Aligning Operations: IT – Business – Security

BrandPost By Scott Hollis
Sep 10, 2015


In every organization, separate operational groups exist in IT, business and security. These groups often have different priorities, which can lead to conflict. Successful security leaders align the three operational groups to assure security and compliance. Ultimately, this alignment is best achieved when security priorities and goals are driven through business operations, not IT Operations.

Conflicting priorities

While today’s IT environments can be a confusing assortment of infrastructures, networks, and applications, we should not forget why IT exists – to improve business productivity via technology. Job #1 for IT Operations (ITOps) is business enablement and business continuity; the vast majority of their priorities are driven by the businesses they support.

The business operations teams (DevOps) are driven by agile custom application delivery. The development and delivery of business applications is faster and more dynamic than ever before. DevOps is considered by many organizations today as the most critical enabler of business growth. The priority for DevOps is making things happen, and fast, even if it is challenging for ITOps to keep up.

The Security Operations (SecOps) group is often stuck in the middle. SecOps’ never-ending mission is to secure the business and maintain compliance. Where DevOps and ITOps want to deliver fast and furious, SecOps wants time to verify application and supporting infrastructure security: to ensure there are no vulnerabilities, that configurations adhere to policy, and that regulatory and compliance requirements are met. Doing this can interfere with near-term business priorities, and if security leaders are not careful, security can be viewed as a business inhibitor.

Aligning with ITOps alone is not the answer

SecOps often focuses on ITOps to achieve their goals. SecOps establishes policies, identifies vulnerabilities and misconfigurations, and pushes ITOps to apply patches, utilize baseline configurations and drive updates through the change control process. This is good conceptually, but it leaves out the other group that ITOps is beholden to: DevOps. When ITOps must choose between applying patches that SecOps needs and delivering critical apps and infrastructure that DevOps needs, security leaders should expect them to prioritize what DevOps needs! It’s not because security is not important to them, it’s simply a matter of conflicting priorities, limited resources, and supporting business growth.

Get the business to prioritize security initiatives for you!

Successful security leaders know that the key to aligning these three operational groups is DevOps and the business, not ITOps. The real focus should be on DevOps and the business leadership. Using common metrics, including industry benchmarks and identification of cost reduction opportunities, resonates with business leaders. SecOps teams are very aware of threats and of the consequences of a breach to the organization and its leaders. But for many business leaders, a breach is just a possibility. Their most important goal is business continuity.

So look for security risks and opportunities that positively impact the business goals. An example of this is a cost reduction that can be achieved through standardized configurations, which, by the way, are also more secure and meet compliance requirements. Additionally, when you help the business leadership to understand the risk profile of their new applications and infrastructure and to agree on an acceptable level of risk, the security requirements to address unacceptable risk will most certainly appear in roadmaps. Since ITOps aligns to the business roadmaps and initiatives, they will work to address and mitigate business risk in order to deliver on those roadmaps. In the end, SecOps will become a partner for, instead of a perceived inhibitor to, the success of both DevOps and ITOps.

For additional reading on this topic, read the Tenable Network Security blog where 15 security leaders answer the question, “How have you been unsuccessful communicating security to the business, and how did you turn it around?”