Bridging the divide between the information security and operations teams would benefit both sides, the IT department and the business as a whole
For too long IT operations and IT security managers have had a stressful and priority-challenged relationship.
Most security managers see their job as defending the organisation from fast-moving surprise attacks from outside sources. They often bombard operations managers with abrupt demands for change actions that range from installing the latest operating system patches to implementing new network access policies.
Operations managers, on the other hand, strive for 24x7 service availability and regard any change - especially immediate ones - as threats to the smooth running of mission-critical infrastructure.
But the pressure on operations and security staff to integrate and harmonise their activities is rising.
Security that takes no account of business impact can impact overall corporate agility by gumming up the works of business operations that are increasingly distributed and dependent on IT. And senior managers are unwilling to write blank cheques to fund kitchen-sink approaches to infosecurity, especially since the return on investment is notoriously hard to measure.
After all, how do you place a value on disasters that don't happen? Or, to put it another way, how do you measure something that never happened because your security prevented it happening?
Most organisations simply cannot afford to support two teams focused on a single yet adversarial task - maximising IT investment value - but using different tools, processes and definitions.
The overarching goal for both operations and security is to gain visibility and control across all IT assets in as close to real time as necessary. Given the similarity of many of their tasks at an automation level, new and more intelligent convergence tools are coming into focus.
Security patch installation is awfully similar to software updates - so why not use the same tools to do both? Similarly, asset discovery and inventory tools that identify and remove vulnerabilities can generate useful information for software licensing and asset management, compliance reporting and capacity management.
If security becomes manageable, it also becomes measurable through many of the techniques common in operations management.
A good security system creates a shield behind which organisations are able to automate and reduce the cost of previously sensitive operations such as confidential client record keeping. Customers and suppliers strongly prefer to do business with organisations with visibly sound security. And nothing damages reputation more than a security blowout that gets extended airtime on television.
New approaches to converged security and operations management are not only emerging, but racking up solid value in real-world applications.
The things to look for here are not point-upgrade tools that "slice and dice", but architectures that enable detailed real-time visibility into all corners of an infrastructure and the ability to drive an expanding range of management services from a common, future-proof core platform.
Security managers are in a good position to take the first step towards operationalising security. Teams should look for points of convergence it may not seem a natural fit, but given the changing face of security threats, it will benefit them in the long run.
Organisations should consider integrating security teams more closely with IT operations management and even transferring some of the operational aspects of the work. As this occurs, operations and security people need to build a deep understanding of how much their work complements each other's.
Yes, the security people demand sharp turns at a moment's notice, but this can help IT organisations become more agile overall. And although operations people can seem inflexible, greater sophistication in recognising the business benefits of security can quell the "What have you done for me lately?" interrogations at budget time.
Every step you take towards operationalising your security also securitises your operations, with accompanying benefits in brand equity, agility and the speedy delivery of new products and services.
Howard Schmidt is chief executive at R & H Security Consulting and international president of the Information Systems Security Association. From 2001 to 2003 he was the US president's special adviser for cyberspace security
2006 Infosecurity retrospective
Comment on this article: [email protected]