Some rivalries are well-known to be irreconcilable – like the Montagues and the Capulets, or the Sharks and the Jets. Here’s another well-known rivalry – Security and non-security teams, like IT, DevOps, Infra, and R&D. Thing is, the Sharks and the Jets didn’t have to work together. But Security and the aforementioned teams (which we’ll refer to as non-security teams from here on in) do.
So, what if you could change this traditional rivalry into a well-oiled efficiency machine?
But before we jump into the how, let’s examine the why – or the roots of the issue. The fractious nature of the non-security-Security rivalry comes down to priorities. Non-security teams generally prioritize stability and availability – making security a priority only inasmuch as it affects these holy grails. For security teams, the top goal is to lock down systems, reducing attack surface and overall risk. If a system needs to go down for patching immediately to achieve this, so be it. A survey of some 1500 CIOs and CISOs conducted by Forrester confirms this. It found that the top three IT priorities and top three Security priorities were:
Preventing data breaches
Preventing data breaches
Despite these seemingly irreconcilable differences, the fact is that in many organizations Security and non-security teams have been able to learn to love (or at least tolerate) each other.
To find out how this can happen and what each side stands to gain from making the effort, we sat down with several of our in-house experts, Shay Siksik – VP Customer Success, Dan Anconina – CISO, Shahar Solomon – Customer Success Team Lead and Gali Rahamim – Customer Success Manager, to get their advice:
10 Tips to Get Security and IT on the Same Page
- Security needs to justify non-security teams’ effort by explaining the risk and the potential impact of the requested changes on the business. It’s not good enough just to provide a to-do list. You need to sit with the relevant teams and demonstrate security solutions so that they have a proper understanding of the goal of each.
- To smooth interdepartmental cooperation, define operational processes that facilitate collaboration between Security and non-security teams. This should include joint committees, mutually-recognized KPIs, and limits that ensure these teams can manage the workload – while ensuring that Security remains focused. Help non-security teams justify headcount for a remediation team vis-à-vis management.
- Nobody likes major change. So Security and non-security teams need to work together and agree on changes that will improve security, while minimizing adjustment to procedures. Together, non-security teams and Security can weigh the impact of changes against the effort involved. And once you’ve decided what needs to be done, work together on how to make it happen: delineate milestones, define resources required, track business goals.
- Since many attacks are based on outdated versions of desktop applications (Adobe, KeePass, Office, etc.), one small way non-security teams can help Security is by educating users to update these applications and by managing the updates or patches centrally where possible.
- A strong non-security-Security alliance in the company leads to safer infrastructure. To make this happen, a wise CTO will educate the other departments on security – helping them understand why they need to apply that patch or reduce those permissions. They should work to integrate security into IT processes – rather than leaving it as a separate function.
- It’s crucial to eliminate the competition between IT security and non-security teams. Says Dan, “I see how this is happening in our IT operations clients, who use our platform proactively. The people responsible for servers, for example, have set up some of their own scenarios and solve problems better than in the past. People are seeing that their actions make their area of responsibility more secure.”
- Ongoing, meaningful conversations between Security and non-security operations teams make it easier to lay out which exposures should be addressed and to get buy-in from all sides to take action. For example, when you understand together that you lack compensating controls in certain areas, you can decide together that new priorities are needed.
- Make sure Security deeply understands the network. Security can learn from non-security teams what the network looks like, what infrastructure is critical, and which assets must be protected. You may even discover assets you didn’t know about – simply because no one thought it was important enough or just overlooked telling you.
- When non-security teams and Security teams collaborate, they can respond more quickly and effectively to cyber incidents, minimizing the impact on business operations. When creating an incident management policy, for example, IT should play an important part in the flow. Once you understand exactly how non-security teams should act in case of a cyber incident, the policy can be updated based on this knowledge and a deeper understanding of capabilities.
- And finally, be nice: give kudos when other teams accomplish goals and make sure management knows, too.
The Bottom Line
While some counterparts will likely never work well together, non-security teams and Security can and do work well together, under the right circumstances. Once non-security teams and Security start to work together in this mutually-informed and aligned way, they are able to identify risks to the company systems and prioritize them according to common criteria of calculated risk. With the goals aligned, and a willingness on both sides to put the welfare of the organization first, the sky’s the limit on the non-security and Security love (or at least not-hate) story.