Balance: Operational IT <-> IT Security <-> Data Protection

Weight distribution – basic concepts

Crises like Covid-19 are forcing companies to rethink their processes and adapt their IT structure to these processes. Companies need to maintain a balance between the different functional areas within their organizations. The specialist areas discussed here involve providing technical support for the execution of business activities (operational activities – IT), protecting the personal data of customers and employees (data protection) and, at the same time, ensuring that the IT infrastructure required for this purpose is adequately protected on an individual basis (IT security).

Applied corporate practice often consists of maintaining operational business through the use of “operational” IT. In this context, the implementation of data protection is now regarded as a legal requirement and, although perceived as a nuisance, is mostly implemented through appropriate staffing. The constant loser in this process is the area of classic IT security.

Structures are often set up in such a way that the “IT” area takes care of all three areas with joint responsibility. Historically, legal requirements, such as data protection, were often pushed to the “IT specialists” by company management. From today’s perspective, such a blending of the different areas turns out to be unwise. To understand this, one must look at the objectives of the different areas.

IT operations -> execution of business operations IT Security -> Security of the IT infrastructure Data protection -> protection of personal information

The cornerstone is always the general use of IT-based systems to carry out the company’s purpose. The focus here is on achieving corporate goals. Here, solutions are sought and implemented that enable the company’s work and, if necessary, make it more efficient. In a hypothetical optimal environment, the operational units of the IT structure are free to develop and can support corporate processes according to current technical possibilities. This should be the focus of an active innovative IT department. In contrast to this, IT security and data protection are in some way opposed; for a simplified view, I will leave financial aspects out of the equation at this point.

The main task of IT security is to ensure that the systems operated in the operational business are not stopped or manipulated by external influences. In this context, it is important to be familiar with the current state of the art in the industry and to implement it accordingly. Legal requirements often play only a subordinate role here for the time being. Although there is an increasing number of legal standards today, these are mostly limited to certain industries (e.g. critical infrastructure, healthcare, etc.). In addition, there are regulations in the area of trade secret protection, but these allow for entrepreneurial leeway and are probably more relevant among the companies themselves.

Data protection, on the other hand, is today based almost exclusively on narrowly defined legal requirements, which must be complied with under penalty of mandatory sanctions. The sensitivity with which personal data is handled means that compliance is demanded not only by government controls, but also by the individuals concerned themselves. Often, violations of these requirements are “easy” for public authorities to trace, and sanctions can follow immediately and with considerable financial consequences.

The balancing act

Corporate management has the task of deciding, among other factors, on a risk-based basis how to deal with the weighting of the fields of work outlined here in schematic form. This often leads to the following reasoning and result:

Operational IT is provided with the minimum strength necessary to keep the required IT processes in operation for support. In addition, operational IT is entrusted with the task of testing the feasibility of new procedures and implementing them if necessary. Due to the increased risk assessment in the area of data protection as a result of the GDPR, regulations have been implemented in most cases to ensure that all new procedures are properly documented and that information can be provided quickly to those affected. Often, IT security is carried out in a staff unit with operational IT due to lower legal relevance, and complete ignorance of operational risk. – The picture is, of course, somewhat exaggerated and abbreviated.

The problems here present themselves quite obviously: An area of IT that is responsible for “keeping things running” is not suited to enforcing analyses regarding the security of individual applications and processes. The objectives of these areas are fundamentally contradictory. Moreover, the setup is not only questionable in terms of security, it also has the effect of slowing down innovation. When new projects are introduced, too often the thought is “we can’t do that because, …”. So IT departments often become “preventers” instead of “inventors.” Most technical solutions today can be implemented with the right approach and compromise. However, this requires a “ball game” between the IT, IT security and data protection players on the same technical level. By merging the areas, the respective “core competence” of the technically conclusive person responsible is often placed in the foreground.


In my opinion, this leads to a significant slowdown of innovative solutions in most companies. It is not the task of the specialist departments to make these decisions and considerations conclusively and to anticipate them for the decision-makers. A modern digital enterprise must have these decision-making competencies at the highest level. At the END, there is an entrepreneurial decision as to which weighting is selected. This can be very individual from application to application. However, it must always be made consciously and with knowledge of all circumstances. This is only possible by neutral independent reporting of the different departments.

The goal remains the achievement of entrepreneurial success while complying with the legal framework and taking calculated risks. – It is important to maintain a balance.

Comments are closed.