Listen to this Post

Introduction:
In the evolving landscape of digital threats, a foundational governance error persists: conflating Information Security (InfoSec) with IT Security. This blurring of strategic oversight and technical execution creates systemic vulnerabilities, leaving organizations exposed despite investments in tools. Understanding and implementing this separation is not bureaucratic—it’s the bedrock of a resilient security posture.
Learning Objectives:
- Distinguish the strategic, governance-focused role of Information Security from the operational, technical role of IT Security.
- Implement practical, separated workflows for policy creation (InfoSec) and technical enforcement (IT Security).
- Identify and remediate the risks created by merging these distinct functions within an organization.
You Should Know:
1. The Strategic Architect vs. The Tactical Engineer
The core distinction lies in purpose. Information Security is a strategic, business-aligned function responsible for the “what” and “why.” It defines the security program’s goals based on risk appetite, regulatory requirements, and business objectives. IT Security is the tactical, operational function concerned with the “how.” It engineers and operates the controls that enforce the rules set by InfoSec.
Step-by-Step Guide: Establishing the Separation
- Define the Charter: Draft two distinct charters. The InfoSec charter authorizes them to set policy, assess risk, and conduct independent audits. The IT Security charter authorizes them to implement controls, manage security tools, and lead incident response.
- Organizational Structure: Place the Chief Information Security Officer (CISO) or Head of InfoSec outside of the IT department, ideally reporting to the CEO, CFO, or a board-level risk committee. The IT Security Manager typically reports to the Head of IT Infrastructure or the CTO.
- Process Design: Establish a formal “Policy-to-Control” workflow. For example, when a new data privacy regulation emerges, InfoSec drafts the compliance policy. This policy is then handed to IT Security to translate into specific firewall rules, DLP configurations, and access control lists.
2. InfoSec in Action: Crafting the Law
This function operates through governance documents and risk frameworks. Its tools are policies, standards, and risk registers, not firewalls.
Step-by-Step Guide: Implementing an InfoSec Control
Objective: Restrict unauthorized software installation.
- Policy Drafting (InfoSec): Create an “Acceptable Use and Software Policy” that states: “Only approved software listed in the corporate repository may be installed on endpoint devices.”
- Risk Assessment (InfoSec): Document the risk of unapproved software (malware, compliance violations, instability) and get business approval for the policy.
- Control Hand-off: Formalize the requirement and send it to IT Security for implementation. The requirement is: “Prevent execution of binaries not signed or from approved paths.”
3. IT Security in Action: Enforcing the Law
This team translates policies into reality. They manage the technical landscape, responding to the “what” defined by InfoSec with a “how” using technology.
Step-by-Step Guide: Enforcing the Software Policy (Technical Implementation)
Platform: Windows using Group Policy & AppLocker.
- Design the Rule Set (IT Security): Based on the policy, decide to use AppLocker with a “Whitelist” model.
- Create Rules (IT Security): In the Group Policy Management Editor (
gpedit.mscor via GPMC), navigate toComputer Configuration > Policies > Windows Settings > Security Settings > Application Control Policies > AppLocker. - Configure Rules: Create a new rule for executable files. Use “Publisher” or “Path” rules to allow applications from `C:\Program Files\` and `C:\Program Files (x86)\` and for specific signed publishers. Set the default rule action to “Deny.”
- Deploy and Test: Link the GPO to the appropriate Organizational Unit. Test on a non-critical machine to ensure approved software runs and unapproved installers are blocked. The command `Get-AppLockerPolicy -Effective` can be used to check applied policy.
-
The High Cost of Convergence: A Vulnerability Walkthrough
When one team handles both strategy and operations, critical gaps emerge. Imagine a scenario where the team managing the SIEM (IT Security) is also responsible for auditing its own alerts (InfoSec). This is a conflict of interest.
Step-by-Step Guide: Exploiting the Convergence Gap
How an attacker might leverage poor separation:
1. Reconnaissance: Attacker phishes an IT Security analyst.
- Lateral Movement: Using the analyst’s credentials, they access the SIEM console (`https://internal-siem.corp`).
- Covering Tracks: The attacker modifies or deletes the alerts generated by their own activities. Because there’s no independent InfoSec team auditing the SIEM’s log integrity or alerting rules, the breach goes unnoticed.
