Tech Intelligence: What’s in a name?

This article was originally published on NJBIZ and was written by Joshua Weiss, TeliApp’s CEO.

Whether you’re supporting a public or private organization, communication is always the most important ingredient in any meaningful, long-term relationship. So, when large prospective clients start explaining to me that they don’t need their own information security department because “oh, yeah, our IT department handles all of that security stuff,” I feel compelled to explain to them the differences between information security (aka “infosec”) and information technology. It starts with a history lesson.

Joshua Weiss is the CEO of TeliApp, a New Jersey-based technology firm founded in 2012. TeliApp works with local government organizations to deliver both cybersecurity employee awareness training, and on-site cybersecurity defense services.

It is true that, “back in the day,” employing security measures to protect digital infrastructure was the responsibility of the Information Technology department. Every IT professional would develop, deploy and periodically review security parameters that met the needs of their organization, taking into consideration leadership’s risk appetite and any budgetary constraints. And for the most part, with few exceptions, things remained pretty static.

Information security has developed into its own distinct discipline. In fact, even within information security, no one person in the organization is expected to fill every role. On the contrary, a modern infosec group that supports a large organization may (and should) have a chief information security officer, a compliance officer, an auditor, a system administrator, a network engineering and security group, and even a full-time penetration tester.

Let’s review these critical roles:

  • The CISO is both a technical security officer and senior analyst and is the official who heads all information security management, compliance and operations.
  • The compliance officer manages legal and risk mitigation responsibilities, such as contracts, insurance and incident response.
  • An auditor ensures that technology operations are consistent with compliance and regulatory requirements of the organization and the industry.
  • The system administrator oversees the daily operations of security efforts, including device setup and maintenance, deploying security patches on all devices, as well as employee training.
  • The network engineering and security team designs the network architecture, develops and implements intrusion prevention mechanisms, performs threat intelligence and analysis, and defines and enforces the network boundaries that limit the organization’s attack surface.
  • The penetration tester performs authorized testing against the environment to discover vulnerabilities and the attack paths an adversary could actually use.

These essential personnel are critical to the success of any infosec group. Smaller organizations that do not have the need or the budget to employ the above personnel either hire an information security vendor who does, for a more affordable fee, or choose to hire a smaller in-house group with the same responsibilities.

So what?

So why can’t an organization simply give those responsibilities to the IT department? What is the actual difference between IT and cybersecurity? The first thing to explain is the two teams’ priorities, and how assigning cybersecurity roles to an existing IT department (and likewise assigning IT responsibilities to an infosec group) creates conflicts of interest that open the door to disastrous, cascading consequences, up to and including the dreaded ransomware attack.

The IT department’s primary concern is ensuring that the organization’s employees are as productive as possible. This means ensuring that an employee’s assigned computer and other equipment are sufficient for that employee to perform their responsibilities effectively and efficiently. Infosec’s primary concern is ensuring that those employees use that equipment safely, so that it stays within the scope of the organization’s security parameters. These two different priorities, when assigned to the same people or team, create an obvious conflict of interest: the team that is measured on keeping users productive is also the team expected to restrict what those users can do.

When I explain to leadership the differences between IT and cyber, I like to parallel those roles to something that may be easier to understand. I compare the responsibilities of an IT team to that of executive concierges in a building, ensuring smooth productive operations and basic security, such as locking and unlocking doors, routing packages to the correct destination and making certain that guests only have access to authorized locations within the building.

Infosec professionals, on the other hand, are akin to armed security guards, trained to deter and ultimately defend against serious security threats and breaches. Just as a building concierge would not be on the frontlines defending against an armed assailant, so too an IT team member is not the ideal candidate to defend against cybersecurity threats.

Another common misconception is that the IT department’s primary role is desktop support, basic troubleshooting and setting up workstations. This is not the case. Just as cybersecurity has emerged as its own distinct discipline, so too IT has significantly evolved and become a much deeper discipline than it was in the past, paving the way for many subspecialties within IT.

Depending on the specific needs of the organization, your IT department may be overseeing network infrastructure design and optimization, helping develop disaster recovery and business continuity planning, auditing systems to ensure compliance and governance requirements are met, overseeing cloud infrastructure and its management, enabling and monitoring system integrations, monitoring performance optimization, and the list goes on.

And of course, both IT and infosec professionals must spend a significant amount of time continuing to obtain valuable certifications so that they can always be at the forefront of their respective fields, spending any potential “downtime” researching new technologies.

Better together

A client once used the term “digital surgeons” to describe a scene in which she observed an IT and infosec team working together in unison to eliminate a cybersecurity threat and restore operations with surgical precision. The IT team rapidly isolated the affected systems and restored them from clean backups, while the infosec team analyzed the attack vector, identified the vulnerability that had been exploited in an email server and implemented policies to block further intrusion.

The collaboration allowed continued operations, with reinforced defenses. Both teams’ expertise – IT’s technical agility and infosec’s adversarial insight – turned a potential catastrophe into a case study in resilience. This term “digital surgeons” resonated with me because in the medical field there are also many specialties and subspecialties, wherein multiple team members frequently work in unison to achieve a successful outcome.

In today’s digital age, the sheer volume of data, complexity of systems, and evolving threat landscape make it impractical to combine IT and InfoSec roles. Their responsibilities require distinct expertise and close collaboration. Both are absolutely critical to any organization’s short- and long-term success, yet their respective highly specialized and differentiated functions must be recognized to ensure organizational resilience.
