by Sander Almekinders

How to tackle the gap between security and operations?

Mar 04, 2020

Is it about reskilling, retooling, or something else?

At many companies, there’s a gap between security and what is generally called operations, or more colloquially, ‘the rest of the organization’. That gap is becoming an issue, because the days when only the security team needed to know about security are behind us. So, what can you do about that?

In order to answer this question, we were asked by CompTIA (see the bottom of the page for more information about this non-profit organization) to host and moderate a workshop on this topic for the CompTIA Benelux Community in Belgium, co-moderated by Luc van Roey from F-Secure. Approximately 30 business leaders attended and discussed the issue. The workshop was set up in three steps: first get an idea of what the situation is like now, then go on to how the attendees would like it to be, and finally get to some feasible next steps to tackle it.

Before we start: the issue at hand

Before going into what was discussed during the workshop, let's first briefly outline, for the sake of clarity, why this gap is becoming an increasingly pressing issue.

It's virtually impossible to view the gap discussed during the workshop separately from the bigger security trend of shifting focus from prevention alone to detection and response. The saying 'it's not if, but when you will be hacked' has become more or less received wisdom in security circles. This also means that you have to deal with security differently inside your organization. Gone are the days when security personnel could focus solely on keeping the bad guys out. Attackers will get in eventually, and once they do, limiting the damage depends on how quickly the people who run the systems notice and act. That means non-security people inside organizations need to know more about security, and for that to happen, the gap between the two sides needs to become smaller.

The gap is real, that’s for sure

From the discussion between the participants, it is very clear that the gap between security and operations is a fundamental one. Many noted the lack of alignment between the two sides, usually in the form of management not understanding why it's important to bridge the gap. As a result, more often than not, little has been done to address the issue in the first place. Securing the budget to actually do something about it isn't easy either, which makes it an even bigger hurdle.

There appears to be a lack of awareness in many organizations. But even where there is awareness, the next hurdle is access to education, which is lacking as well, based on feedback from the group. Over-regulation inside organizations was also cited as a reason for not being able to bridge the gap, with security teams more or less being forced to operate on an island.

It's not all about a lack of awareness at the important levels inside organizations, though. Technical issues were also regularly cited as factors for not being able to bridge the gap, ranging from having too many point solutions to make sense of the security picture in the first place, to too much focus on technology instead of on the people who have to work with it. A lack of understanding of what mobile phones, mobile workers and something like Office 365 mean for an organization's attack surface was also cited as a complicating factor.

Better technology and management are the answer

Asked what the best-case scenario for bridging the gap would be, irrespective of what is feasible and what isn't, the same division as above arose. Some focused on things like management, processes, and the overall organizational layout, others on specific technical enhancements to tackle the issue. Automation is also seen as absolutely necessary in security, as is having a 360-degree approach, which obviously clashes with the enormous complexity in security nowadays that was noted in the first step of the discussion.

One wish that came up multiple times was to have 100 percent buy-in from management. That's crucial in any change inside organizations, but perhaps even more so when you wish to bridge a gap as big as the one between security teams and operations.

Education was also seen as a vital part of the best-case scenario. Not just once, but ongoing: everyone inside an organization needs a continuous improvement plan. Also, we shouldn't only focus on awareness. Practicing what happens when there's a breach, for example by walking through an incident scenario with the people who would actually have to respond, is also very important. Going beyond awareness also creates a bigger sense of accountability among the people working across the organization. Without accountability, it's not possible to bridge the gap.

What can we do now?

The most important step of the discussions during the workshop is also the most difficult one. It's not so difficult to identify what's wrong with the current state of affairs, or what you would ideally like to have. Coming up with feasible next steps is a different kettle of fish altogether. First, because it's hard to state in general what can be done everywhere and by everyone, irrespective of whether you're an end user, an MSP doing it for a customer, or a vendor trying to incorporate it into their offering.

The attendees at the workshop, however, managed to come up with some interesting and good points, again divided between technological approaches and organizational ones. So we had very specific technological recommendations, like having a very good back-up strategy (one where restores are actually tested and at least one copy is kept out of reach of an attacker who has compromised the production network), but also more general ones, like adopting a zero trust model of security.

When it comes to the more organizational next steps, there was rather broad consensus that doing stress tests as well as risk assessments is important. That's where it all starts. You need to know what you have before you can protect it, which means an inventory of systems, data and the people who depend on them. We know from experience that many organizations still haven't done that. By far the most important thing you need to do as an organization, though, is to get going and take those first steps towards a security by design strategy for your entire organization, in which everyone is aware of the risks, but also feels accountable for trying to prevent being hacked or breached.