How Teaming Up with IT Protects the Enterprise
Over the last few years, I’ve written several articles and blogs about how critical collaboration is to the success of a security organization. I’ve also worked very hard in my job to practice what I preach. Security will not work in a silo, and unless we, as security practitioners, understand our business and its core assets, it will be pretty difficult for us to successfully ensure their security.
For me, it’s all about reaching across departmental lines, learning the business and how each unit adds value to the overall business strategy. If I understand the core function of a department, I will be in a much better position to implement a security program to protect it and help manage risk effectively.
During the last 10 years, IT departments have become the engines that drive our businesses. Technology is at the heart of every company with which I’ve worked. But if IT is the engine, then security is the oil that keeps the engine running smoothly. Now, I’m no mechanic, but I’m sure there are some folks out there who might prefer to compare security to the hood of a vehicle. However, if you’ll bear with me, I’d like to explain my analogy and, in the process, hopefully demonstrate why collaboration is essential to managing risk in your organization.
Security, up until a few years ago, was all about defense in depth and protecting the perimeter. We used the old castle with the drawbridge, moat and circling killer alligators to depict what “good” security looked like. This type of comparison would imply that the hood protecting the engine from external threats was the most critical security feature on a car, but as they say, “we’ve come a long way, baby.” Today the perimeter no longer exists and things like cloud, BYOD and a mobile workforce have blurred the lines of where one company ends and another begins. So how do we manage risk and protect against threats in a perimeter-less environment? The answer is: We must embed security into our company’s DNA. We need to become the oil that runs throughout the organization, protecting the key working parts seamlessly. But no part of the business is more critical than our IT departments that design, develop, manage and maintain the technologies that run our most critical business functions.
While we were all diligently trying to get up to speed on risk management, cyber terrorism and APTs (Advanced Persistent Threats), something strange happened. Many of the business functions that traditionally resided within Security, Facilities and Human Resources departments were transitioned to IT. The processes and procedures, which had previously been fairly manual and relied on a particular skill set housed in one of the aforementioned departments, were migrated to a single or multi-purpose appliance and relocated into the data center or server farm. Responsibility for the management, maintenance and ongoing support of those appliances was given to the IT department as they now required a technically adept owner to perform routine updates, patch management and backups.
Functions such as identity and access control now sit within the IT department in most larger organizations. Although you might still have physical identification badges for your employees, they now contain a special chip that allows access to both the company offices and the corporate network by inserting the ID badge into the laptop or computer. The software can determine if the person trying to log onto the corporate network from a particular location has actually scanned their badge at the main entry door to that facility to ensure proper access control. The policies, logs and maintenance of these systems now fall to IT. The security has been dramatically improved and risk reduced by using technology in this fashion; but unless security and IT are collaborating on the creation of policies and the monitoring of system alerts and logs, the value of the system is minimal.
Continuing with physical security – most of the security video systems are now IP-based and instead of VHS or DVR devices sitting in the Facilities department’s closet, the video, stored on servers in the data center, can be viewed immediately from anywhere in the world if required by an investigation. But again, the maintenance and support of these systems now belong to the IT department – so without proper agreement and coordination of the backup and deletion policies, the data you need to perform a proper investigation might not be available.
What about our phone systems, which were clearly under the control of Facilities historically? Today many companies are moving to IP telephony where the server and handsets are connected to the corporate network, and voice messages and phone logs are stored on servers. And where are these servers? You guessed it, in the data centers under the watchful eye of the IT department.
There are more examples which I think illustrate how critical the IT department is to the day-to-day business operations. Things such as mobile devices, which are a huge liability to the company, both from a cost basis and in terms of the protection of corporate data, have now become part of a company’s BYOD (Bring Your Own Device) policy. Access control to corporate data from a personally owned device as well as the ability to locate a lost device or immediately wipe a suspected stolen device both fall within the management of IT. So creating a good working relationship between IT and security to respond quickly and effectively to the loss of a mobile device is critical to managing risk, as these devices are now able to hold more data than many desktops and laptops did just five to 10 years ago.
And what about social media? Websites like Facebook, LinkedIn and Twitter are all used for sharing and collaborating with peers around the world and across industries to allow an employee’s network of professional contacts to act as an asset in helping them solve technical and business problems more efficiently and effectively. But who controls access to these sites and ensures that sensitive corporate data isn’t leaked to the public? Yes, of course, you guessed it: IT.
Now I’m not saying that IT owns the corporate and security policies that are enforced. That should still fall to the Security, HR and Facilities departments. But unless you are working closely with your colleagues in the IT department who manage those enforcement devices, your ability to manage risk in your company will be tremendously hampered and your responsiveness negatively impacted. Since security’s role is to manage and mitigate risk for the company, it is imperative that you work closely with the IT department to ensure that – when the alarm bells go off and you need to be able to react – you have a process and plan in place to coordinate with your IT colleagues to get access to the systems and data to facilitate a speedy and fruitful investigation.
Collaboration is more than just communication. It ensures you are involved in any new projects from the outset so that security is included in determining the technologies implemented to perform critical business functions and the location and security of the devices installed; defining the policies that will be enforced; agreeing the schedule of system data backups, retention and removal; and most importantly, creating the processes that will be used to respond to incidents when they occur. This could range from something as basic as shutting off access to corporate facilities and networks via the identification badge of an employee who has gone rogue to accessing the video recordings of a particular location to investigate the theft of a corporate asset. Without plans in place and a good working relationship with the IT department, your ability to properly reduce risk in this new corporate structure will be difficult at best.
So in the end, why should you care about collaborating with your IT colleagues? It’s because as security professionals, our main function is to help the company manage its risks. And in today’s highly connected and technologically advanced society, those assets most critical to our businesses are those managed and maintained by our IT organizations. By collaborating with IT, we can ensure that the business functions most essential to our company’s success have been designed and developed with security embedded to ensure our ability to manage and mitigate risk in a high-risk environment.