The Role of IT
The role of IT in your organization is not just to keep your computers up & running. Making sure your devices are secure is an important part of the job too.
They can't do this on their own. It takes support from upper management: proper staffing, official policies & procedures that promote good security, user education, etc.
Two things IT departments need to deal with on an ongoing basis are applying patches and remediating vulnerabilities. The two can overlap, but they have very different purposes.
Patches and Updates
Some software can update itself automatically (e.g. Windows, anti-malware software, etc.), but a lot of software has no automatic update functionality, and there are plenty of good reasons why a vendor might not offer it. This means your IT department needs to know what software the organization runs and actively monitor each of those vendors for updates.
Patches come out for lots of reasons: to add a new feature, fix a bug, correct a vulnerability, etc. When a new patch becomes available, your IT department needs to read up on what it does and act accordingly. If the patch simply adds a new feature, that's one thing; if it addresses a vulnerability, that's something else. Your IT department needs to look into the specifics of the vulnerability (what it exposes, whether the affected software is reachable by an attacker, whether it is already being exploited) in order to prioritize the patch. Some patches can be installed live without any loss of service; others require a reboot or other activity that interrupts service temporarily. Weigh the potential cost of not applying the patch against the downtime, and schedule the update accordingly.
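Monitoring vendors for patches starts with knowing what is installed. The following PowerShell is an added example, not code from the original post: it builds a per-host software inventory from the Windows Uninstall registry keys, lists installed OS hotfixes, and summarizes the distinct publishers, which is the list of vendors IT has to watch. It assumes a Windows host, a local administrator session, and the output paths shown (the paths are an assumption for the example).

```powershell
# Added example: build a software inventory from the Windows Uninstall registry keys
# so IT knows which vendors to monitor for patches. Not from the original post.
# Assumes: a local administrator session on a Windows host; the CSV output paths are
# an assumption for this example.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$inventory = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |                 # skip registry entries with no product name
    Select-Object @{ n = 'Host'; e = { $env:COMPUTERNAME } },
                  DisplayName, DisplayVersion, Publisher, InstallDate |
    Sort-Object Publisher, DisplayName -Unique

# Installed OS updates (hotfixes) on the same host, so both lists can be reviewed together
$hotfixes = Get-HotFix |
    Select-Object HotFixID, Description, InstalledOn |
    Sort-Object InstalledOn

$inventory | Export-Csv -Path "$env:TEMP\software-inventory-$env:COMPUTERNAME.csv" -NoTypeInformation
$hotfixes  | Export-Csv -Path "$env:TEMP\hotfixes-$env:COMPUTERNAME.csv" -NoTypeInformation

# Each distinct Publisher is a vendor whose security advisories IT needs to follow
$inventory | Group-Object Publisher | Sort-Object Count -Descending |
    Select-Object @{ n = 'Vendor'; e = { $_.Name } }, Count |
    Format-Table -AutoSize
```

Run it from a scheduled task or your management tooling on every host and merge the CSVs; software that appears in the inventory but has no owner on the vendor-monitoring list is the gap to close.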
Some vulnerabilities can't be fixed by applying a patch. They require some kind of setting/configuration change, because the root cause of the vulnerability isn't a flaw in the software/hardware; it's a flaw in the configuration. Some products ship with a default configuration that is intended to make them more flexible or easier to use. Some default settings are intended to be changed by the administrators. Whatever the reason, some configuration settings create vulnerabilities and should be changed.
Take the example of weak passwords for users on a Windows Domain Controller. This is a vulnerability, but there's no patch or update that can be applied to fix the situation. It requires changing the configuration so that passwords must meet various limits, such as minimum length, complexity, reuse (history), etc.
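Here is what that configuration fix looks like in practice, as an added example that is not code from the original post. It audits the domain's default password policy against a set of required minimums, reports each gap, and shows the corrected settings being applied. It assumes the ActiveDirectory RSAT module and a domain admin session; the threshold values are illustrative assumptions standing in for whatever the organization's written policy requires, not a recommendation from the original page.

```powershell
# Added example: audit and correct the default domain password policy.
# Not from the original post. Assumes the ActiveDirectory module, a domain admin session,
# and that the limits in $required have been approved by management policy (the numbers
# are illustrative assumptions for this example).
Import-Module ActiveDirectory

$domain = (Get-ADDomain).DNSRoot
$policy = Get-ADDefaultDomainPasswordPolicy -Identity $domain

# Minimums the organization's policy requires (assumed values)
$required = @{
    MinPasswordLength    = 14
    ComplexityEnabled    = $true
    PasswordHistoryCount = 24     # previous passwords that cannot be reused
    LockoutThreshold     = 10     # failed attempts before lockout; 0 means never lock out
}

# Compare the current policy with the required minimums and collect every gap
$gaps = foreach ($setting in $required.Keys) {
    $current = $policy.$setting
    $ok = switch ($setting) {
        'ComplexityEnabled' { $current -eq $required[$setting] }
        'LockoutThreshold'  { ($current -ne 0) -and ($current -le $required[$setting]) }
        default             { $current -ge $required[$setting] }
    }
    if (-not $ok) {
        [pscustomobject]@{ Setting = $setting; Current = $current; Required = $required[$setting] }
    }
}

if ($gaps) {
    $gaps | Format-Table -AutoSize
    # Apply the corrected configuration. -WhatIf previews the change; remove it to apply.
    # LockoutObservationWindow must not exceed LockoutDuration.
    Set-ADDefaultDomainPasswordPolicy -Identity $domain `
        -MinPasswordLength 14 -ComplexityEnabled $true `
        -PasswordHistoryCount 24 -LockoutThreshold 10 `
        -LockoutDuration (New-TimeSpan -Minutes 15) `
        -LockoutObservationWindow (New-TimeSpan -Minutes 15) -WhatIf
} else {
    "Default domain password policy for $domain already meets the required minimums."
}

# Fine-grained password policies override the default for the users and groups they
# target, so a weak PSO can undo the fix above; list them as part of the same audit.
Get-ADFineGrainedPasswordPolicy -Filter * |
    Select-Object Name, Precedence, MinPasswordLength, ComplexityEnabled, AppliesTo |
    Format-Table -AutoSize
```

Note that the corrected values only take effect for passwords set after the change; existing weak passwords stay in place until users are required to change them, which is exactly the kind of requirement that needs a management-backed policy behind it.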
Some configuration changes can be made by your IT department without any input from management, because those changes do not affect users in any way. Other changes (like rules about passwords) cannot simply be imposed by IT. They require support from upper management in the form of policies that require users to conform to certain behaviours.
Examples would be setting up password requirements, or filtering/monitoring web activity because certain things are disallowed by company policy. These kinds of changes can't be made solely by your IT department. They need an official policy that explains to staff what is being done and what is required of them.
The role of IT is to help keep the equipment in your company running smoothly. It is the role of the company to keep the IT department running smoothly. This can mean more equipment, staff, training, policies, etc. It's a two-way street, and IT can't do their job properly without management support.