From IT to Cybersecurity – learnings from a former IT Manager
One could say that “yesterday's life causes problems for today's activities”, and that we as IT and security professionals strive to get that important step ahead of cybercriminals. There are a multitude of reasons for this gap, differing from organization to organization, but can we agree that we as professionals are partially to blame? Here's my story and why I think there's hope for the future of both the IT and the cyber professional.
Written by Jonas Berggren, Information Security Consultant @ Combitech
The sun sits high in the sky and the thermometer shows 29 degrees for the seventh day in a row. It is summer and the year is 2007. The front door is open, and the alarm is constantly beeping because a hose has been pulled from outside, via the stairwell, down to the server room where the cooling (AC) is broken. So now the server room is cooled, as best it can be, with a giant fan dating back to the Early Bronze Age, i.e. a temporary solution until the cooling technicians replace the broken unit, which had been promised for the following week.
The alarm that should have notified the on-call property technician that the server room temperature was rising turned out not to work. It later emerged that the person on duty had changed their phone number, and that change had never been configured in the server room thermometer. Maybe not so clear who was to blame for this, but it resulted in both the firewall and the file server crashing. Or, as the expression was at the time, FUBAR.
Enter the IT manager, i.e. the undersigned, with the brilliant idea to take care of and upgrade the server park to a greater extent than just the de facto broken cans. It is important to strike while the iron is hot, as the saying goes. A formal complaint was submitted for further processing higher up in the organization.
To my surprise, getting attention at the top was less of a problem than I had thought, so maybe I should have asked for even more. But in the end, the IT unit was happy with the money bag. Once again, IT had gotten its way. What I didn't know then was that this was to be a turning point.
Let's go even further back in time. Many of you probably remember the millennium bug. Great resources and efforts were put into securing systems to prepare for the transition from 1999 to 2000. For most, the change was an anticlimax. New Year was celebrated, and everything was as normal. However, what was more standard practice then, and not so much today, was that IT controlled and provided everything related to IT.
IT policies, IT strategies and IT security programs were created everywhere. Network products, servers and software were purchased from IT, and the latest trend was to integrate email and calendar functions with your telephone. This was also the first real sign of life from the users. They wanted this function, and the telecoms industry quickly adjusted and arranged for tailor-made solutions. IT, of course, still decided what was allowed to run in their environments.
This rapid development reached a milestone when Steve Jobs launched his iPhone in 2007. Users’ wishes transformed to requirements and IT across the country started to sweat.
Naturally, most IT departments wanted nothing to do with the iPhone. It didn't work in the IT environment, it was far too expensive, and so on. We all know how it turned out: the iPhone won (or end-user value won), and with it the golden era of the IT Manager (as a central part of the management team) was over. Which takes us back to that hot summer day and the server crash and burn.
You see, one of the reasons the servers were so appealing was precisely that they would support integration with the iPhone email server. And with this, the digitalization journey had begun (although we didn't know it at the time).
This is just one example of the difference in how IT was used then and now. There are many other examples that combined illustrate that yesterday's life causes problems for today's activities. This is even clearer to me now, after 20 years as an IT Manager, as I have moved diagonally to the field of information security.
Whatever assignments I carry out in my new role, I find traces of my previous decisions acting as brake pads, preventing the smooth flow of information security within the organization. So, at the risk of being banned for life from the National Confederation of IT Managers, I want to send a message to my ex-colleagues: IT cannot act as it did at the turn of the millennium and decide the organization's IT support needs on its own. Neither should the cybersec team regard IT as cowboys (or cowgirls) with no concern for risk. There is a need for an open dialogue between the two camps, and they must address the organization together. Because history has shown us that only those who collaborate can limit the damage when attacked.
The organization cannot point to whomever or whatever they want, or blame the “stupid IT unit” or the “difficult-to-work-with infosec team”. The organization's information security (and IT operations) is not owned by a single entity; we all manage it together.
That invention of 2007 had a remarkable effect and made consumers happy (as they now had the iPhones they did not know they needed). It also made communication much more secure; even those of us who at the time just loved open-source solutions (read: me) must admit that this is true. You could say that we achieved a “new degree of cyber security awareness” (as I said, I am very open-minded) when we all worked together.
And what about the crash? Well, the new server was top of the line. Best of the best. And it had a long, healthy, and good life. After twelve years of loyal service, it retired with honor (yes, it's irony; twelve years for a server is not recommended, but that story is for another day...).