All War and No Play: Align Your IT Organization to Eliminate End-User Frustration

Welcome to the fifth blog in our special series, Mitigating Gartner’s Network Security Worst Practices.

In my last post, I talked about insufficient focus by IT teams on users and business requirements. In addition, it’s also important to remember that groups within the IT organizations are often misaligned as well, which Gartner refers to as “warring factions” or “us versus them”[1].

According to research, “Within many IT organizations, security is seen more as a bolt-on appendage to IT rather than an integral component that should be baked into all architectures. This leads to end-user frustration and fosters kingdom-building versus deep integration between teams” [2]. “The end results of both intrasecurity and IT organizational misalignments are unhappy users; reduced security; and architectures that are more complex, costly to operate and difficult to scale.”[3]

One area where this misalignment is clearly visible is between the networking and security teams. Many of our customers report frequent “blaimstorming” meetings where these two teams blame each other when things are not working or not progressing quickly enough.

If you have followed my previous posts you have probably noticed I am a big advocate of examining solutions from both a processes and a tools perspective. Although AlgoSec is a software provider, I am the first to acknowledge that a good tool will not fix a bad process. (A well designed software solution can however, force you to rethink and redesign your processes). On the flip side, a good process which can’t be enforced will not go very far either.

So let’s first examine what you can do from a process perspective to address organizational misalignment:

1. Align Incentives – Aligning incentives to create shared goals may be common knowledge, but it’s hardly common practice. In many organizations there is an inherent conflict between the goals of networking team and the goals of the security team. The networking team may be concerned with maintaining network availability which is obviously hindered as security and access restrictions pile up, while the security team resists any architectural changes if they can potentially introduce new risk. So consider defining both security and networking goals for both teams.
2. Align Reporting Structures – In some organizations, the CISO reports outside of the IT department (e.g. to the CFO). In the absence of a common boss – inter-team tension can quickly escalate.
3. Foster Collaboration – There are many ways in which an organization can foster better collaboration between teams. Simple things such as joint social events or locating the teams in close proximity can go a long way. Another common approach is to have “overlays” where the networking team has a representative in the security team and vice versa.

From a solutions perspective, here are some things you should look at to improve alignment:

1. Single pane of glass – All too often the security team’s view of the network and risk are different to that of the networking team due to different tools that are used by each team. It is imperative that both teams use the same solution for provisioning and making changes to network security devices.
2. Holistic Process Analytics – Without good data and visibility, it’s not easy to understand where you may have made mistakes or introduced bottlenecks. Tracking each stage of the network change process (which team requested the change, how long did it take to analyze it, approve it for risk, provision the change etc.) can help you identify and resolve inefficiencies.
3. Automation – First and foremost, automation can eliminate mistakes which create tension. Automated tools are also better than human beings at “translating” requests that may be communicated in one language (e.g. the language of networking) into another language (that of security). Finally, whenever a person has to say no to a request, there is a potential for friction. However, if an automated solution does not allow something, it creates a sense of fairness: “the system won’t let me approve this” to “I don’t allow you to do this”..

At the speed of today’s business, and with increased focus on automation, the lines are quickly blurring between operations and security teams – aligning these teams is therefore quickly becoming an imperative – if your factions are warring, don’t delay doing something about it.

About the Mitigating Gartner’s Network Security Worst Practices Blog Series

In this special blog series we’re taking a deeper dive into the network security worst practices identified by Gartner, and are examining how each of the 9 worst practices that we specifically address can be mitigated using automated security policy management.