Security managers need to change the conversation with IT teams, showing how to secure critical assets without stifling innovation and business processes.
You’ve heard it all before: there’s a glaring disconnect between the goals of the information security team and the IT group. But the rapid-fire evolution of both technology and cyberthreats could be just what ultimately unites them.
Consider how the IT department must find and deploy technology to enhance communication, drive information-sharing, and support efficient processes so an organization can achieve its goals. So not surprisingly, IT professionals are mainly concerned with availability, ease-of-use, performance, and costs.
As today’s network borders become more porous, the security team, meanwhile, must monitor activity inside the network for suspicious actions conducted by outside attackers as well as unauthorized actions committed intentionally or unintentionally by internal employees. Disruptive technologies such as cloud computing, mobile, Internet of Things, and social media open up more doors adversaries can use to attack or steal critical assets.
This dynamic environment requires more than ever before that IT and InfoSec teams work together to ensure that critical assets are protected, while not stifling innovation and access to the technology that organizations need to fulfill their missions and stay competitive.
“Not taking into account the changing landscape has resulted in friction between the InfoSec and IT teams,” says Javvad Malik, security advocate at AlienVault, a provider of threat intelligence solutions.
IT teams might feel as though they have lost control, especially with the trend toward mobile computing and bring-your-own-devices in the workplace. Yet, IT still has to ensure that applications are delivered to internal users and external customers, but the mechanisms to deliver IT services have changed, Malik says.
DevOps, which merges software development and software operations, is one example of the type of synergy InfoSec and IT operations need to effectively combat advanced attacks and threats, notes Greg Boison, director of homeland and cybersecurity at Lockheed Martin.
Prior to DevOps, “you had software and application development on one side, and on other side, you had software operations and maintenance,” Boison says.
After completing their work, developers would throw the applications over the transom and the operations and maintenance team would have to accept software like it was and try to run it. DevOps, however, has integrated those two functions, bringing together the interplay and connectivity that is required for effective development and operations, Boison says.
“That trend towards merging the two entities where people respect the needs and desires of each function is similar to the needs of information technology and security operations and analysis,” Boison says.
Here are some tips on how to improve and unify InfoSec and IT teams:
1. Integrate software development and security analysts teams.
Lockheed Martin has had a lot of success in merging the development and security disciplines in the company’s security integration center. The company has combined DevOps and security: Developers are co-located with the security analysts so that as opportunities occur to drive automation, it is built into the security tools.
“If you find yourself doing a function more than once, let’s code it such that a human doesn’t have to make that change or access that tool in the same way more than once,” Boison says. “Let’s build the tools so that it happens automatically.”
The other side of the coin is having information technology people that know security and are thinking through the security ramifications of their actions, he notes. An example might be uniform patching of systems that have software vulnerabilities. “The reality is you have to prioritize your patching,” he says.
So an IT administrator who knows security would look at the required patching through the lenses of what is external-facing, of what is on the external web and is more vulnerable: Those systems would be patched first. Or the administrator would flag an executive’s laptop as more important than a server in a closet that is not interacting with anybody.
“So you can get at this through both ways. One is making sure security analysts can affect development,” Boison says.
The other is making IT more aware of security practices. One challenge there is that typically in large companies, IT is stove-piped and sitting in discreet organizational units. Sometimes security will drive that integration; sometimes that integration will occur prior to an imperative for security.
“One cannot, though, understate the challenge of bringing together disparate IT organizations into one homogenous IT enterprise,” Boison notes.
2. Focus on the right metrics.
IT has a different set of metrics than security, but both sides of the aisle need to think through how to effectively communicate their needs and the metrics that will serve those needs.
“Security is well known for having some of the most inappropriate metrics to drive best behaviors,” Boison says. For example, an old-style security enterprise might focus on closing every alert possible in order to get to that fabled white screen where there are no more alerts.
In reality, the best security action might be to slow down and tune a system to generate fewer alerts. A security analyst could then focus on a given alert and dig deeper into it, conducting more thorough security intelligence.
“It may mean at the end of the day you are not going to burn off as many alerts so that your metrics will look weaker compared to another analyst,” Boison says.
But that first analyst might gain a more detailed understanding of an advanced persistent threat and build the security to prevent the threat into enterprise tools.
“So what is the better metric? Is it the number of alerts burned off on a percentage basis or is it reducing the number of attacks on the enterprise? Only a mature enterprise can have effective numbers on that metric,” Boison says.
3. Security teams should operate like a consulting business.
CISOs should approach their job function as if they are running their own consulting business, AlienVault’s Malik says.
That way, they can focus “on packaging activities of their team as well-defined service offerings and selling these services to the business as a paying customer,” he says. Plus, they need to provide regular metrics, updates, and reports, to make sure the customer remains well-informed and sees the value of the services.
“One of the common pitfalls of security departments is they don’t clearly articulate what they are offering the customer and the value proposition,” Malik.
A good example is vulnerability scanning and management: On a regular basis, security will drop a vulnerability scan report on the desk of IT with the instruction to go fix it. Defining why it is needed would not only help the customer understand the value proposition, but also what part they should play in ensuring ongoing security, Malik says. Otherwise, the customer might push back on recommendations and security requirements due to a lack of understanding.
A measure security teams can use is to customers two questions: Can you describe the services provided by the information security function? And: Do you know how to contact the security function if needed?
4. Decouple security controls from IT technology.
“One way to improve the relationship between InfoSec and IT, is to decouple security controls from IT technology,” Malik says. Put them at a higher level where they can be applied to more effectively articulate the desired outcome, and then allow IT to investigate the best way to meet the outcome, he says.
For example, with data classification, there might be a security policy that any information classified as secret should only be on a corporate device. The traditional step would be to issue a corporate laptop or mobile device and encrypt the hard drive. So security might reject the user accessing applications from a BYOD laptop or smartphone because it is not corporate-approved.
“That is the problem where security is linked to an actual device as opposed to understanding the actual requirement, which is we don’t want data leaking out,” Malik says.
By working together, the IT and InfoSec teams can apply solutions that provide secure access to virtual applications for any device, on any location or apply digital rights management controls for the data. Even though the user is accessing data from a non-corporate device, InfoSec and IT can still retain control and mitigate risks.
“This completely changes the discussion from a security team coming in with a 10-point plan, saying ‘install anti-virus software’ or ‘have regular vulnerability scans.’ The security team [instead] is saying, ‘Tell us how we can work with you and we will come up with a solution that meets our needs and services your customers better,’” Malik says.
Security is best known for saying “no,” Boison says. But it’s time to change the conversation: security prods should think of the IT implications, and IT pros about the security implications.
Rutrell Yasin has more than 30 years of experience writing about the application of information technology in business and government. He has witnessed all of the major transformations in computing over the last three decades, covering the rise, death, and resurrection of the … View Full Bio