Security Think Tank: Security needs to be part of change management processes

How can development, operations and security teams collaborate around change to ensure security is maintained and even improved?

‘Collaboration’ is a buzzword in the world of cyber security. International collaboration is seeing countries working together to successfully bring down cyber terrorists and hackers. Domestic collaboration is seeing leading businesses and governments striving to implement common cyber security practices such as ISO27001, PCI-DSS and Cyber Essentials.

So, if we can all work so well together on a macro level, why is it we seem to struggle at the micro level with our own internal teams? Whether it is for digital transformation, operating system upgrades, new networks, acceptable use policy changes or just introducing a new user, collaboration is a key factor in the success of any project and ensures the security of information assets stored, managed or processed as part of that activity.

Yet still we do not seem to be singing from the same hymn sheet as our colleagues. So where do the challenges lie?

When data is compromised, it is often because security has not been considered as part of the change and configuration management framework. We build secure technological infrastructures and conduct penetration testing to identify vulnerabilities, but there is often no ongoing security maintenance – and security failures ensue. Failures can be put down to a number of inherent issues:

  • Disparate systems with no oversight or joined-up management;
  • Slow change management, leading to processes being circumvented or ignored, or to no joined-up decision-making;
  • Security not built in, but bolted on after the event;
  • Legacy thinking rather than agile planning;
  • Poor succession planning for legacy platforms;
  • Lack of security process maintenance;
  • Management out of the loop on corporate protection.

Change and configuration management should be a business-centric process that involves all appropriate stakeholders and ensures the maintenance and integrity of security controls. Basically, this means make it secure, check it’s secure and keep it secure.

All stakeholders need to be involved in discussions about business change. Security teams are often marginalised as they are seen as ‘trouble-makers’, when in reality they are business enablers helping create secure environments and improve asset protection. When collaboration does not occur, that is when breaches occur.

Security needs to change its mindset and be more flexible, working in harmony with the business’s needs and ways of working – agile working rather than the traditional ‘waterfall’ approach, where projects are managed by timescales and milestones. Even if we are working in an agile, iterative manner, this does not always mean we do governance and change management right.

Indeed, the definition of ‘done right’ should always include elements of security, change management and testing.

In the same vein, business needs to change its mindset and embrace security, understanding that it is there to deliver a business-centric service to realise benefits, enable the business and ensure that change is introduced in a logical, safe and, most importantly, risk-managed manner.

In short, when all teams collaborate, security will be successfully maintained and ultimately improved, as teams become more security-conscious and embed it in business-as-usual change management processes.

Mike Gillespie is director of cyber research and security at The Security Institute.