Endpoint

5/14/2018
05:20 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

Smashing Silos and Building Bridges in the IT-Infosec Divide

A strong relationship between IT and security leads to strong defense, but it's not always easy getting the two to collaborate.

The relationship between IT and information security can be difficult to navigate: there are traditionally conflicting interests and perspectives between IT, which is responsible for making sure tools and systems work, and security, which must make sure they're protected.

Finding the right balance between accessibility and security is "a key part of the modern organization's success," said Juliet Okafor, senior vice president of global security solutions at Fortress Information Security, in an InteropITX presentation on the topic this month. Rigid silos between IT and security have become "a clear point of attack" leaving organizations vulnerable.

The dynamic between the two groups has changed along with technology. Back in the 1990s, security was considered a function of IT. Corporate networks had a hard perimeter; firewalls were the foundation of security. Modern enterprise computing environments have since become global, borderless, fully mobile, and more complex than ever before.

This evolution has driven new sets of challenges for both groups, said Okafor. IT is worried about data availability while security prioritizes data protection. IT focuses on system uptime; security works on system safety and control.

Culture also varies between the two. IT tends to be more agile, with shorter and more frequent maintenance windows. Operational technology, and sometimes security, typically require more time with longer maintenance periods. They don't want systems down for periods of time, she noted; they're operating in an environment where things have to stay up and running.

Companies are figuring out how to best position the two. An upcoming Dark Reading study on the relationship between IT and security found 37% of businesses surveyed have a distinct security department, with its own staff, within a larger IT department. Twenty-one percent have one or two security people in IT; 21% said they don't have any people who are dedicated to security full-time. This is just a peek at the study, which will be published in July.

Thirty percent of 120 technology and security professionals report IT and security work well together and their relationship is improving. The majority (38%) says while their dynamic is generally good, it "needs some work here and there." About one-quarter say miscommunication between the two has led to continuity or security issues.

Turf Battle

"The disparity between how IT operates, and how infosec operates, demands we take a closer look at how they're working together," Okafor explained. "Due to budgets, reporting structure, IT and infosec often have a tough time with competing and sharing turf."

The CISO and security team should be given a seat the table when decisions are being made, she noted. Oftentimes they aren't: Only 15% of respondents in Dark Reading's study say security is at the table for the beginning of every new project, and their views are always considered critical. Twenty-eight percent say security is brought in at the start of most important projects and they have a strong voice.

However, nearly the same amount (27%) reports security is "consulted sometimes" and is usually heard "if it's a legitimate concern."

Technical knowledge is important but it's not the only answer to the problem, said Okafor. What's critical here is communication: the ability to understand and engage with the person you're talking to. "The biggest issue with security and technology tends to be people," she pointed out.

A key trend in bridging silos is having different team members work on problems together, she added. Give IT workers a sense of what security projects are like, for example, so they can learn about requirements and needs from the infosec side and apply those skills to other projects.

More and more, Okafor continued, success in security means knowing and understanding the business. Security professionals with business and/or liberal arts backgrounds can and should work with their IT colleagues, who have more technical expertise, to come up with more comprehensive solutions to problems. IT employees may also bring technical contributions to security teams, which may not have the same level of proficiency in Java or C++.

"The more we can bring IT people into infosec, the more the IT team, and the entire security department, benefits," said Okafor.

Related Content:

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Google Engineering Lead on Lessons Learned From Chrome's HTTPS Push
Kelly Sheridan, Staff Editor, Dark Reading,  8/8/2018
White Hat to Black Hat: What Motivates the Switch to Cybercrime
Kelly Sheridan, Staff Editor, Dark Reading,  8/8/2018
PGA of America Struck By Ransomware
Dark Reading Staff 8/9/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-3937
PUBLISHED: 2018-08-14
An exploitable command injection vulnerability exists in the measurementBitrateExec functionality of Sony IPELA E Series Network Camera G5 firmware 1.87.00. A specially crafted GET request can cause arbitrary commands to be executed. An attacker can send an HTTP request to trigger this vulnerability...
CVE-2018-3938
PUBLISHED: 2018-08-14
An exploitable stack-based buffer overflow vulnerability exists in the 802dot1xclientcert.cgi functionality of Sony IPELA E Series Camera G5 firmware 1.87.00. A specially crafted POST can cause a stack-based buffer overflow, resulting in remote code execution. An attacker can send a malicious POST r...
CVE-2018-12537
PUBLISHED: 2018-08-14
In Eclipse Vert.x version 3.0 to 3.5.1, the HttpServer response headers and HttpClient request headers do not filter carriage return and line feed characters from the header value. This allow unfiltered values to inject a new header in the client request or server response.
CVE-2018-12539
PUBLISHED: 2018-08-14
In Eclipse OpenJ9 version 0.8, users other than the process owner may be able to use Java Attach API to connect to an Eclipse OpenJ9 or IBM JVM on the same machine and use Attach API operations, which includes the ability to execute untrusted native code. Attach API is enabled by default on Windows,...
CVE-2018-3615
PUBLISHED: 2018-08-14
Systems with microprocessors utilizing speculative execution and Intel software guard extensions (Intel SGX) may allow unauthorized disclosure of information residing in the L1 data cache from an enclave to an attacker with local user access via a side-channel analysis.