Last Week As A vCISO
The IT Shuffle
IT Support is one of those areas in early-stage companies that often gets neglected. Companies frequently believe that since their people are technical, there’s no need for dedicated IT Support. They may bring on an outsourced IT firm, but then realize that they need an in-house IT leader/team to actually own projects and initiatives. I see the same pattern happen over and over, like Groundhog Day.
The fact of the matter is that no one wants to own IT.
It gets shuffled around like a hot potato and ends up with Engineering, Operations, or Finance. Like the neglected child of the family, IT feels unsupported, and initiatives don’t make it past an email. They don’t even get to the napkin or whiteboard stage!
More and more these days, IT is on the front lines of security. They deal with users on a day-to-day basis and touch the components that affect them. We will take IT!
Many security controls are IT managed or require IT to deploy, such as:
Endpoint Security (EDR, etc)
Local Admin Privileges
Single Sign On, LDAP, User Directory
Lost / Stolen devices
Endpoint Device Management (JAMF, Airwatch, etc)
Zero-Trust Initiatives, VPN provisioning (Device and Client certs)
More and more we are seeing a trend of Security owning IT. In fact, it’s an excellent opportunity. No one wants IT, so the business is happy to see a welcome home for it, while at the same time Security can manage IT initiatives with security built in. It’s a win-win for everyone. Add an automation layer that both Security and IT can use and you have an awesome machine! Not to mention the visibility and support IT would gain at the exec level, assuming Security reports to a CXO (CEO, COO, CFO, GC), as it should.
IT + Security Is Critical For Progress
An ambitious company looking to improve its security posture or elevate its security program will run into blockers early on if it doesn’t have anyone with IT expertise available (in-house or external).
At smaller startups I have seen these people managing IT:
Chief Of Staff
VP Of Engineering
Sometimes all at the same company and within the same year! 🥔
These people have more important things to do, like building the company, but more importantly, they don’t have security expertise!
Even at larger startups and enterprises, IT may exist, but it is usually severely understaffed and stuck in KTLO mode (Keep The Lights On), without the capacity or experience to roll out a medium or large project such as SSO (Single Sign On) or a Security Awareness Campaign.
If you have or plan to have over 100 people at your organization, or are trying to do SOC2… please hire an FTE IT leader.