Today's business and threat landscapes are both dynamic and complex. Business needs are constantly evolving and network environments are sprawling with more apps and devices, and must support an increasingly remote and mobile workforce. Threats are more advanced and focused with intellectual property often the target, whether company trade secrets or classified government documents.
Inevitably all of this leads to more complex network security policies, consisting of hundreds, if not thousands, of rules and objects that must be managed across traditional and next-generation firewalls and devices, from multiple vendors, spanning numerous geographical locations. All of this must be continuously managed due to the high volume of change that the business desires. And you must be ready for those looming compliance audits, which are no longer once-a-year activities.
Breaking down the silos
One major challenge to dealing with all of the above is that many organizations today still have IT security and operations teams working in silos. With more work than resources available to manage it, these teams typically work with blinders on as they must check off as many tasks as possible to keep up with the ever-growing “to do” list.
This is no fault of the organization, as each group will focus on its own priorities. However, from the broader IT perspective and the ultimate goal of keeping the business running smoothly, this siloed approach is fraught with failure. IT operations and security teams approach this goal differently as they have different sub-concerns. Protecting the company and keeping systems running should go hand in hand, but too often they do not.
Too often, these teams find themselves in the situation where there are unexpected, quick-fix changes, often requested by board-level staff, for access to specific resources or capabilities. In some cases, the change is made in a rush (after all, who wants a C-level exec breathing down their neck because he wants to access the network from his new tablet right now?). However, sufficient consideration of whether that change is allowable under current security policies, or if it introduces new exposure to risk, might be bypassed. Audits are another area where there is often friction between these two teams, where there is sometimes distrust or finger-pointing.
To ensure business agility while maintaining an appropriate level of security, a top-down approach must be taken and the segregation of IT security and operations teams must be re-examined. Barriers need to be broken down because at the end of the day the goal is the same; the teams differ only in how they try to get there. Alignment of these teams requires mutual understanding and respect and, most importantly, a standard operating procedure for how they might work together and conduct business, especially when this type of situation arises. MBOs and performance targets should have individual and higher-level targets – if security is compromised due to a poorly configured change, everyone loses.
You can't always predict exactly when users will make requests to add new devices to the network, but you can certainly prepare a routine for dealing with those requests as they arise. Bringing both teams together to design plans that address these situations – and for other ‘knowns,’ such as network upgrades, change freezes and audits – helps to minimize the risk of these changes causing security gaps.
Here are some practical recommendations for addressing this organizational challenge:
IT and security teams need to work in tandem to achieve that proper balance of security while keeping the business profitable. It is possible if you make it a priority.