Information security has become such an integral part of IT that at a growing number of organizations, the two are virtually indistinguishable — from an organizational standpoint.
Many companies are attempting to more tightly integrate IT security strategy with IT strategy. That can mean blending departments, changing leadership structures, and embedding security earlier in the development pipeline, among other tactics.
About two thirds of organizations say their IT security strategy and IT strategy are tightly integrated, with IT security being a key component of IT roadmaps and projects, according to CIO’s 2019 State of the CIO survey.
But looking ahead, the two become even more indistinguishable, with 83 percent of organizations expecting to tightly integrate IT security strategy into their overall IT strategy within the next three years.
“I think we’ll be seeing IT and security strategies be woven together, but in a different way than we’ve seen in years past,” says Nathan Wenzler, senior director of cyber security at Moss Adams, a security consulting firm.
“Where information security has commonly been regarded as just a subset of the IT department and was just where the security tools like firewalls and spam filters were managed, now it’s becoming more common to see InfoSec teams be regarded for what they really are: risk management functions,” Wenzler says.
And it is in risk management and mitigation where IT and security strategies most closely align. A common example is application security. Security teams today are much more concerned about how code is being securely moved from a developer’s testbeds all the way to production, with proper testing and controls along the way, Wenzler says.
Security strategies will identify areas where code can be compromised or lose integrity due to human error or mistakes, and provide recommendations for what should be done to mitigate or eliminate those risks, Wenzler says.
“IT teams then step in to identify what tools will best sit on the existing infrastructure, will integrate with existing development tools and processes, and implement the right technology to provide these controls,” Wenzler says. “This is where modern strategies align best, without expecting security teams to be the IT experts and vice versa.”
Here are some tips on how to more tightly integrate security practices into your IT strategy.
Empower the top security executive
Bringing IT and security closer together should not mean taking authority away from security executives; in fact, they should be given more say in strategic planning.
At Park Place Technologies, a provider of maintenance services for storage, server, and networking hardware, IT strategy and IT security strategy are tightly integrated and cyber security leadership plays a key role, says CIO Michael Cantor.
“Our director of information security has a seat at the table for all strategic discussions, including the yearly budget cycle,” Cantor says. “He has created a five-year security roadmap, which embeds goals for each of the security functions to ensure that expected progress is made during the course of the year.”
For instance, one of the director’s goals is to increase internal competences around vulnerability scanning so that Park Place Technologies can scan more frequently at lower cost. That goal, in particular, is integrated into the infrastructure function’s 2019 goals. And it’s translated into the implementation of internal scanning technology and a project focused on using that technology to scan on a more frequent basis, Cantor says.
The security function needs to be at an appropriate level of the organization, at least reporting to the CIO if not the CEO, Cantor says. “Independence is necessary to ensure the security voice is heard without being suppressed inside other IT functions, such as infrastructure,” he says.
Get support for integration from senior executives
How many initiatives go off the rails because of a lack of support from the most senior people in the organization? IT and security integration can face the same fate.
“Gain buy-in from the board, C-level, and leadership teams,” says Joe Cardamone, privacy officer at Haworth, a global furniture design and manufacturing company. “Much information exists on the internet around the benefits of early integration of information security architecture and strategy.”
Showing the benefits and gaining the acceptance and support of leadership helps to break down barriers, Cardamone says. Also, if senior executives understand the value of security, they might be more inclined to see the value of IT and security integration.
“Show how information security can enable business, not just be another bump in a workflow,” Cardamone says.
It’s even better when IT and security each have a direct line to senior executives.
At Rosendin Electric, an electrical contractor, this direct line is imperative, says James McGibney, senior director of cyber security and compliance. “Fortunately, our cyber security group is within our IT organization and reports directly to our CIO and CEO,” he says. “They, along with all of our executives, are very supportive with respect to our ongoing IT and security efforts.”
