Strained relationships between security and IT ops: Is your business at risk?

Australian organisations are in the midst of very difficult times, working out how to navigate the global COVID-19 pandemic. It’s certainly no longer ‘business as usual’ and the way we work is likely to change for good.

Significant changes in work environments, driven largely by the need to do business remotely, is putting added pressure on tech teams and additional strain on the relationship between IT operations and cyber security groups.

Industry experts gathered recently to discuss this vital relationship during a webcast presented by CIO Australia and Tanium. Keynote speaker Jeff Bleich – who served as US Ambassador to Australia from 2009 to 2013 and was special counsel to former US president, Barack Obama – told attendees that this is the time when IT ops and security teams need to be unified.

This is necessary, he says, because organisations need to have confidence in their own data to help them make critical business decisions, particularly when faced with economic uncertainty created by COVID-19.

“This requires visibility and control over what is occurring right now and it requires an unprecedented number of workers who now work from home on every kind of device and program…to be confident about the security of systems and the integrity of the information that is being shared,” said Bleich.

COVID-19 has accelerated the merger between digital and physical worlds faster than organisations ever expected, he said.

“This has put CIOs on the front lines of protecting something that is essential to us for functioning as water and air and that’s our data integrity and security,” he said.

Cyber security is not a tech issue alone

One of the big lessons from the leaking of sensitive government data by whistleblowers Edward Snowden and Chelsea Manning as well as hacks by China into the US Office of Personnel Management and Russia’s interference in the 2016 elections, is that cyber security is not an IT or cyber issue alone, Bleich said.

“Giving Chelsea Manning clearances or leaving him unsupervised was a personnel and management failure along with an IT failure. The exposure of employee records is a legal and HR issue and intelligence issue as well as a cyber and IT issue. And the dissemination of stolen information is a political and communications issue,” Bleich said.

This means that CIOs are no longer in their own domains, they sit in the very middle of management, HR, communications, legal, finance and physical security, Bleich said.

Private sector the biggest target

It’s not just governments that are being targeted by hackers. The vast bulk of digital threats have been directed at organisations in the private sector with billions of dollars lost.

“And their [hackers] activities are getting more creative in terms of their targets and approaches. Rather than attacking companies with hardened systems, they are attacking lawyers, consultants, PR teams and supply chains that you depend on – whatever link is weakest,” he said.

Hackers don’t simply hack, they are distorting and overloading systems, sending out distributed denial of service attacks, creating false messages and followers through their bots, or simply just buying information.

“They [hackers] don’t need to get inside your systems anymore to get inside your head and cause you to make bad decisions, which in many cases, is their ultimate goal,” Bleich said.

“The most important thing to appreciate is that these are now sophisticated organisations that coordinate and collaborate and don’t distinguish between their security and ops teams and neither should we.”

Building trust between IT ops and security

Reducing the strain between IT ops and security teams helps organisations decrease their cyber risk exposure, particularly at the endpoint. This was a key finding of research conducted by Forrester analyst Sam Higgins, who also spoke during the webcast.

Two-thirds (68 per cent) of Australian enterprises responding to the study said that driving collaboration and alignment among their teams is a major challenge.

“Clearly, when we talk glibly about this notion of organisational silos, it is something that organisations recognise and it is something that organisations battle to overcome on a regular basis,” he said.

But when it comes to collaboration and alignment to mitigate cyber security threats, one in two (63 per cent) of Australian firms indicated that IT ops and security groups have good partnerships, compared to 50 per cent globally. Also, more than half said they were more confident their leaders have more focus on security, risk and compliance than they did two years ago.

But unfortunately, the majority (83 per cent) reported that it is still challenging to maintain basic IT hygiene. This is made even more difficult when internal staff are connecting directly to the cloud via a VPN or other means, said Higgins.

He said that any strain between IT operations and security can leave an organisation exposed to known IT vulnerabilities for almost 10 days longer than firms that have a really close working relationship between these functions.

