Ask any top-level security bod and they’ll tell you that they’re sick and tired of their part of the company appearing at odds with the rest of it – despite their shared goals and incentives!
So we took a seat with David Cramer, Vice President at BMC Software to get his take on why this seems a natural part of doing business today and what differences we can make in how we work and communicate to ensure security within the business is functional and practical. Here’s what he said:
ITSG: Why does the security team not operate in harmony with the other departments of so many organisations?
“It is undeniable that a lack of alignment on priorities will lead to tension as groups are focused on different goals. For example, the security organisation may be principally focused on identifying risks and setting policies that protect an organisation, whereas the operations team is solely focused on maintaining uptime and stability. Yet, when a risk presents itself, these teams must collaborate in order to prioritise the necessary patches or fixes without impacting availability. If they fail to work together, then conflicts will inevitably arise.”
ITSG: Is there a way to improve the cohesion between security and the rest of the company?
DC: “Without a doubt, the operations team needs to be able to quickly consume the information provided by the security team so they can prioritise risks together, fixing the most important ones first. At the same time, the security team must have visibility into the operations team’s plans so they can understand when risks will be addressed, and which ones remain a concern”.
ITSG: Or does security need to speak the language of business i.e. KPIs etc.?
DC: “The security organisation certainly needs to have a solid understanding of the key KPIs to the business and the impact of their policies and procedures on those metrics. Yet, at the same time, the rest of the organisation must become familiar with security threats and risk scores and consider those as they look at the overall health of their organisation”.
ITSG: How does the friction between security departments and IT lead to security risks?
DC: “The risk that is created is increased exposure to attacks, because the friction slows down the ability to respond to threats.”
ITSG: Why is patching not enough?
DC: “Patching without visibility into the risks, is like blindly throwing darts at a board. You might hit something important and you might not. You have to have a strategy in place that combines security and operations – which includes patching – and then operationalise that strategy. Proactively pursuing vulnerabilities will help organisations manage their risk exposure.”
ITSG: What is the number one factor that’s keeping organisations open to attacks?
DC: “Known vulnerabilities that remain unaddressed are the number one factor keeping organisations open to attacks. In the BMC/Forbes Insights survey released in January, executives reported that most security breaches occur even when remediations are identified.”
ITSG: How, if at all, can automation help boost security?
DC: “Automation can help boost security from a number of angles. Indeed, automation will increase the speed and consistency of addressing vulnerabilities because manual processes will have been removed, which are error prone and time consuming. They also provide a much needed audit trail, for when you need to see what went wrong, or changed”.