This report process works “flawlessly,” McGibney says, “and our senior executives fully understand the importance of maintaining a strong security posture. If we have a pressing need with respect to getting a security solution deployed, they always provide us with unwavering support.”
Communicate frequently and build relationships
The need for good communication among IT and security people cannot be overstated, and is vital for effective integration.
Communication between the two disciplines is vital at Rosendin Electric.
“The human element is the biggest risk facing any IT organization today,” McGibney says. “A successful phishing campaign can easily bring a company to a screeching halt. To provide true defense in depth, IT and security need to work together to implement solutions across the attack surface, whether it be on-[premises] solutions or cloud-based. What the security group implements effects infrastructure and what infrastructure implements effects security. They truly go hand-in-hand.”
IT and security teams need to understand what they are both trying to accomplish, and why it’s important to the organization, Wenzler says. “It’s easy to get risk strategies out of alignment with technology goals when the two sides don’t talk to each other,” he says. “While separate functions, they are integral to each other’s success, so without constant communication they’ll remain out of sync.”
It’s also important for the two disciplines to build better relationships with each other. Information security people are sometimes seen as roadblocks to projects and hindering workflows, Cardamone says.
In order to help build bridges, the information security team needs to emphasize team play.
At Haworth, IT engineers and the information security team hold monthly meetings to discuss upcoming changes, projects, challenges, and other concerns that would be beneficial to either party, Cardamone says. “What makes this work most effectively is the leadership teams being on board with supporting this type of behavior, and moving past the siloed behaviors typically seen in IT,” he says.
Leverage security standards and use comparable metrics
Companies looking to integrate IT and security should consider using a standard security framework such as those created by the National Institute of Standards and Technology (NIST) to set goals for the security environment.
“This enables the creation of a security roadmap that can be prioritized effectively and shared with all functions to set yearly targets,” Cantor says.
The use of a framework for standardizing security operations within a company ensures that all aspects of security are identified and can be prioritized for risk and maturity targets. Once a company chooses a framework and deploys the various elements based on how applicable they are to the particular situation, “the company then basically has a security strategy,” Cantor says.
“It’s very rare that security can achieve a particular goal just within its own function.” Cantor says. “It usually takes a combination of the other functions to attain a security goal, so this kind of integration with the overall IT strategy is key to success.”
In addition to standards, IT and security organizations should aim to
use comparable metrics so that there’s no confusion about end goals. Many times, security teams start to measure risk or even success in ways that have no relevance to IT teams or operational functions, Wenzler says.
“Likewise, uptime measurements or help desk responses may touch upon the ‘integrity and availability’ pillars for security, but don’t properly address risk matters,” Wenzler says. “Make sure that everyone understands the metrics being used, and leverage metrics that can reveal risk reduction through technology improvements.”
Build data protection into the company’s offerings
Effective IT and security integration should extend to the products and services a company provides to its customers and uses internally — regardless of the industry.
“Building data protection within our IT offerings is paramount,” McGibney says. For example, when an employee is issued a company cellphone, it’s immediately registered within a unified endpoint management system. If employees bring their own devices, they also must be registered or the devices are not allowed to access any company resources.
“With the ferocious advent of phishing campaigns, any company runs the risk of an employee clicking on an obfuscating link, entering their login credentials — and the rest is history,” McGibney says. “The hacker not only has unbridled access to your Active Directory infrastructure; they also have access to your processes and procedures. That, in turn, usually leads to more focused phishing attacks.”
The internet of things (IoT) expands the attack surface. “Everything that touches the internet becomes a potential point of entry to the enterprise,” McGibney says. “Phones, tablets, laptops, desktops, security cameras, lighting controls, thermostats, VR [virtual reality] devices, etc. All of these devices need to fall under some kind of patch management and vulnerability management process.”
Hackers are arguably some of the smartest people in the world, McGibney says. “When they are determined and focused on infiltrating your environment, they will use any means necessary to accomplish their goals,” he says. “Whether this occurs via social engineering or a phishing campaign, companies must remain vigilant and security conscious.”