Why operations and security don’t mix — and why they should

October 31st, 2012

Too often, executives in charge of operations aren’t on the same page as their colleagues charged with keeping a company’s network and data secure, argues Dr. Avishai Wool, CTO of AlgoSec.

 As IT gets ever more complex, with the integration of smartphones, tablets, applications and network devices, along with the growing use of virtualization and cloud services, each group clamors for more resources while hunkering down to focuses primarily on their specific roles and responsibilities. In this LastWatchdog guest essay, Wool outlines an approach to running smoothly and efficiently in the face of ongoing change.

Wool

By Dr. Avishai Wool, CTO, AlgoSec

IT operations and security groups are ultimately responsible for making sure an organization’s systems are functioning so that business goals are met. However these teams approach business continuity from different perspectives. The security department’s number one goal is to protect the company, whereas the IT operations team is focused on keeping systems up and running. Oftentimes, IT operations and security teams must work together and be on the same page because both have an ownership stake. This is easier said than done.

To achieve this alignment, organizations must re-examine current IT and security processes and identify areas where to add or enhance the necessary checks and balances, without impeding productivity.

We work in a business environment that demands change. In turn, enterprise networks are constantly evolving – new applications are added/requested; more smart phones, tablets and laptops are needed as workforce mobility continues to grow. All of this change involves multiple departments (IT operations, security, audit, HR, etc.). And if network changes are not effectively managed, they can introduce gaping security holes.

Research conducted by AlgoSec on “The State of Network Security 2012: Attitudes and Opinions” shines a light on the significant impact of poorly managed internal security processes. Poor processes or altogether lack of processes leads to out-of-process changes. And out-of-process changes can oftentimes lead to your business being out-of-service.

  • Almost 55 percent of survey respondents indicated that an out-of-process firewall change resulted in a system outage.
  • Out-of-band changes resulted in a data breach roughly 20% of the time (this number is most likely deflated as many data breaches are unknown).
  • These out-of-process changes resulted in a failed audit roughly 26% of the time.
  •  It’s not uncommon for IT to be hit up for a change (by an executive perhaps) that is needed “Immediately”. In some cases, due to the urgency of the request (i.e. the CEO needs to access an application on the network from his new iPad), the change is conducted in a rush job – without sufficient consideration of whether that change is allowable under current security policies, or if it introduces new exposure to risk. This is an unfortunate situation where IT has to respond to the business need so quickly that the proper checks and balances do not occur.

The Dreaded Audit

IT admin and security teams dread audits because they introduce lots of questions and require information gathering that take time away from other strategic initiatives. Trying to manage an audit in a vacuum, and relying on manual processes is as Forrester Research put it “nearly impossible.” This is an area where IT and security teams can help each other – and ultimately the business. By working together and leveraging each group’s knowledgebase, time spent on audits can be dramatically reduced and there is a much better chance for producing accurate information, which is also important.

Five Tips

Organizations can ultimately ensure a more secure and agile business by improving communication with IT operations and security teams. Some key recommendations to consider:

  • Re-examine the roles and responsibilities within the Infosecurity team as well as with the IT operations team and identify areas – such as change management and audits – where both teams play a significant role.
  • Set up a taskforce with stakeholders from both departments and develop or enhance a standard operating procedure (SOP) for how the teams will work together on a typical day and when crisis hits. This SOP should take into account the concerns of both teams and address day-to-day situations. You can’t predict when users will make requests to add new devices to the network, but you can prepare for dealing with those requests. Bringing both teams together to design plans that address these situations (or other ‘knowns’ such as network upgrades, change freezes, and audits) helps to minimize the risk of these changes causing security gaps. Communicate the agreed upon SOP with both teams and ensure continuous training of these procedures. This proactive approach will ensure a proper response during high pressure situations.
  • IT and business leaders should define management by objectives (MBOs) and performance targets for their staff that include both individual and higher level targets. If security is compromised due to poorly configured change, everyone loses. And if requirements are so stringent that SLAs cannot be met the business also loses.
  •  Build relationships and force over-communication. Encourage team building outings such as lunch and learns, retreats and off-site events to build relationships amongst the departments. Plan some fun, IT organizational events to break down the silos and build relationships amongst the staff. Additionally, set up weekly/monthly/quarterly review sessions between the two groups that focus on internal process improvements (poor internal security processes were identified in our survey as the greatest security risk). Not only do these activities create awareness and enable joint decision-making, but people generally respond better to friendly faces.
  • Support both teams by implementing technology in addition to the newly developed or refined processes to facilitate collaboration and make their lives easier – having holistic visibility will lead to improved network availability and security.

At the end of the business day, it’s about finding the right balance for each organization between security and productivity. One should not have to come at the expense of the other.

 About the essayist: Dr. Avishai Wool is co-founder and CTO, AlgoSec, a network security management company. He has published more than 40 research papers and holds 10 US Patents with many more pending. He is an associate professor in the School of Electrical Engineering, Tel Aviv University. He holds a B.Sc. (Cum Laude) in Mathematics and Computer Science from Tel Aviv University, and a M.Sc. and Ph.D. in Computer Science from the Weizmann Institute of Science.