According to the Congressional report on Equifax, a root cause of the breach was that Equifax moved the IT security team out from under IT due to “fundamental disagreements.” Although this is highlighted as a shortcoming in the report, in my opinion, this is misguided. In the vast majority of organizations, infosec shouldn’t be under IT. To understand why, start by imagining what would happen if your internal audit group were subordinate to the group it was auditing. Although this is an imperfect analogy (infosec performs far more than just an auditing function), it does begin to address the issue.
The report goes on to discuss moving infosec back under IT. Again, in the vast majority of cases this is the wrong answer. If we are all holding hands around the campfire, then maybe this works. In the real world, it only works when the right personalities are in place.
The Congressional report on Equifax is a great case study in why we need subject matter experts writing reports of this significance. During the testimony, Committee members became fixated on the fact that IT and infosec were in different organizations. They then drew inferences from the fact that IT referred to infosec for answers (and vice versa). But IT and infosec each staying in their own lane is a hallmark of a healthy organization.
Shouldn’t we expect IT and infosec to refer to each other for answers? Infosec performs two major work roles for an organization: architecture and audit. Architecture helps IT design secure systems, and audit helps find issues (both through periodic testing and real-time monitoring). I don’t want a single organization to have to answer to metrics for both IT operations and security. Every system admin will tell you there are usually two ways to solve a given problem (and the easy way is rarely the secure way).
The whole Enron event went down because Enron was in bed with its auditors. It’s hard not to see how the corporate organizational structure recommended in this report (IT and infosec both reporting to the CIO) can go very wrong. I’ve seen it first hand (repeatedly).
The report claims that separating IT and infosec created an “accountability gap.” Sure, it created a distribution of work, but each team was “accountable” for its own work roles. Obviously communication between groups was a serious issue. We shouldn’t downplay that, but we also shouldn’t pretend that forcing the two groups to both report to the CIO was going to magically fix things. What I read here is that Equifax, like so many other firms we’ve worked with for incident response, had a toxic relationship between IT and infosec. Combining the groups does nothing to fix your culture problems. I’ve seen it tried – without replacing leadership, it fails.
There’s a lot of great information in the report that’s never been publicly available (at least not in this format). But there are big misunderstandings in this report too. I believe the root cause is that non-SMEs are interpreting complex topics without true understanding.