
IT and Security – A Love Story

Posted by: Batya Steinherz

The Montagues and the Capulets. The Sharks and the Jets. Security and IT. Some rivalries are well-known to be irreconcilable. The difference is that the Sharks and the Jets didn’t have to work together, while Security and IT do. So, what if you could turn this traditional rivalry into a well-oiled efficiency machine?

But before we jump into the how, let’s examine the why – or the roots of the issue. The fractious nature of the IT-Security rivalry comes down to priorities. IT teams generally prioritize stability and availability – making security a priority only inasmuch as it affects these holy grails. For security teams, the top goal is to lock down systems, reducing attack surface and overall risk. If a system needs to go down for patching immediately to achieve this – so be it. A survey of some 1500 CIOs and CISOs conducted by Forrester confirms this. It found that the top three IT priorities and top three Security priorities were:

Rank  IT                        Security
1     Efficiency                Incident resolution
2     Preventing data breaches  Preventing data breaches
3     Outage prevention         Efficiency

Despite these seemingly irreconcilable differences, the fact is that in many organizations Security and IT have been able to learn to love (or at least tolerate) each other. To find out how this can happen and what each side stands to gain from making the effort, we sat down with several of our in-house experts, Shay Siksik – VP Customer Success, Dan Anconina – CISO, Shahar Solomon – Customer Success Team Lead and Gali Rahamim – Customer Success Manager to get their advice:

10 Tips to Get Security and IT on the Same Page

  1. Security needs to justify IT’s effort by explaining the risk and the potential impact of changes requested on the business. It’s not good enough just to provide IT with a to-do list. You need to sit with the relevant teams and demonstrate security solutions so that they have a proper understanding of the goal of each.

  2. To smooth interdepartmental cooperation, define operational processes that facilitate collaboration between Security, IT and DevOps. This should include joint IT/Security committees, mutually recognized KPIs, and limits that ensure IT can manage its workload – while ensuring that Security remains focused. Help IT justify headcount for a remediation team vis-à-vis management.

  3. Nobody likes major change. So Security and IT need to work together and agree on changes that will improve security, while minimizing adjustment to procedures. Together, IT and Security can weigh the impact of changes against the effort involved. And once you’ve decided what needs to be done, work together on how to make it happen: delineate milestones, define resources required, track business goals.

  4. Since many attacks are based on outdated versions of desktop applications (Adobe, KeePass, Office, etc.), one small way IT can help Security is by educating users to update these applications and managing the updates or patches centrally where possible.

  5. A strong IT-Security alliance in the company leads to safer infrastructure. To make this happen, a wise CTO will educate the IT department on security – helping them understand why they need to apply that patch or reduce those permissions. He or she will strive to integrate security into IT processes – rather than leaving it as a separate function. A platform like XM Cyber really facilitates this, since it shows IT both the attack vector in question, and how a single patch can reduce the risk. It also offers multiple remediations, so they can choose the one that works best for them.

  6. It’s crucial to eliminate the competition between IT security and IT operations. Says Dan, “I see how this is happening in our IT operations clients, who use our platform proactively. The people responsible for servers, for example, have set up some of their own scenarios and solve problems better than in the past. People are seeing that their actions make their area of responsibility more secure.”

  7. Ongoing, meaningful conversations between Security and IT operations facilitate laying out what exposures should be addressed and getting buy-in from all sides to take action. For example, when you understand together that you lack compensating controls in certain areas, you can decide together that new priorities are needed.

  8. Make sure Security deeply understands the network. Security can learn from IT what the network looks like, what infrastructure is critical, and what assets must be protected. You may even discover assets you didn’t know about – simply because no one thought it was important enough or just overlooked telling you.

  9. When IT and Security teams collaborate, they can respond more quickly and effectively to cyber incidents, minimizing the impact on business operations. When creating an incident management policy, for example, IT should play an important part in the flow. Once you understand exactly how IT should act in case of a cyber incident, the policy can be updated based on this knowledge and a deeper understanding of IT capabilities.

  10. And finally, be nice: give kudos when IT teams accomplish goals and make sure management knows, too.

The Bottom Line

While some counterparts will likely never work well together, IT and Security can and do. Once goals are aligned, and there’s a willingness on both sides to put the welfare of the organization first – the sky’s the limit on the IT and Security love (or at least not-hate) story.