“That’s nearly a 30 per cent difference in terms of the impact that collaboration and alignment has on being able to respond to incidents as they occur,” Higgins said.

Clearly, organisations are making significant investments in cyber security by increasing budgets and awareness and literacy of their executives. But Higgins questioned why only 51 per cent of Australian firms said they were confident of their visibility into cyber risks.

“What we found is that people are extremely confident in their ability to respond to a breach, to respond to a vulnerability but they have very low confidence as to whether or not they’re able to identify those exposures and those risks.

“So we are relying on our response to a breach knowing that we don’t have complete visibility into the vulnerabilities, knowing that we can’t identify vulnerabilities faster and finally, and that we have little visibility into the hardware and software assets connected to our IT environment,” he said.

This means that IT operations and security teams do sit in a pretty difficult position, he said. Despite investments being made and processes being improved around cyber security, they know in their ‘heart of hearts’ that they can’t possibly see everything that is coming, he said.

So what is keeping IT ops and security teams from reducing hygiene risks and how can trust be improved between these groups?’

Higgins said there are three factors that are driving a wedge between them: external diversity and internal complexity; conflicting missions and difficulty communicating; as well as different tools and disparate data. 

Higgins said organisations believe that if they address the issue of too many tools and silos of data (the third factor), if they use technology to create a single truth, then trust improves as communication increases and teams collaborate more often.

“And by making an effort to reduce the number of endpoint management tools, we see firms reporting that their ability to operate faster and at scale improves,” he said.

“From a technical perspective, the fast response times to issues is also improved…if we actually address the visibility, we will have even more improvement in our ability to execute those faster response times to vulnerabilities from a process perspective.”

Working towards one goal

Orion Hindawi, co-founder at Tanim agrees with Forrester’s findings, saying that security and operations teams at many of the endpoint security and systems management company’s customers were highly fragmented.

“They didn’t talk a lot in many cases and when they did, it was pretty adversarial. When we looked at their reporting structures, there were a lot of disparities. Sometimes, the security [teams] would report to the board of directors and the operations [teams] would go to the CIO.

“There would be a cleave in management style and in some cases, you saw very different levels of importance between those two teams. You would see security in some organisations not getting the attention that it needed and operations being less respected,” he said.

But almost every one of Tanium’s customers has broken through many of these logjams as staff shift from the office environment to their homes.

“Whereas a lot of companies had the opportunity to academically argue about things, practically most of the teams that we are working with are working sometimes 14 hours a day, seven days a week just trying to get laptops into the hands of users. When you have no choice, I think a lot of people set aside their differences and really work to one goal,” he said.

A consistent theme from customers, he says, is how amazing it has been to watch their teams coalesce to save their companies and, in some cases, move hundreds of thousands of laptops out the door so people could do their jobs.

“What they found after they ship all those laptops, go into closets and find anything that you can that will turn on and get it into people’s hands, is that basic manageability is often completely broken.

“If you take a step back and work out what ‘work from home’ over a VPN or not over a VPN means relative to on-premise tools, you’ll see that [these tools] are really struggling, they weren’t designed for this,” he said.

“In many cases, our customers are realising that tools that usually would work on-premise don’t work very well and as a result, things like patch and configuration management fall away.”

He added that customers are now realising that if they can’t rely on their basic tooling, they have to make a change because if you’re not patching for a couple of weeks, especially in crisis, “no-one is going to fault you for that.”

“But if it goes on for months and months, that exposes the organisation to unacceptable risk,” he said.

Finally, Hindawi said that many customers believe that ‘work from home’ is here to stay. He said that staff productivity is improving in a lot of areas as staff don’t need to commute or deal with distractions that occur when they are working in an office.

“If that’s true, I would encourage people to realise that this is a problem we need to solve not temporarily but permanently. Every one of the systems that are falling over right now, when you look at a lot of the basic tooling that people have relied on for a long time and they are fundamentally broken, we as technologists need to be able to solve these problems for the long term,” he said.