Have you ever seen the show The IT Crowd? It was a British comedy series set in the offices of fictional Reynholm Industries. In this series, a prospective employee Jen puts on her CV that she has “a lot of experience with computers” and lies her way through a job interview getting the job as the head of the IT Department. In the IT department, it quickly becomes apparent that she doesn’t know the first thing about computers. Hilarity ensues.
This series has become an excellent caricature of the modern business world today. So many of us that got a start in IT didn’t start off looking for a job in IT. Rather, it’s because we understood technology better than the rest of the group that we became the designated tech guy, the guy that solved the problems when things didn’t work. Many IT professionals are pigeonholed in that role, not intentionally seeking it.
I remember my first exposure to SharePoint. I was asked to design a complicated SharePoint site and workflows for collecting data for an organization. They sat me down in a conference room and explained everything they wanted me to create and told me I had until the end of the month to build it. I told them I was happy to look into it, but I wanted to get some SharePoint training to help me figure it out and asked if there was budget for me to get what I needed. The response was, you’re a smart guy, you’ll figure it out, and no training was offered. No guidance, nothing but an admin login and a pat on the back saying you can do this. And the sad thing is, I don’t think this experience is unique in IT. I am sure many of you reading this are nodding your head and laughing because it happened to you or to someone you know.
A disconnect at the top
There is a real disconnect between leadership and what is perceived as IT, and it isn’t imagined. In a 2025 board effectiveness survey published by Harvard Law School, 94% of CEOs rated their board’s effectiveness as good or excellent, and 72% of CFOs rated their boards as good or excellent, while only 21% of CIO/CTOs did.
I think a big reason for this disconnect is the technical complexity of the field. The best analogy I can think of is the field of medicine. In medicine, you have a wide variety of expertise and roles: nurses, doctors, surgeons, pharmacists, and within each of those roles many further layers of specialties and focuses. A brain surgeon is very different from a heart surgeon in what they need to know and the type of operations they need to perform. Still, for any of us uninitiated on the outside, medical is medical and we group it all together. If we have a problem and we start feeling sick, we’ll even ask the vet for advice on how to treat what is wrong with us. If someone has any kind of medical experience or training, they become the resident expert for everything even remotely related to that field. It’s the same frustration that software engineers face when asked to help with hardware issues, or SOC analysts being asked to hack into someone’s social media accounts. Some things generally apply, but too many times we are using the screwdriver as a hammer and are disappointed that our experience isn’t as smooth as the next guy’s, who is using the right tool for the job.
The logic feels airtight
Cybersecurity seems like an IT problem. It deals with computers and technology, so it gets lumped together with IT and checked off the list. My IT team handles my technology. Security is a technology concern. Therefore, my IT team handles security. The logic feels airtight, but are we missing something?
The paper and the editor
The best way I can translate this issue to plain-speak would be to compare IT to writing a paper and cybersecurity to reviewing it. The complexity of modern IT is not a one-page memo. It’s a technical dissertation. There are hundreds of configurations, thousands of permissions, constantly changing vendor landscapes, and threat surfaces that shift daily. No one writes a dissertation and submits the first draft without review. Not because the writer isn’t talented, but because the process demands a second set of eyes.
Whenever I review my own work, I always miss things, and it’s not just me. It’s human nature. You don’t see your own mistakes. Not because you’re careless, but because your brain fills in the gaps. You read what you meant to write, not what you actually wrote. The more time you spend with the document, the worse it gets. You’re too close. That’s not a flaw in the writer; it’s how the human brain works. It’s why every serious publication has editors, why every academic paper has peer reviewers, why every set of financial statements has auditors.
IT builds the systems. They configure them, deploy them, maintain them. And they’re good at it. But you are also expecting them to get it all right, 100%, the first time, without giving their work any review. They are going to read what they intended to build, not necessarily what they actually built. They’ll look at the firewall they configured and see the policy they meant to enforce. A second set of eyes, especially independent eyes whose job is specifically to question everything, sees the rule that is too permissive, the port that shouldn’t be open, the access that was granted temporarily and never revoked.
And just as a published paper goes out into the world to be digested and its mistakes picked at and torn apart, if you don’t have your IT work reviewed, the independent eyes of hackers are waiting to review that work and pick away at it and pull it apart as well.
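As an added illustration of what that independent review looks like when it is automated (example code written for this page, not code from the original post), the script below runs a "second set of eyes" over a firewall policy and reports exactly the three things the paragraph above says a reviewer catches: the rule that is too permissive, the port that shouldn’t be open, and the temporary access that was never revoked. The rule format, the sample policy, the approved-port baselines and the review date are all constructed assumptions for the example, not any vendor’s export format or any real organisation’s standard.

```python
"""
Added example, not code from the original post: an automated "second set of
eyes" over a firewall policy. It looks for the three things the text says an
independent reviewer catches: a rule that is too permissive, a port that
should not be open, and access that was granted temporarily and never revoked.

Everything here is constructed for the example. The rule format, the sample
policy, the approved-port baselines and the review date are assumptions, not
any real vendor's export or any real organisation's standard.
"""
from __future__ import annotations

import ipaddress
from datetime import date

# Constructed sample policy. Each rule is what an engineer *meant* to deploy.
# 'expires' marks access granted temporarily; None means permanent.
SAMPLE_RULES = [
    {"id": 1, "action": "allow", "src": "10.0.0.0/8", "port": 443,
     "expires": None, "note": "internal users to web tier"},
    {"id": 2, "action": "allow", "src": "0.0.0.0/0", "port": 22,
     "expires": None, "note": "ssh for admins"},
    {"id": 3, "action": "allow", "src": "203.0.113.7/32", "port": 3389,
     "expires": date(2024, 1, 31), "note": "vendor RDP for migration weekend"},
    {"id": 4, "action": "allow", "src": "0.0.0.0/0", "port": 443,
     "expires": None, "note": "public website"},
    {"id": 5, "action": "deny", "src": "0.0.0.0/0", "port": 23,
     "expires": None, "note": "block telnet"},
    {"id": 6, "action": "allow", "src": "10.0.0.0/8", "port": 5900,
     "expires": None, "note": "VNC left over from troubleshooting"},
]

# Assumed baselines: ports that may be reachable from the whole internet, and
# ports that may be open at all (from any source) under the organisation's
# standard. Anything outside these sets is a finding for the reviewer.
INTERNET_FACING_PORTS = {80, 443}
APPROVED_SERVICE_PORTS = {22, 80, 443, 3389}

# Assumed date on which the review is run (fixed so the example is repeatable).
REVIEW_DATE = date(2025, 6, 1)


def _allow_rules(rules):
    """Deny rules cannot grant access, so only allow rules are reviewed."""
    return [r for r in rules if r["action"] == "allow"]


def find_too_permissive(rules, internet_ports=INTERNET_FACING_PORTS):
    """Allow rules reachable from anywhere (a /0 source) on a port that is not
    approved for internet exposure: 'the rule that is too permissive'."""
    found = []
    for r in _allow_rules(rules):
        net = ipaddress.ip_network(r["src"], strict=False)
        if net.prefixlen == 0 and r["port"] not in internet_ports:
            found.append(r["id"])
    return found


def find_unexpected_ports(rules, approved=APPROVED_SERVICE_PORTS):
    """Allow rules on a port the standard does not list at all:
    'the port that shouldn't be open'."""
    return [r["id"] for r in _allow_rules(rules) if r["port"] not in approved]


def find_expired_temporary(rules, today=REVIEW_DATE):
    """Allow rules marked temporary whose expiry has passed but which are still
    in the policy: 'the access that was granted temporarily and never revoked'."""
    return [r["id"] for r in _allow_rules(rules)
            if r["expires"] is not None and r["expires"] < today]


def review_policy(rules, today=REVIEW_DATE):
    """Run every check and return rule ids keyed by what the reviewer saw."""
    return {
        "too_permissive": find_too_permissive(rules),
        "unexpected_port": find_unexpected_ports(rules),
        "expired_temporary": find_expired_temporary(rules, today),
    }


if __name__ == "__main__":
    by_id = {r["id"]: r for r in SAMPLE_RULES}
    for kind, ids in review_policy(SAMPLE_RULES).items():
        for rule_id in ids:
            print(f"{kind:18} rule {rule_id}: {by_id[rule_id]['note']}")
```

The point of the design is that the checks know nothing about what the engineer intended; they compare what was actually deployed against a standard written down elsewhere. Rule 4 (the public website on 443) passes because the baseline says it should, while rule 2 (SSH from the whole internet), rule 6 (a VNC port nobody approved) and rule 3 (vendor access that expired over a year before the review) are each reported on their own line.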
Different jobs, different incentives
Critically, the focus of the two roles, IT and cybersecurity, is fundamentally different. IT needs to make things work. When something breaks, IT gets the call. Their success is measured by uptime, by availability, by how quickly they can get the system back online and people working again. That’s not a weakness, that is their core function.
Cybersecurity has a different core function. Not just “does it work?” but “does it work safely? Is the data being protected? Can only the right people access it? If the system fails, what information is exposed?” These core functions often come at the cost of availability. They often make IT’s job harder, not easier. Security slows things down, adds steps, says “wait, let’s think about this before we deploy it.” That’s not a popular answer when management wants the new system live on a tight deadline.
When both priorities live under the same roof, which priority wins?
The horse that wouldn’t stop
As a kid, when I was learning to ride a horse, the horse owner taught me that if I were to panic, my natural reaction would be to squeeze my legs tight around the horse, digging my knees in, which is a signal to the horse to accelerate. And if I pulled the reins trying to stop it, I wouldn’t be as effective. It would be like tapping the brakes while flooring the gas. The accelerator would always win.
That’s what happens when IT and cybersecurity live under the same authority. It’s a question of incentives. IT’s job is to keep things running: the accelerator. Security’s job is to keep things secure: slow down, check this, don’t deploy that yet. That’s pumping the brakes. Both reactions are legitimate. But when they’re happening at the same time, in the same body, acceleration wins. Not because IT lacks integrity, but because that’s how incentives work.
Even with an IT department, or a third-party IT solution, if cybersecurity is handled by the same people handling your IT, with the same pressures and incentives to keep things running, who’s reviewing the work? You wouldn’t let your accounting department audit themselves. You wouldn’t let a writer publish without an editor. Why would you let the people who built your systems be the only ones who evaluate whether those systems are secure?
Back to the conference room
Think back to that SharePoint conference room. I built what they asked for. It worked. Everyone was happy. But nobody ever came back and asked whether the workflows I built exposed data they shouldn’t have, whether the permissions were scoped correctly, whether the site was configured in a way that couldn’t be exploited. And honestly? I didn’t know what I didn’t know. I was the smart guy who figured it out. If you had asked me at the time whether it was secure, I probably would have said yes because I didn’t know enough to know what I was missing.
That’s IT without cybersecurity. That’s the paper without the reviewer. And your organization deserves better than a first draft.