It's time to break down the silos and build strategy and process as a unified team
IT strategic plan – aligned with the business and coordinated with security
Most organizations maintain an annual strategic plan that aligns IT strategy with the overall business strategy. But just as important is coordinating that strategic plan with the security team, so they are prepared to support your strategies.
New cloud services
I was working with a large financial organization in 2017 when one of their IT infrastructure managers approached me about building security guidelines for new AWS instances they were planning on provisioning. I later learned that the security team had no idea this was in the works. IT leaders, ask yourselves, “have I engaged the security team?” They should be helping you build a list of security feature requirements that the security team will need in order to maintain secure authentication and authorization, logging, instrumentation and visibility. Keep in mind that your security team will need to monitor this environment the same as if it were in your data center.
The same large financial organization would make a handful of acquisitions each year. Their security team had no advance information; IT would simply connect the acquired entity to the corporate network, and AD trusts were created in every direction.
Here’s the thing. You may not be given any prior details about acquisitions. But as you plan for integrating new entities into your infrastructure, your security team needs to be doing the same. They will need to evaluate if they have the resources for a growing environment. And both teams should plan for how you will assimilate foreign technology platforms and outside IT resources. Simply connecting new untested entities is a recipe for more breaches.
I have worked with a number of entities that had to deal with a change in the business that resulted in terminating or laying off multiple employees. The security teams rarely hear about these events before the layoffs are announced. Then they scramble to deal with the aftermath, processing the account terminations quickly and effectively.
It’s important to coordinate a plan with the security team (and HR) and make sure the termination process is well conceived and practiced. Your security team will want to be informed of the termination list as soon as it is finalized so they can monitor for any signs of insider incidents.
It’s time to build security into everything we do
It’s past time we moved out of reactive mode. IT professionals need the skills and understanding to build secure systems and code securely. Your security team can act as your consultants and subject matter experts, helping develop secure architectures and requirements and consulting on implementation. If your security team isn’t doing this today, it’s time to raise the bar on them, or find outside consultants who can help. Your IT folks may need training as well, so be prepared to address that gap.
Another area where IT folks need to jump on the security bandwagon is building and maintaining an accurate asset inventory. The security team needs to know where the sensitive data resides, and which open source libraries (and more importantly, which versions) your applications are incorporating.
Get your security team more involved in everything IT related
It’s time to turn your security team into advisors and mentors for the IT folks to leverage as needed. This will likely mean the security team will need to free up their time to get more involved. To that end, the security team will need to automate more tasks and extricate themselves from tasks that don’t further the security mission.
Technology leaders – you need to understand the attack landscape and communicate the message!
The security message needs to come from more than just the security team and its leadership. And let’s face it, if you’re going to be successful in the areas I highlighted, you’ll need to be better educated on what attackers are doing. You’ll also want to learn how your team can be more proactive in stopping and hampering more of these attacks.
Technology leaders that understand attacker methods are in a better position to help communicate the security message and maintain a unified voice to business leaders and the board. This is essential to combat the perception by many business leaders that security is simply “black magic”.
All of this requires better communication and partnership with the security team. It may require training for technology leaders and professionals, and it will certainly transform the security team and its mission. But most importantly, it will transform the business and how it considers and manages cyber risk.