Having been in the industry for longer than I care to admit, I have seen the growth pre- and post-public internet. With that growth, there have been many changes in how organizations address the balance of IT Operations and Security, where tension still exists.
IT Ops must keep the business running by providing reliability, uptime, scalability, and quality, while Security must protect and secure these functions. Oftentimes, these teams are at odds and can clash. Some of this is rooted in the organizational structure where, traditionally, the CISO reports to the CIO who, in turn, reports to the board or the CEO. This means that the CIO has the power to “kill” a CISO initiative if it negatively impacts the Ops side of the house, regardless of how much it reduces risk.
In order to continue to help drive this risk profile lower, we should stop, step back, and look at how we operate, and course-correct (if we need to) in order to benefit the business. Part of that correction starts with C-level realignment. CISOs and CIOs should be partners who both report to the CEO or COO. This way, when something needs to be done that impacts both business function and security, the CEO or COO can be the deciding factor.
The next thing to consider is collaboration at the operator level. If you find friction, address it immediately and cut it out of the organization. Make sure the security side understands the “why” of the business side and that operations understands the “why” of the security side. For example: “We need to bring the customer a much better experience and quicker service. This means we need to provide XYZ level of access.” What does this level of access do to the risk profile and to the ability to get at other assets in the company?
Each side needs to understand the other side, and it’s important to know the players making the decisions and involved in the process. When a stalemate occurs, management must step in and do what is right for the business on all fronts.
This all seems logical and straightforward, but we still live in a world of “us vs. them” when it comes to operations and security. It may make sense to do cross-training, which can bring respect and understanding as well as identify talent on staff. It may also open the door to building a more resilient organization.
Another area where cross-training can assist is with projects. Do you have a project planning group that is cross-functional, involving the other parts of the business? There are times when some “security” projects are actually in the hands of operations. For instance, consider an email project that involves encryption or threat protection. Because it relates to email, which is traditionally owned by Ops/infrastructure, is this one actually a security project? It makes sense to have teams from both sides work on it as a joint project. How about a cloud project? With data and systems in an external environment, you need both operational resiliency and security.
It’s time the walls came down between operations and security groups for the health of the overall business. Egos should be tempered and organizational structures need to be realigned. By doing these things, you allow the organization to ultimately operate more effectively and to prepare for the unknown TOGETHER – from business inefficiency to security breach.
Ultimately, when operations and security are aligned with one another, the organization is in a better place. So, tear down the walls and build something better by working together.