As the calendar flipped over to a new year, I’ve found myself spending some time pondering questions and trends, questions that range across the spectrum:
How can I eat more fruit and vegetables? Will a Canadian team actually be a contender for the Stanley Cup? What will life post-COVID look like? Why are we struggling to operationalize concepts like SecOps when we know they are key to business success?
The topic of SecOps is one I’m quite passionate about. As a former CIO, I know first-hand how challenging it can be to create true collaboration between IT operations teams and security teams. I also know the importance of making it happen – sooner rather than later. As organizations wrestle with the volume and velocity of business and technology change, keeping your environment secure and risk aware is something you must do to contribute to corporate success.
How to Make it Real
So why is it so hard to make SecOps work in the real world? While every organization will have a slightly different set of challenges to work through (a lack of security talent, silos between teams, out-of-date skills, etc.), I wanted to share five common keys that I have seen emerge from organizations that have successfully adopted SecOps.
1. Understand where you’re starting from
The journey to secure operations will be full of many twists and turns, and like any expedition, you must know exactly where you are to ensure each step moves you in the right direction and not off a cliff. You will have tools – probably many of them – that provide you with reports, lists, maybe even diagrams of what is in your IT environment, but I’ve found most of those don’t give you the actual picture in real time. Remember that story of the workstation under the developer’s desk that brought down production? Don’t be fooled into thinking your existing scanning tools are good enough just because you have reports, lists and diagrams.
If you’re not regularly finding those ‘gotchas’ – development servers connected to production systems, new unknown connections from one business application to another, cloud servers connecting to other cloud environments or to your on-premise data centers – then your understanding of where you are is flawed, and your next step could be a very long one.
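As an added illustration of this first key (not code from the original post): a small Python check that compares observed network flows against an approved-connection inventory and flags dev-to-prod links, cloud-to-on-prem links, and any path the inventory does not know about. The subnets, approved paths and flow records are constructed sample data, not a real environment.

```python
# Added example, not from the original post: compare observed network flows
# against an approved-connection inventory and flag the "gotchas" the post
# describes. All subnets, hosts and flows are constructed sample data.
import ipaddress
from collections import namedtuple

Flow = namedtuple("Flow", "src dst dport")

# Constructed inventory: one subnet per environment.
ENVIRONMENTS = {
    "dev": ipaddress.ip_network("10.10.0.0/16"),
    "prod": ipaddress.ip_network("10.20.0.0/16"),
    "onprem": ipaddress.ip_network("192.168.0.0/16"),
    "cloud": ipaddress.ip_network("172.16.0.0/12"),
}

# Constructed approved paths: (source env, destination env, port).
APPROVED = {("prod", "prod", 5432), ("cloud", "cloud", 443), ("dev", "dev", 5432)}

def env_of(ip):
    addr = ipaddress.ip_address(ip)
    for name, net in ENVIRONMENTS.items():
        if addr in net:
            return name
    return "unknown"

def classify(flow):
    # None means the flow matches the inventory; otherwise a finding label.
    s, d = env_of(flow.src), env_of(flow.dst)
    if (s, d, flow.dport) in APPROVED:
        return None
    if s == "dev" and d == "prod":
        return "dev-to-prod"
    if s == "cloud" and d == "onprem":
        return "cloud-to-onprem"
    return "unknown-path"

def find_gotchas(flows):
    return [(f, label) for f in flows if (label := classify(f)) is not None]

SAMPLE_FLOWS = [
    Flow("10.20.1.5", "10.20.2.9", 5432),     # prod app -> prod DB, approved
    Flow("10.10.3.7", "10.20.2.9", 5432),     # dev workstation -> prod DB
    Flow("172.16.4.2", "192.168.5.10", 445),  # cloud host -> on-prem share
    Flow("10.20.1.5", "10.20.7.1", 8080),     # prod -> prod on unlisted port
]

if __name__ == "__main__":
    for flow, label in find_gotchas(SAMPLE_FLOWS):
        print(f"{label}: {flow.src} -> {flow.dst}:{flow.dport}")
```

Feeding this real flow or firewall logs instead of the sample list is what turns a static diagram into the real-time picture the post asks for.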
2. Use a framework to make your plan
Your plan must be tethered to a cybersecurity framework that makes sense for your organization. It provides a necessary map to help you communicate progress, next steps, and current risk to your internal and external stakeholders. Without selecting that common language, deciding and agreeing on the right actions between your security and operations teams will be next to impossible. A great example of a framework we’ve seen adopted successfully is the NIST Cybersecurity Framework 1.1, but there are a handful of others that may be more relevant to the industry you’re in. The key here is to have all plans communicated through the language defined by the chosen framework that considers the needs of the organization, and the goals of each team.
3. Connect to the Business Strategy
Security is not something you add in later. If you are getting a new front door installed in your house, you would never expect to come home and find it installed without a lock. Your executive team will react the same way if an audit identifies a system without proper security controls. I’ve found using the mantra ‘Design with Security in Mind First’ can work wonders in an organization to avoid those nasty surprises.
But that’s still not enough. Often vulnerability scanning uncovers a long list of gaps and issues that will overwhelm both security and operations teams if they try to fix everything. You must prioritize this work, and an easier way to do that is to focus efforts on those things that map directly to items in the business strategy. Part of connecting to that business strategy must be identifying what the “Crown Jewels” of your organization are – what is the most sensitive information that you need to protect? When you do that, you are acting with Security in Mind First, with what matters most in your organization, and you will know where to focus your effort on installing the doors that have locks on them.
4. Communicate, Communicate, Communicate
SecOps is an ongoing practice that requires collaboration across your teams. It’s essential to prepare teams by implementing a Security Awareness Program throughout the organization. Most leaders agree that everyone should be responsible for security, but this principle is rarely upheld on a day-to-day basis. And that’s bad news. I’ve found one of the most effective communication tactics is training – we humans remember so much more when we ‘do’ something than when we just listen or read. So,
- Train your developers on secure development best practices.
- Train your operations teams on basic security practices so they can configure servers securely and adopt security as part of the configuration management process.
- Train the company on security best practices. Reduce the risk of a breach by making sure that every employee participates in security training.
5. Make sure you plan for shelter
SecOps includes Security and IT Operations; it is not security operations alone. To bring the business, security and IT together, you must have executive sponsorship that understands the benefits of SecOps (namely decreased risk and increased business ability) and will advocate for those benefits in balance. Sometimes you can find one person on the executive team who has the understanding and authority to direct business, security and IT operations groups, but most times you have to create a committee with all three areas represented. Security can’t be sacrificed for the sake of business speed, but those decisions need to be made at the top of the organization.
Without Executive support you’ll be standing on shaky ground, without protection – and usually in-between two or three teams that are on a battlefield pointing some pretty high-powered weaponry at each other. Not a comfortable place to be.
I wish I knew the answers to my beginning-of-the-year musings; sadly, I don’t.
What I can tell you is that the benefits of a SecOps program are practical, real and measurable. I can also promise you that if you don’t bring your Security and Operations teams together, the gap will simply increase and your company will continue to struggle to manage risk against the ever-increasing competitive pressures to innovate and evolve. Take a hard look at these keys – are you addressing them? If you need help, let me know.
Feel free to check out a webinar we hosted last year on this topic, where many of these keys first originated.