At many companies, there's a gap between security and what is generally called operations, or more colloquially, 'the rest of the organization'. That gap is becoming an issue, because the days when only the security team needed to know about security are behind us. So, what can you do about that?
In order to answer this question, we were asked by CompTIA (see the bottom of the page for more information about this non-profit organization) to host and moderate a workshop on this topic, co-moderated by Luc van Roey from F-Secure, for the CompTIA Benelux Community in Belgium. Approximately 30 business leaders attended and discussed the issue. The set-up of the workshop was to first get an idea of what the situation is like now, before going on to how the attendees would like it to be, and finally arriving at some feasible next steps to tackle it.
Before we start: the issue at hand
Before going into what was discussed during the workshop, let's first briefly outline, for the sake of clarity, why this gap is becoming an increasingly bigger issue.
It's virtually impossible to view the gap discussed during the workshop separately from the bigger security trend of shifting focus from prevention to detection. The saying 'it's not if, but when you will be hacked' has become more or less received wisdom in security circles. This also means that you have to deal with security differently inside your organization. Gone are the days when security personnel would focus solely on keeping the bad guys out. They will get in eventually, which means non-security people inside organizations need to know more about security. In order to do that, the gap between both sides needs to become smaller.
The gap is real, that's for sure
From the discussion between the participants, it is very clear that the gap between security and operations is a fundamental one. Many noted the lack of alignment between the two sides of the equation, usually in the form of management not understanding why it's important to bridge the gap. That is, more often than not, little has been done to address the issue to start with. Securing the budget to actually do something about it isn't easy either, which makes it an even bigger hurdle.
It is clear that there appears to be a lack of awareness in many organizations. But even if there's awareness, the next hurdle is access to education, which is lacking as well, based on feedback from the group. Over-regulation inside organizations was also cited as a reason for not being able to bridge the gap, with security teams more or less being forced to operate on an island.
It's not all about a lack of awareness at the important levels inside organizations, though. Technical issues were also regularly cited as factors for not being able to bridge the gap, ranging from having too many point solutions to make sense of the situation from that side in the first place, to too much focus on technology instead of the people who have to work with it. A lack of understanding of what mobile phones, mobile workers and something like Office 365 mean for organizations was also cited as a complicating factor.
Better technology and management is the answer
Asked what would be the best-case scenario to bridge the gap, irrespective of what is feasible and what isn't, a similar division arose as above. Some focused on things like management, processes and the overall organizational layout, others on specific technical enhancements to tackle the issue. Automation is also seen as something that's absolutely necessary in security, as is having a 360-degree approach, which obviously clashes with the enormous complexity in security nowadays that was noted in the first step of the discussion.
One wish that came up multiple times was to have 100 percent buy-in from management. That's crucial in any change inside organizations, but perhaps even more so when you wish to bridge a gap as big as the one between security teams and operations.
Education is also seen as a vital part of the best-case scenario. Not just once, but ongoing. Everyone inside an organization needs a continuous improvement plan. Also, we shouldn't only focus on awareness. Practicing what happens when there's a breach, for example, is also very important. Going beyond awareness also means there's a bigger sense of accountability among the people working across the organization. Without accountability, it's not possible to bridge the gap.
What can we do now?
The most important step of the discussions during the workshop is also the most difficult one. It's not so difficult to identify what's wrong with the current state of affairs, or what you would ideally like to have. Coming up with feasible next steps is a different kettle of fish altogether. First, because it's hard to state in general terms what can be done everywhere and by everyone, irrespective of whether you're an end user, an MSP doing it for a customer, or a vendor trying to incorporate it into its offering.
The attendees at the workshop, however, managed to come up with some interesting and good points, again divided between technological approaches and organizational ones. So we had very specific technological recommendations, like having a very good backup strategy, but also more general ones, like adopting a zero trust model of security.
When it comes to the more organizational next steps, there was rather broad consensus that doing stress tests as well as risk assessments is important. That's where it all starts. You need to know first what you have before you can protect it. We know from experience that many organizations still haven't done that. By far the most important thing you need to do as an organization, though, is to get going, and take those first steps towards a good security-by-design strategy for your entire organization, in which everyone is aware of the risks, but also feels accountable for trying to prevent being hacked or breached.

Who are CompTIA?
CompTIA, a not-for-profit organization dedicated to, among other things, making relevant connections between people in the IT industry, entered the Benelux market last year. Besides the two meetings in Belgium, there have also already been two in the Netherlands. The initial response to the meetings has been encouraging, growing from only a handful of registrations for the first meetings in Belgium and the Netherlands to approximately 80 for the second ones. The goal is to have one meeting every quarter. The meetings are aimed at business leaders, IT professionals, MSPs and vendors. IDG has been supportive of this initiative from the beginning in the Benelux region.