-
Mitigation Through Separation: With a separate InfoSec team, they would have “read-only” administrative access to the SIEM for audit purposes. They would run independent integrity checks, using tools like `osquery` on the SIEM server itself to monitor for unexpected process or file changes, ensuring the “police” (IT Security) cannot tamper with the “evidence.”
-
Building Bridges, Not Walls: The GRC & Engineering Handshake
Separation requires collaboration, not isolation. A Governance, Risk, and Compliance (GRC) platform often acts as the handshake point.
Step-by-Step Guide: Automating the Policy-to-Control Lifecycle
- InfoSec Creates a Requirement: In the GRC platform (e.g., ServiceNow, RSA Archer), InfoSec files a “Control Requirement” for encrypting data at rest in AWS S3.
- Automated Ticketing: The GRC system automatically creates a Jira ticket for the Cloud IT Security team, tagged with priority and policy reference.
- Implementation & Evidence: IT Security implements the control using AWS KMS and S3 Bucket Policies. They then attach the Terraform code and a CLI verification command as evidence to the ticket.
Verification Command (IT Security provides this) aws s3api get-bucket-encryption --bucket my-secure-bucket --profile prod
-
Audit Closure: The GRC platform notifies the InfoSec auditor, who reviews the provided evidence and closes the control requirement, completing the loop.
-
Cloud & DevOps: Where the Separation Becomes Paramount
In modern cloud environments, the separation shifts to “Cloud Security Governance” (InfoSec) vs. “Cloud Security Engineering” (IT Security). InfoSec defines the guardrails; engineering builds them into CI/CD pipelines.
Step-by-Step Guide: Implementing a Cloud Guardrail
Requirement: No S3 buckets can be publicly readable.
- Guardrail Definition (InfoSec): Mandate that all AWS accounts must have AWS Config rule `s3-bucket-public-read-prohibited` enabled and compliant.
- Infrastructure-as-Code Enforcement (IT Security): Embed this rule in the organization’s Terraform “account baseline” module, which provisions all new accounts.
Terraform snippet for AWS Config Rule resource "aws_config_config_rule" "s3_public_read" { name = "s3-bucket-public-read-prohibited" source { owner = "AWS" source_identifier = "S3_BUCKET_PUBLIC_READ_PROHIBITED" } } - Continuous Compliance (InfoSec): Use the GRC platform to pull compliance data from AWS Config monthly, generating reports for management without relying on the engineering team’s word.
What Undercode Say:
- Governance Drives Technology, Not the Other Way Around. A tool-centric security program, often born from merged roles, is reactive and full of gaps. A governance-first program, enabled by separation, ensures every technical control ties directly to a business risk.
- Independence is Non-Negotiable for True Assurance. The ability to audit and assess the effectiveness of security controls is compromised if the auditors are the same people who implement them. Separation provides the checks and balances required for mature risk management.
Analysis: The post correctly identifies a critical flaw in many organizational structures. The analogy of “Law vs. Police” is apt. In practice, this convergence often leads to “checkbox security” where the focus is on deploying the latest tool rather than solving business risk. The separation forces rigor: InfoSec must articulate requirements clearly, and IT Security must demonstrate measurable effectiveness. This dynamic is crucial for navigating complex regulations like GDPR or NIS2, where demonstrating due care requires clear documentation of this decision-making chain. Failing to separate these functions doesn’t just create operational inefficiency; it constitutes a fundamental governance failure that auditors and attackers are equally skilled at exploiting.
Prediction:
The increasing complexity of regulatory landscapes and the escalating cost of data breaches will force a formal separation of InfoSec and IT Security roles in all medium to large enterprises by default. This will be accelerated by the adoption of AI in security. AI-driven attack simulation and threat hunting will fall under IT Security’s operational mandate, while the governance, ethical use, and risk assessment of these same AI systems will become a core, and necessarily independent, function of Information Security. Organizations that maintain a merged model will find themselves unable to keep pace, both legally and technically, turning this structural best practice into a baseline survival requirement.
🎯Let’s Practice For Free:
IT/Security Reporter URL:
Reported By: Ouardi Mohamed – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


