Skip to content

The Chasm between IT and Cybersecurity

Perception is reality in the eye of the beholder

According to a recent article in the WALL STREET JOURNAL, “Half of all IT executives do not tell their Board the truth about breaches… Companies often don’t realize they have been hacked for weeks or months after the fact and in some cases only learn they havebeen breached after being notified by law enforcement. Even then, it’s often difficult for CIOs and their security teams to determine the extent of a cybersecurity breach, let alone figure out how to fix the problem. But that’s not the kind of news that chief executives and boards of directors want to hear, especially after they’ve given IT large budgets to deal with the issue, which goes a long way towards explaining why IT executives obfuscate the truth.”

Seemingly overnight, cybersecurity has evolved from an important enterprise function into a mission critical issue that affects almost every aspect of business and information technology.  The biggest challenge of cybersecurity is the quickly and constantly evolving nature of the various security risks themselves.

Getting a handle on the current environment – including cyber-attacks, employee access, and choosing the right technology tools – is heaping additional pressure on already overwhelmed IT departments.  A data breach is not a matter of if, but when.  With all the ramifications of a data breach, cyber security is much more than an IT issue – it is a Board issue.

IT does not embrace cybersecurity; cybersecurity is counter to what drives IT.  What I mean by this is that IT is measured and motivated to deliver “availability,” up-time, performance and controlled costs.  Cybersecurity has other goals; protecting digital assets, serviceability of the network and protection of clients, employees & stakeholders.  Cybersecurity is inversely related to availability and performance.  The trade-off between performance and security is illustrated by credit card chip & pin technology (slow) versus the magnetic strip (fast).

The C-suite views security like quality; senior executives talk the talk but do not walk the talk; it is expensive to do e.g. time, money, resources. Yes, both impact performance. Only when a fire breaks out, do quality and security get the attention, e.g. Michael’s.   If everyone does a good job, then the executives ask why they need to put money into quality and security when they  can get a much better return on the dollars by investing it into additional functionality where we can make more money.

It’s the same with developers of software and hardware; they develop to deliver availability, up-time, performance and controlled costs.  Although security is considered, it’s not a priority.

Many CIOs don’t want any outside assistance, because they think they have total control of security and don’t need any help and they use as an excuse that they don’t have the budget for an outside firm.  Avivah Litan, an analyst with Gartner Inc. who specializes in cybersecurity, says “CIOs are scared to death of losing their jobs.  People are defending what they have done and all the money they havespent on cybersecurity tools.”  They feel threatened if an outside firm finds something they were unaware of related to their security approach.

Some CIOs don’t place importance on security because they either think their immune to outside threats and in some cases inexperienced CIOs who are putting their company at risk.  Compounding the problem is that many business leaders simply do not understand the cybersecurity risk.

Often times politics get in the way.  How to identify, quantify, and mitigate cyber risks are questions often left to the “techies” in the company. Executives believe that they have hired the right management team, and they in turn have hired the right people to manage cybersecurity risk.

It is a fact that cybersecurity will never be “solved” but will be “managed.” To deal with the current environment, advisory organizations such as the National Institute of Standards & Technology (NIST) and the Gartner Group are promoting a proactive approach to protecting digital assets.  Both recommend an “eyes on” approach as the only way to be one step ahead of hackers along with using outside experts to augment internal skills.

CIOs don’t realize that if they have a breach they are vulnerable and don’t think that they need some other eyes on their security strategy and how they deploy it. Target is a good example; although they were getting notices from their threat prevention platform, they did not have the skill sets in-house to interpret the messages.

I have not found the magic approach that gets all C level folks in a company to sit up and take notice, except fear, e.g. Target, Neiman Marcus, Michael’s and Sally Beauty.

In conclusion, cybersecurity is a business issue and far beyond a technical issue. The cost of utilizing an outside resource to validate your security strategy and operating environment is minimal compared to costs associated with remediation and the consequences of theft of personal information, fraudulent financial transactions, or the theft of pre-patent technology. And last but not least, the reputational damage to their companies.  Cybersecurity overlaps with IT; it is a unique function and should be owned by the CEO.


