How Security And IT Teams Can Get Along: 4 Ways

Security managers need to change the conversation with IT teams, showing how to secure critical assets without stifling innovation and business processes.

You’ve heard it all before: there’s a glaring disconnect between the goals of the information security team and the IT group. But the rapid-fire evolution of both technology and cyberthreats could be just what ultimately unites them.

Consider how the IT department must find and deploy technology to enhance communication, drive information-sharing, and support efficient processes so an organization can achieve its goals. So not surprisingly, IT professionals are mainly concerned with availability, ease-of-use, performance, and costs.

As today’s network borders become more porous, the security team, meanwhile, must monitor activity inside the network for suspicious actions conducted by outside attackers as well as unauthorized actions committed intentionally or unintentionally by internal employees. Disruptive technologies such as cloud computing, mobile, Internet of Things, and social media open up more doors adversaries can use to attack or steal critical assets.

This dynamic environment requires more than ever before that IT and InfoSec teams work together to ensure that critical assets are protected, while not stifling innovation and access to the technology that organizations need to fulfill their missions and stay competitive.

“Not taking into account the changing landscape has resulted in friction between the InfoSec and IT teams,” says Javvad Malik, security advocate at AlienVault, a provider of threat intelligence solutions. 

IT teams might feel as though they have lost control, especially with the trend toward mobile computing and bring-your-own-devices in the workplace. Yet, IT still has to ensure that applications are delivered to internal users and external customers, but the mechanisms to deliver IT services have changed, Malik says.

DevOps, which merges software development and software operations, is one example of the type of synergy InfoSec and IT operations need to effectively combat advanced attacks and threats, notes Greg Boison, director of homeland and cybersecurity at Lockheed Martin.

Prior to DevOps, “you had software and application development on one side, and on other side, you had software operations and maintenance,” Boison says.

After completing their work, developers would throw the applications over the transom and the operations and maintenance team would have to accept software like it was and try to run it. DevOps, however, has integrated those two functions, bringing together the interplay and connectivity that is required for effective development and operations, Boison says. 

“That trend towards merging the two entities where people respect the needs and desires of each function is similar to the needs of information technology and security operations and analysis,” Boison says.  

Here are some tips on how to improve and unify InfoSec and IT teams:

1. Integrate software development and security analyst teams.

Lockheed Martin has had a lot of success in merging the development and security disciplines in the company’s security integration center. The company has combined DevOps and security: Developers are co-located with the security analysts so that as opportunities occur to drive automation, it is built into the security tools.

“If you find yourself doing a function more than once, let’s code it such that a human doesn’t have to make that change or access that tool in the same way more than once,” Boison says.  “Let’s build the tools so that it happens automatically.”

The other side of the coin is having information technology people that know security and are thinking through the security ramifications of their actions, he notes.  An example might be uniform patching of systems that have software vulnerabilities.  “The reality is you have to prioritize your patching,” he says.  

So an IT administrator who knows security would view the required patching through the lens of exposure: systems that are external-facing, sitting on the public web and therefore more vulnerable, would be patched first. Or the administrator would flag an executive’s laptop as more important than a server in a closet that is not interacting with anybody.
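The exposure-first ordering described above, as an added example that is not Lockheed Martin's tooling or anything from the article: a small risk-ordered patch queue that weights an asset's worst open finding by whether it is internet-facing, how business-critical it is, and whether anyone actually uses it. The weights, the `Asset` fields and the three sample assets are all assumptions constructed for the illustration.

```python
"""Risk-ordered patch queue (added illustration; weights and data are assumed)."""
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class Asset:
    name: str
    cvss: float            # base severity of the worst open finding, 0-10
    internet_facing: bool  # reachable from outside the perimeter
    criticality: int       # business importance, 1 (closet server) .. 5 (executive laptop)
    active_users: int      # 0 for a box nobody interacts with


# Assumed weights: exposure dominates, then business criticality, then usage.
EXPOSURE_WEIGHT = 2.0
CRITICALITY_WEIGHT = 1.0
USAGE_WEIGHT = 0.5


def patch_priority(asset: Asset) -> float:
    """Higher score means patch sooner.

    Raw CVSS is scaled by an exposure/criticality/usage multiplier, so an
    internet-facing medium-severity finding outranks a critical one on a host
    that nothing reaches and nobody uses.
    """
    exposure = EXPOSURE_WEIGHT if asset.internet_facing else 0.0
    usage = USAGE_WEIGHT if asset.active_users > 0 else 0.0
    criticality = CRITICALITY_WEIGHT * asset.criticality / 5.0
    return asset.cvss * (1.0 + exposure + criticality + usage)


def patch_queue(assets: Iterable[Asset]) -> List[Asset]:
    """Return assets in the order they should be patched."""
    return sorted(assets, key=patch_priority, reverse=True)


def queue_names(assets: Iterable[Asset]) -> List[str]:
    """Convenience view of patch_queue() as a list of asset names."""
    return [a.name for a in patch_queue(assets)]


# Constructed sample inventory: note the closet server carries the highest raw CVSS.
SAMPLE_ASSETS = [
    Asset("closet-server", cvss=9.8, internet_facing=False, criticality=1, active_users=0),
    Asset("ceo-laptop", cvss=7.5, internet_facing=False, criticality=5, active_users=1),
    Asset("web-portal", cvss=7.5, internet_facing=True, criticality=3, active_users=5000),
]

if __name__ == "__main__":
    for asset in patch_queue(SAMPLE_ASSETS):
        print(f"{patch_priority(asset):6.2f}  {asset.name}")
```

Run stand-alone, the queue comes out web-portal, ceo-laptop, closet-server: the severity-9.8 finding lands last because nothing reaches that host, which is the point Boison makes about prioritising by exposure rather than by raw vulnerability count.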

“So you can get at this through both ways. One is making sure security analysts can affect development,” Boison says.

The other is making IT more aware of security practices. One challenge there is that typically in large companies, IT is stove-piped and sitting in discrete organizational units. Sometimes security will drive that integration; sometimes that integration will occur prior to an imperative for security.

“One cannot, though, understate the challenge of bringing together disparate IT organizations into one homogenous IT enterprise,” Boison notes.

2. Focus on the right metrics.

IT has a different set of metrics than security, but both sides of the aisle need to think through how to effectively communicate their needs and the metrics that will serve those needs.  

“Security is well known for having some of the most inappropriate metrics to drive best behaviors,” Boison says. For example, an old-style security enterprise might focus on closing every alert possible in order to get to that fabled white screen where there are no more alerts. 

In reality, the best security action might be to slow down and tune a system to generate fewer alerts. A security analyst could then focus on a given alert and dig deeper into it, conducting more thorough security intelligence.

“It may mean at the end of the day you are not going to burn off as many alerts so that your metrics will look weaker compared to another analyst,” Boison says. 

But that first analyst might gain a more detailed understanding of an advanced persistent threat and build the security to prevent the threat into enterprise tools.

“So what is the better metric? Is it the number of alerts burned off on a percentage basis or is it reducing the number of attacks on the enterprise? Only a mature enterprise can have effective numbers on that metric,” Boison says.

3. Security teams should operate like a consulting business.

CISOs should approach their job function as if they are running their own consulting business, AlienVault’s Malik says.

That way, they can focus "on packaging activities of their team as well-defined service offerings and selling these services to the business as a paying customer," he says. Plus, they need to provide regular metrics, updates, and reports, to make sure the customer remains well-informed and sees the value of the services.

“One of the common pitfalls of security departments is they don’t clearly articulate what they are offering the customer and the value proposition,” Malik says.

A good example is vulnerability scanning and management: On a regular basis, security will drop a vulnerability scan report on the desk of IT with the instruction to go fix it. Defining why it is needed would not only help the customer understand the value proposition, but also what part they should play in ensuring ongoing security, Malik says. Otherwise, the customer might push back on recommendations and security requirements due to a lack of understanding.

A measure security teams can use is to ask customers two questions: Can you describe the services provided by the information security function? And: Do you know how to contact the security function if needed?

4. Decouple security controls from IT technology.

“One way to improve the relationship between InfoSec and IT, is to decouple security controls from IT technology,” Malik says. Put them at a higher level where they can be applied to more effectively articulate the desired outcome, and then allow IT to investigate the best way to meet the outcome, he says.

For example, with data classification, there might be a security policy that any information classified as secret should only be on a corporate device. The traditional step would be to issue a corporate laptop or mobile device and encrypt the hard drive. So security might reject the user accessing applications from a BYOD laptop or smartphone because it is not corporate-approved.  

“That is the problem where security is linked to an actual device as opposed to understanding the actual requirement, which is we don’t want data leaking out,” Malik says.

By working together, the IT and InfoSec teams can apply solutions that provide secure access to virtual applications from any device, in any location, or apply digital rights management controls to the data. Even though the user is accessing data from a non-corporate device, InfoSec and IT can still retain control and mitigate risks.

“This completely changes the discussion from a security team coming in with a 10-point plan, saying ‘install anti-virus software’ or ‘have regular vulnerability scans.’  The security team [instead] is saying, ‘Tell us how we can work with you and we will come up with a solution that meets our needs and services your customers better,’” Malik says.

Security is best known for saying “no,” Boison says. But it’s time to change the conversation: security pros should think of the IT implications, and IT pros about the security implications.

Rutrell Yasin has more than 30 years of experience writing about the application of information technology in business and government. He has witnessed all of the major transformations in computing over the last three decades, covering the rise, death, and resurrection of the ...
