Why enterprise IT and security teams should talk more
Josh Shaul, VP of product management, Trustwave
Enterprise businesses hold a treasure trove of valuable data that can easily be monetized with the right connections on the internet's black markets. Cybercriminals have long been drawn to enterprises for that reason – money. Yet, too many enterprises continue to believe they are not a target. According to our “2015 Security Pressures Report,” 72 percent of enterprise respondents believed their organization was safe from cyber-attacks and data compromises. Considering 43 percent of companies experienced a breach in the past year, clearly many organizations have a false sense of security.
The “It won't happen to me” mentality combined with communication gaps between the IT and security teams greatly increases enterprises' risk of being breached. Too often, when working with enterprise organizations, our Trustwave experts see security and IT groups misaligned, creating lapses in security that cybercriminals can easily exploit.
For example, the typical goals and incentive programs for IT operations teams revolve around operational metrics such as uptime and responsiveness. Their job is to run the systems that support various business processes and keep them running. They are not security experts, and they are not focused on vulnerabilities and cyber threats, unlike the security team, whose objectives are better controls, more auditability, and attack detection and prevention.
Because of the difference in objectives, some operations teams resist new security controls out of concern that they may introduce roadblocks, such as slowing down system performance and preventing other business projects from getting done. The concerns are legitimate, particularly around systems that run the business and carry SLAs that require 99.9 percent availability. Almost every seasoned IT pro has the battle scars from some kind of change that broke a system that was finally working, and none of them want to live through that again. In their view, their systems are not broken and don't need to be fixed.
On the flip side, security teams resist the pushback from the operations teams. They are focused on vulnerabilities and threats facing the enterprise and don't understand the challenges the IT operations team faces. Security pros generally have not suffered a slowdown of systems or applications; they have not been through nightmare upgrades where everything stops working; and they have not felt the pressure of something breaking down completely, even if only for a few minutes. The security team sees risk in droves. They see exactly how an attacker would break in. They see broken systems that need to be fixed.
Without a common understanding of security risks and operational challenges, these groups tend to make limited progress, with the operations team almost always winning out – because after all, they run the business and are under the “Nothing bad has happened yet so it probably won't happen in the future” (or “We fixed all the security holes after our last problem”) mentality.
Enterprises that close the gap between security and operations dramatically raise the bar on their own defenses and therefore reduce their risk of being breached. Oftentimes the best approach is to establish working groups that combine security and operations with a common goal, such as bringing a new application to market or refactoring an inefficient business process. With a common goal in mind, and a joint effort from the beginning of a project through the end, these teams quickly learn from one another and can design solutions that are both operationally robust and properly secure.
Another effective approach involves rotating operations and security leaders into each other's roles. The swap forces leaders to learn a new perspective and fully appreciate what happens on the “other side of the fence.” Businesses can also partner with a third-party team of multi-disciplinary experts to play an advisory role in major IT projects. The right team needs to have a mix of security and operations skills, and can serve to independently assess risks and make recommendations on viable solutions.
Enterprises can choose any or all of these approaches. Most importantly, they should identify any gaps that exist within their organization, and then take steps to close them. They also need to replace the “It won't happen to me” mentality with “It can happen to me. It just hasn't happened yet.”