AlgoBuzz Blog

Everything you ever wanted to know about security policy management, and much more.


Top Tips to Align IT with the Business

There’s a trending thought process that IT isn’t there just to support the business, but to drive the business (see my previous blog on this topic). Either way you look at it, in order for business to run smoothly in today’s environment, IT and the business must be aligned. What does this mean? First, IT itself must be aligned! While IT operations and security teams have unique responsibilities for ensuring that the business can run, there are times when they overlap, and if they’re not aligned, business continuity suffers. Then IT as a whole must be aligned with the business. Here’s where things get tricky:

  1. The number one goal for security teams is to protect the business.
  2. The IT operations department’s goal is to keep systems up and running.
  3. Application owners are focused on the availability and performance of the applications that they manage.

In order to achieve alignment across these teams, organizations must re-examine current security, operations and business processes and identify the areas where they need to add or enhance the necessary checks and balances, without impeding productivity. Here are a few tips:

Tip 1: Break down the organizational silos.

Application owners, network security and operations staff working in silos is a clear path to trouble and a major contributor to business disruption.

  • Identify areas such as change management and audits where both of these teams play a significant role.
    • Audits bring consternation to multiple teams. Not only do audits raise questions from outside, but they can often lead to distrust amongst different stakeholders if not managed well. A proactive approach and teamwork based on the above steps can make a huge difference. If you can ensure continuous audit-readiness by capturing the required information and being able to access it quickly, you not only increase visibility across all stakeholders but you can also reduce inter-department friction during “crunch time”.
    • Poor change management, where business and IT aren’t aligned, oftentimes results in an outage, either to a critical application or to the network. Document and enforce a formal security change management process that incorporates all of the key stakeholders. This allows for the proper checks and balances and the proper visibility from all angles (application connectivity needs, security and compliance checks, and broader network requirements).
  • Develop or enhance/update a standard operating procedure (SOP) for how these two teams will work together on a typical day when crisis hits. This SOP will address day-to-day situations and will take into account the concerns of all teams. You also want to set up a taskforce with stakeholders from each of the departments. As you know, you can’t predict when users will make requests to the network by adding new applications or devices; however, you can prepare for dealing with those requests. You can minimize security risk from poor change or out-of-band change processes by designing plans with your counterparts that address these situations (or other ‘knowns’ such as network upgrades, change freezes and audits).
  • Define management by objectives (MBOs) and performance targets that include both individual and higher level targets by working with your management and colleagues. Note that everyone will lose if security is compromised due to poorly configured change. Additionally, the business will lose if security requirements are so stringent that SLAs cannot be met.
  • Schedule weekly/monthly/quarterly review sessions between the groups that focus on internal process improvements. Building relationships and over-communicating with peers from other teams not only creates awareness and enables joint decision-making; people also typically react and respond better to friendly faces.

Tip 2: Automate processes.

This goes hand-in-hand with our first tip. Security change management usually falls down due to teams working in silos and due to manual, time-consuming processes, which typically result in a wide range of errors that may introduce risk, break connectivity or cause a wider outage. In AlgoSec’s “State of Network Security Survey 2013,” the findings showed that the biggest challenge of managing network security devices was process. You need to understand where process breakdowns occur so that you can make the necessary improvements. Ask yourself questions such as “Is it a matter of poor process?” and “Are the solutions in place not allowing the process to work as you want?” Identify these issues so that you can map out a plan of attack. By automating business processes, organizations can improve visibility, simplify and streamline the necessary checks and balances, and improve not only security but also business agility (think more changes processed…accurately). Sound process aided by automation enables the different stakeholders to communicate with each other more easily and effectively, and to respond to changing business needs more quickly and transparently.

Tip 3: Think in application terms when it comes to change management.

Most firewall changes are driven by business applications, but there is poor visibility tying the business needs to the underlying security policy. Make sure you have proper visibility from an application perspective and understand the impact of making an application change – to these applications and to the network – by making sure that you can associate all firewall change requests with the appropriate application. Just as many critical IT functions have evolved to become application-centric (because our networks and organizations are powered by business applications), so too must security policy management. You can read more on this in a recent SecurityWeek column, “It’s All About the Applications”.

Tip 4: Find a common language.

The process of sharing, interpreting, and accurately translating the disparately stored application connectivity information into effective security policies essentially creates a gap between the network, security and the application teams. Opportunities to maximize application availability, reduce risk from unauthorized access and unlock greater degrees of IT agility are often held back. IT departments have their own objectives and use their own language. Meanwhile, the networking team focuses on routing and connectivity while communicating in terms of subnets, IP addresses, etc. These different responsibilities and terminology result in a great divide, with key requirements getting ‘lost in translation’. As a result, application and network outages are all too common, security is unreasonably compromised and network performance is negatively impacted.

Tip 5: Reduce complexity.

Complexity is a killer of security and agility. Today’s enterprise network has more business applications with complex, multi-tier architectures, multiple components, and intricate, underlying communication patterns that are driving network security policies. An individual “communication” may need to cross several policy enforcement points, while individual rules, in turn, support multiple distinct applications. This complexity typically involves hundreds, or even thousands, of rules, with many potential inter-dependencies, configured across tens to hundreds of devices, which equally support as many business-critical applications. The sheer complexity of any given network can lead to a lot of mistakes, especially when it comes to multiple firewalls with complex rule sets. Simplifying security management processes through automation and an application-centric approach is a must.
