How should IT and security work together?
IT and security clearly need to work well together, but that will be difficult if they don’t understand each other. “It is impossible to have both IT and security function well without each having the context of the other,” says Thomas. Just passing security vulnerabilities “over the wall” to the IT team is an inefficient process that no longer works, he adds. Thomas cites organizations having success embedding security in core operations. “You see some success in the devops world where some innovators look at how they build security into the development process.”
“Security cannot be successful separate of IT. The ability to have an integrated view and apply security and IT operations closer together is key to having success,” Thomas says.
Thomas believes that communication and collaboration between IT and security are important, but cautions against seeing that alone as a solution. “In some ways, [focusing on communication and collaboration] is a distraction, because it gives in to this notion that you can treat security as an appendage,” he says. “I can have IT processes that are inefficient and don’t work. I can have escalating vulnerabilities in my environment because my attack surface continues to expand as I deploy technologies faster than I manage them. And it’s fine because I just need to communicate technologies that are deploying into the security team.”
“If you have not designed a process that allows you to update and maintain secure technology as it’s deployed, even if you communicate, you’re still going to be behind. Communication and collaboration are absolutely important, but they are not the root cause of the problem.”
What can an integrated IT/security organization do to foster innovation?
In his United 2017 keynote address, Thomas lists four skills that an integrated IT and security organization needs to excel at:
- Mastery of data is required to understand the environment, the service experience, the risk profile, and identify attacker behavior.
- Mastery of user and customer experience is about understand not just the needs of the organization but the type of experiences that make those needs not just achievable but highly likely.
- Mastery of integration is the realization that we don’t create experiences from scratch, but rather extent, leverage, and from other products and services
- Mastery of automation is about developing the capacity to manage and maintain systems that expand and morph at fast rates.
“This is a very different set of skills than what our organizations thrive at today,” Thomas said in his keynote address, “but many of our society's biggest challenges have demanded that we think differently and try new approaches.”
He notes that the same data used to troubleshoot an environment from a security perspective—collect log data, do forensics across the environment, identify what applications and users are affected—is the same data used to troubleshoot performance issues or which of your assets need to be updated. “An integrated view of the environment will ensure that you have the right data to serve all those domains well,” Thomas says.
Sign up for CIO Asia eNewsletters.