Family Dysfunction: IT Ops vs. Sec Ops
Another article that made me smile thinking about past lives and the inherent mistrust I witnessed between IT operations and security operations. If the public truly knew what went on internally at an average company, they would understand how breaches happen every day. I am specifically thinking about large companies; SMBs have similar challenges, but for them it is normally a resource issue. Large companies, however, have budgets that go into people, process and technology for cyber security, yet (on average) we are no more secure today than we were 5, 10, or 15 years ago. That’s why security vendors keep showing up to fix it: our house is dysfunctional and in need of repair.
Let’s take my favorite subject, vulnerability management. Time and time again, after a breach, an executive says something about the hundreds of thousands of vulnerabilities and the inability to patch them all. To the public this is a failure of the security team, right? But is it really?
NEWS FLASH: Yes, the responsibility to identify vulnerabilities in an environment belongs to the security team; however, the responsibility to actually execute and patch those vulnerabilities resides with IT operations. There’s the dysfunction. A CISO could be screaming, WE NEED TO PATCH THIS, but if IT Ops disagrees there is a chance it may not happen. The typical IT Ops line is “We don't want to disrupt the business.” This is one of the reasons I believe the CISO should not report to the CIO: if security sits under the CIO, IT can trump security, which sets the improper tone for the security team. Why do my job and identify all of our holes if no one cares enough to plug them up? Do not get me wrong, security professionals are not doing themselves any favors either: vulnerability management should not send IT a report with 100,000 vulnerabilities and say, “here you go, patch them.” That is one sure way to get your request ignored!
The time has come for the relationship between IT Ops and Sec Ops to heal. It does not have to be a contentious relationship; we should all be working together to accomplish a specific goal. I can guarantee that the criminal organizations attacking your company are not going through internal bickering about who knows the best way to steal whatever it is they are after!