
The 3 Pillars of IT Security: The Synergy Between ITSM, InfoSec & GRC

by David Mainville on

Many organizations are overly dependent on security tools to protect themselves from threats; proper IT security requires the combined efforts of ITSM, InfoSec, and GRC teams.

At Navvia, we speak with many organizations about their IT Service Management and Business Process Management programs.

We hear time and time again that the ITSM, InfoSec and GRC teams work in silos. This disconnect is a problem because each of these teams plays a crucial role in IT security - and they should be working together.

We're not the only ones saying this. Sources such as Gartner, Forrester, ISACA, and industry conferences have been saying for years that organizations are more focused on IT security tools than on the underlying processes and controls.

This focus on IT security tools is a problem because there are many examples of high-profile breaches where an organization had many security tools but failed to protect itself due to ineffective processes, poor communication, or lack of collaboration among teams.

IT security threats are on the rise, and with AI's looming impact, this will only get worse. Now is the time to get these teams working together to enhance your resilience against IT security risks.

The role of ITSM, InfoSec and GRC in IT Security

Everyone in your organization has a role to play when it comes to IT security, but the foundation rests on the three pillars of ITSM, InfoSec and GRC teams. 

  • ITSM owns the operational processes at the heart of IT security
  • InfoSec owns the technical controls, assessment, monitoring, and response to IT threats
  • GRC owns oversight and ensures compliance with regulatory and legal requirements

Let's take a look at each in more detail.

The ITSM Team and IT Security

IT Service Management (ITSM) is the original governance framework for information technology systems. While ITSM initially focused on basic IT operations and support functions, it has evolved to encompass practices and processes that support the entire service lifecycle — from strategy and service design to development, implementation, operation, improvement, and retirement.

Nearly every ITSM process and practice contributes to IT security!

Here are just a few examples:

  1. Well-managed IT Asset, Configuration, and Risk management processes help you IDENTIFY and track what needs to be protected.
  2. Robust Business Requirements, Software Development, Testing, Release, and Infrastructure management processes help PROTECT your organization from IT security threats.
  3. Monitoring and Event Management processes help you DETECT security threats before they cause significant harm.
  4. Incident Management and Problem management processes help you RESPOND to IT security threats by logging, responding, containing, and getting to the root cause of IT security incidents.
  5. The Service Continuity and Change Management processes help you RECOVER from IT security incidents.
  6. The Information Security Management process and Supplier Management process help you GOVERN through the establishment of an Information Security Management System.

ITSM processes provide a structured, repeatable, and governed method to achieve the IT security outcomes your organization needs for robust cybersecurity and risk management.

Check out our article on 5 Ways IT Service Management - ITSM Enhances IT Security for more information.

The Role of the InfoSec Team

As the primary champions of IT security management, Information Security (InfoSec) teams play a vital role in protecting the company's IT assets. The problem starts when they are overly focused on IT security tools.

Let's take a look at the InfoSec role in more detail.

InfoSec teams are instrumental in identifying and evaluating potential risks to IT systems and data using their expertise and external threat data. This risk identification requires them to work closely with the organization's Enterprise Risk Management process and GRC team.

The InfoSec team is also responsible for developing the company's Information Security Management System (ISMS), built on a framework such as the NIST CSF or ISO/IEC 27001, which guides the development of the processes, policies, procedures, and controls for effective IT security.

On the technical front, InfoSec conducts penetration tests and vulnerability scans and implements technical controls for Identity and Access Management, Network and Endpoint Security, Application Security, and Physical Security. These technical activities require close cooperation with the ITSM team, since the findings turn into changes, releases, and configuration updates that ITSM processes carry out.

Monitoring and responding to IT security threats is another key responsibility of the InfoSec team. Staying alert to IT threats also requires them to work with the ITSM team to implement processes like Monitoring & Event Management, Incident, and Problem Management.

InfoSec also plays a crucial role in promoting security awareness throughout the organization — their expertise is essential in creating training.  

The wide variety of tasks handled by the InfoSec team highlights the importance of working closely with the IT Service Management and Governance, Risk, and Compliance teams.

The GRC Team

While the ITSM and InfoSec teams play a more operational role in IT security, the GRC team oversees and ensures compliance with legal and regulatory requirements.
  • Governance: The GRC team helps establish the controls that guide the company's security and risk management efforts, validating them with audits.
  • Risk Management: The GRC team stays on top of developing legal and regulatory standards such as GDPR, HIPAA, FISMA or SOX, assesses how they change the company's risk exposure, and continuously monitors for compliance to help the company remain compliant and avoid penalties.
  • Compliance: Ensuring adherence to legal and regulatory standards, such as GDPR, HIPAA, and PCI-DSS, is a critical function. The GRC team continuously monitors compliance, develops necessary documentation, and helps prevent legal penalties.
  • Collaboration: By working closely with InfoSec and ITSM teams, the GRC team gains a wide view of security, ensuring that policies reflect operational realities and adequate controls are in place.

In summary, the GRC team's role is crucial in integrating governance, risk management, and compliance, ensuring that the organization operates within legal frameworks while supporting the operational efforts of ITSM and InfoSec teams.


The Synergy between ITSM, InfoSec and GRC in Supporting IT Security

Each team plays a unique yet complementary role in safeguarding an organization's information assets.
When these teams collaborate effectively, they create a cohesive security framework that meets operational needs and aligns with regulatory requirements.

ITSM provides the structured processes and frameworks for managing IT services, ensuring operational functions run smoothly.

Meanwhile, InfoSec protects these services from cyber threats through risk assessments, technical controls, threat detection, and incident response.

The GRC team, on the other hand, oversees compliance with legal and regulatory standards, offering strategic guidance on risk management.

Improve Collaboration with a Cybersecurity Risk Assessment

Based on our experience, an IT security assessment is one of the best ways to promote collaboration between cross-functional teams. 

Not only is there the benefit of identifying gaps, but it also forces these teams to work together to identify them.

The assessment allows each group to see IT security through the other's eyes, which helps build empathy for the other's situation and a closer working relationship.

We recommend an assessment that combines desired security outcomes, such as those defined by the NIST Cybersecurity Framework, along with an ITSM maturity assessment of the supporting processes.

This type of assessment lets you know if you are focused on the proper security outcomes (e.g. NIST CSF) and have the ITSM processes to sustain them.

One effective assessment option is Navvia's Cybersecurity Risk Assessment, designed to provide actionable insights and help organizations enhance their security posture through collaborative engagement among ITSM, InfoSec, and GRC teams.

By working together, the ITSM, InfoSec, and GRC teams deliver the ultimate in IT security management, safeguarding your organization against financial, operational, legal, and reputational damage.
