Endpoint

5/14/2018
05:20 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

Smashing Silos and Building Bridges in the IT-Infosec Divide

A strong relationship between IT and security leads to strong defense, but it's not always easy getting the two to collaborate.

The relationship between IT and information security can be difficult to navigate: there are traditionally conflicting interests and perspectives between IT, which is responsible for making sure tools and systems work, and security, which must make sure they're protected.

Finding the right balance between accessibility and security is "a key part of the modern organization's success," said Juliet Okafor, senior vice president of global security solutions at Fortress Information Security, in an InteropITX presentation on the topic this month. Rigid silos between IT and security have become "a clear point of attack" leaving organizations vulnerable.

The dynamic between the two groups has changed along with technology. Back in the 1990s, security was considered a function of IT. Corporate networks had a hard perimeter; firewalls were the foundation of security. Modern enterprise computing environments have since become global, borderless, fully mobile, and more complex than ever before.

This evolution has driven new sets of challenges for both groups, said Okafor. IT is worried about data availability while security prioritizes data protection. IT focuses on system uptime; security works on system safety and control.

Culture also varies between the two. IT tends to be more agile, with shorter and more frequent maintenance windows. Operational technology, and sometimes security, typically require more time with longer maintenance periods. They don't want systems down for periods of time, she noted; they're operating in an environment where things have to stay up and running.

Companies are figuring out how to best position the two. An upcoming Dark Reading study on the relationship between IT and security found 37% of businesses surveyed have a distinct security department, with its own staff, within a larger IT department. Twenty-one percent have one or two security people in IT; 21% said they don't have any people who are dedicated to security full-time. This is just a peek at the study, which will be published in July.

Thirty percent of 120 technology and security professionals report IT and security work well together and their relationship is improving. The majority (38%) says while their dynamic is generally good, it "needs some work here and there." About one-quarter say miscommunication between the two has led to continuity or security issues.

Turf Battle

"The disparity between how IT operates, and how infosec operates, demands we take a closer look at how they're working together," Okafor explained. "Due to budgets, reporting structure, IT and infosec often have a tough time with competing and sharing turf."

The CISO and security team should be given a seat the table when decisions are being made, she noted. Oftentimes they aren't: Only 15% of respondents in Dark Reading's study say security is at the table for the beginning of every new project, and their views are always considered critical. Twenty-eight percent say security is brought in at the start of most important projects and they have a strong voice.

However, nearly the same amount (27%) reports security is "consulted sometimes" and is usually heard "if it's a legitimate concern."

Technical knowledge is important but it's not the only answer to the problem, said Okafor. What's critical here is communication: the ability to understand and engage with the person you're talking to. "The biggest issue with security and technology tends to be people," she pointed out.

A key trend in bridging silos is having different team members work on problems together, she added. Give IT workers a sense of what security projects are like, for example, so they can learn about requirements and needs from the infosec side and apply those skills to other projects.

More and more, Okafor continued, success in security means knowing and understanding the business. Security professionals with business and/or liberal arts backgrounds can and should work with their IT colleagues, who have more technical expertise, to come up with more comprehensive solutions to problems. IT employees may also bring technical contributions to security teams, which may not have the same level of proficiency in Java or C++.

"The more we can bring IT people into infosec, the more the IT team, and the entire security department, benefits," said Okafor.

Related Content:

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
The Year in Security 2018
This Dark Reading Tech Digest explores the biggest news stories of 2018 that shaped the cybersecurity landscape.
Flash Poll
How Enterprises Are Attacking the Cybersecurity Problem
How Enterprises Are Attacking the Cybersecurity Problem
Data breach fears and the need to comply with regulations such as GDPR are two major drivers increased spending on security products and technologies. But other factors are contributing to the trend as well. Find out more about how enterprises are attacking the cybersecurity problem by reading our report today.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-6691
PUBLISHED: 2019-01-23
phpwind 9.0.2.170426 UTF8 allows SQL Injection via the admin.php?m=backup&c=backup&a=doback tabledb[] parameter, related to the "--backup database" option.
CVE-2018-19019
PUBLISHED: 2019-01-22
A type confusion vulnerability exists when processing project files in CX-Supervisor (Versions 3.42 and prior). An attacker could use a specially crafted project file to exploit and execute code under the privileges of the application.
CVE-2019-6260
PUBLISHED: 2019-01-22
The ASPEED ast2400 and ast2500 Baseband Management Controller (BMC) hardware and firmware implement Advanced High-performance Bus (AHB) bridges, which allow arbitrary read and write access to the BMC's physical address space from the host (or from the network in unusual cases where the BMC console u...
CVE-2018-19011
PUBLISHED: 2019-01-22
CX-Supervisor (Versions 3.42 and prior) can execute code that has been injected into a project file. An attacker could exploit this to execute code under the privileges of the application.
CVE-2018-19013
PUBLISHED: 2019-01-22
An attacker could inject commands to delete files and/or delete the contents of a file on CX-Supervisor (Versions 3.42 and prior) through a specially crafted project file.