About the Blogger  @TomHulsey

Tom’s passion is leveraging technology to make the world a safer place. Focusing on the intersection of public safety, technology and information, Tom uses his insights and ability to dig in to where actual customer benefits lie to approach the rapidly changing technology landscape. In an evolving marketplace, his focus is always on what any technology actually provides the business. His strengths include his ability to relate with senior management and serve as a critical resource. Evidenced by his commitment to excellence and zeal for security and safety technology, Tom has earned a reputation as a sophisticated and ethical client advocate and effective sales executive. His passion is further illustrated by his involvement with the North Texas Crime Commission (Cybercrime Committee secretary), ASIS (technology chairman), FBI Infragard and ASIS Information Technology Security Council. Tom is a graduate of the FBI, Plano Police, DPS, and District Attorney Prosecutor Citizen Academys.


SWAT School Realty TV Show


Tom “Spinner” Hulsey with Producer Eric Troy

Teaser –


District Attorney’s Citizen Prosecutor Academy

District Attorney's Citizen Prosecutor Academy

Graduation – District Attorney’s Citizen Prosecutor Acadmey; with Collin County District Attorney Greg Willis

Passion – The Difference Maker

In today’s economy – a sophisticated economy increasingly based on design, thinking work, proprietary creativity, and the ability to grasp and apply complex intellectual abstractions – the need is greater than ever for those who can… think.

And thinking work is different from the typical jobs of even a generation or two past. A steel mill manager, a radio set salesman, or a train operator could measure their success in physical quantities: how much steel poured, sets sold, or tons shipped.

In an information economy, on the other hand, the measures of success are increasingly intangible. The iPod was better than other MP3 players not because it had more, but because it had fewer buttons and features – the right buttons and features for music on the go. A restaurant chain displaces a competitor because it feels more (or less) like home. A shoe company thrives because it gives away half the pairs that you buy. Even vacuum cleaners, cars, and backyard grills are made, marketed and sold in ways that were inconceivable in the last century.

The “difference maker” is the employee (“partner”) with a passion for the business. A zeal for the industry. An excitement, an enthusiasm, a zest for the art, and the craft, and the science, of what makes a company in the field succeed.

Finding people who can make those decisions well, and then execute on those decisions, is difficult for bosses.

They have to figure out who is going to understand the customer better, the manufacturing process better, the marketing better, the interface better, and so on.

And what bosses have discovered is that somebody who is passionate about the business is a better employee (“partner”) and a better professional to work with.

Because somebody who is passionate is inherently motivated, and internally driven to succeed, they try harder to find answers. They think up clever stuff on their own. They enjoy the business, and the customers, and the industry so much that they’re always discovering new things or perceiving additional ways that the business could succeed.

In short, passionate people are better employees (“partners”) because they care more than dispassionate people.

Ironman Canada 2011 – “It’s not whether you got knocked down; it’s whether you get back up.” (Vince Lombardi)

IM Canada was the toughest of my seven Ironmans, but the most rewarding. IM is a metaphor for life – all the ups and downs; and how you choose to deal with adversity.

This race threw everything at me; bloody nose (kicked in the swim), bee sting on the bike, 3 aid stations on the bike not having water, including the first station (I knew this would come back to haunt me on the run as it was 94 degrees) and other assorted issues with the bike aid stations. I was fortunate, though, that I did not have to deal with a flat. I have never seen so many flats in my life. Subsequently, I learned that someone threw tacks on the course.

A quarter of a mile into the run, my right hamstring cramped – I knew I was in trouble! At mile 9 on the run, I really did not think I could finish. It was at that point that it went from being a race to somehow getting to the finish line (I refused to have a DNF after my name). I was totally dehydrated. I don’t know if it was because of being dehydrated or the bee sting, but my stomach was doing summersaults; I was afraid to eat. So, it all culminated with a 90 minute visit to the medical tent after the race.

Not just the fact the aid stations ran out of water, but the bike aid stations at this IM were the worst I have ever seen. After bike aid station #4, my strategy went from proactive hydration to conserving liquids. Stunning for a race that has been around for 30 years. I never expected this. This is unfortunate because this is such an incredible venue and great community support. Lauren and I fell in love with Penticton and surrounding area; BC is gorgeous!

FYI, this was the largest IM ever – 2841 started. This made for a very interesting swim! Who said swimming is not a contact sport?!

Life is not a Spectator Sport,