit organisations.

He has developed and authored the SME Security Framework and the Security Policy Training Course, which are considered to be the definitive guides to helping SMEs protect their organisations using the principles of Technology, Management, Adaptability and Compliance.