(**Editor’s Note: **Sam Bocetta, a guest author on the VMware Carbon Black blog, is a freelance journalist specializing in U.S. diplomacy and national security, with emphases on technology trends in cyber warfare, cyber defense, and cryptography.)
SecOps is not a new idea. Unfortunately, however, it is still too often seen as a buzzword rather than a realistic paradigm for ensuring cybersecurity is built into everyday practice. As such, it remains an under-utilized concept for many firms.
One of the primary reasons for this is the persistent disconnect between IT and security teams. In our 2020 Outlook report, we focused on the behaviors that underpin contemporary cybersecurity and made some surprising discoveries. One of these is that IT and security teams appear to be aligned when it comes to their goals: both types of the team are focused on preventing breaches, improving efficiency, and ensuring rapid incident resolution.
At the same time, 77.4% of survey respondents said IT and security teams currently have a negative relationship. In other words, Sec and Ops teams want the same things, but they are not talking to each other about how to achieve them.
In this article, we’ll look at why. Then we’ll take a fresh look at one (and in reality the only) solution to this: a renewed focus on the implementation of SecOps practices.
Security vs. IT
The apparent disconnect between IT and Security teams has deep historical roots, and this can create huge difficulties for firms looking to transition to SecOps. CISOs have long been aware of this, but it’s worthwhile returning to these issues in order to see why SecOps is difficult for many companies to realize.
Put simple, IT and Security teams see their roles in completely different ways. IT departments build their teams, processes, budgets, and development plans around ensuring ongoing and reliable service delivery. Security teams, by contrast, tend to see all of the systems they work with through the lens of potential threats, risk mitigation, and incident response.
Both of these approaches are necessary, of course: service delivery means nothing if massive attacks lead to data breaches and thousands of hours of retro-active recovery; any cybersecurity program requires strong and reliable underlying systems.
Unfortunately, these priorities can sometimes cause friction between operations and security teams. Many IT departments still see their primary role as ensuring the efficient operation of legacy systems such as help desks, managing outdated code, and manually tuning enterprise applications like ERP. Where and when they attempt to modernize or outsource these functions, security teams block these attempts due to their potential cyber risk level.
These are not new issues, but have often been overlooked by teams – and managers – who have an (understandable) focus on the technical systems they work with, and forget about the “human factor“, as David Lacey’s dated but still relevant book puts it.
The Eternal Skills Gap
These issues are precisely those that SecOps seeks to overcome. However, transitioning to this paradigm is not as easy as simply encouraging open and honest communication between these two teams. In reality, the deep historical roots of the difference between these two teams, the way that professionals in either field are trained, and their consequent outlook on the world, means that hiring staff who are genuinely able to work with both paradigms is extremely challenging.
In other words, there remains a huge shortage of potential employees with fundamental skills in both areas. This was, in fact, another key finding of our Outlook Report, in which nearly 50% of both IT and security respondents reported being understaffed. Security respondents reported that their teams are currently 48% understaffed, and 79% of respondents said finding the right security talent is either “very challenging” or “extremely challenging”. 70% reported the same level of challenge for IT talent.
Even in these findings, the difference between “IT talent” and “Security talent” is visible. Companies that take the idea of SecOps seriously have long sought to hire staff with cross-cutting expertise. Unfortunately, it can be extremely difficult to find staff who have experience in both Ops and Security because historically professionals were concerned to stress their expertise in just one of these areas. Building a SecOps environment – as we will see in the next section – should start with hiring decisions.
Security is Dead, Long Live SecOps
In reality, the only feasible solution to resolving the inherent tension between Ops and Sec teams is a well-developed SecOps process. We’ve previously produced detailed guides on how to move to a SecOps model, which explains all of the technical and managerial tools that you’ll need.
Here, though, let’s take a more human-centered approach. As we’ve seen, one of the primary obstacles that often defeated these transition processes is the lack of cross-cutting expertise and communication between these two teams. This insight points to three critical priorities that should accompany the move to more “technical” SecOps tools:
- The first is to make sure that all prospective staff members, whether they are being hired for security or operations teams, know the basics of both. It’s a long-running joke among security pros that IT guys are better at writing assembly code than setting up strong passwords, but one that is (sadly) based on reality. Everyone in your organization – from your database architect to your receptionist – should have a grounding in fundamental cybersecurity practices.
- Secondly, you need to provide the technical means, and the right environment, so that operations and security teams can communicate. This means providing secure internal communications systems via no-logging VPN services and encouraging even junior members of each team to share their processes and thoughts.
- Finally, take the time to map how the priorities of each team intersect at the highest level and do this in a transparent way. One of the most important elements of this is to ensure those insights into vulnerabilities are shared throughout your organization. Security teams still lag behind in this area, because they feel that admitting vulnerabilities somehow means they are under-performing.
The Bottom Line
Moving to SecOps is not just about making your internal relationships more harmonious, though. If done correctly, it can have a direct impact on the speed of compliance processes, in mitigating the frequency and severity of cyberattacks, and ultimately your profitability.
Despite these advantages, there is still a long way to go when it comes to implementing SecOps. As we’ve previously pointed out, research by Dark Reading has found that 28% of the organizations they surveyed indicated security teams are typically only brought in at the beginning of important IT projects and do not provide ongoing oversight.
This needs to change.
In short, SecOps is still the future, because it is still the only paradigm that can ensure the long-term sustainability of IT operations. And here at VMware Carbon Black we can help you to achieve it.