When IT and Security Don’t See Eye-to-Eye: A Security Professional’s Viewpoint

We’ve all been there and if you’re reading this article you know exactly what I’m talking about: the classic battle between IT and Security. Both of these groups think they’re right and have their reasons behind it, but if you’re not seeing each other’s point of view, you’re both losing. When looking at this from a high level you notice that these are two very different groups working in the same realm with very different ideologies (this brings up flashbacks from West Side Story’s Shark versus Jet scenes again! These two gangs need to play nice with each other or catastrophe and hilarity (depending on how you look at it) will ensue.

Without communicating the goals and concerns of each group, there will be a cycle of failure with each team tripping over the other. The information technology department needs to understand that security is here to stay and that we’re not trying to point fingers or spy on them. Calling the security team “big brother” is one of the common misnomers that security is labeled with from the start. The infosec department is monitoring the security of the enterprise and when an event or concern is brought up to your department, it’s being done for a reason.

With security taking a much larger role in companies over the past 5 years, having a team of people “watching over you” is understandably annoying for IT. However, IT has to understand that security is not something you can bolt on to technology – it has to be a mindset. Until IT understands the importance of security and what our goals are we’ll never be taken seriously.

I can remember one issue of classic non-communication between groups which put one of my past clients at risk. An admin who was trying to be helpful, set up a FTP share for a client to upload files in a hurry. The client uploaded the necessary files and the FTP account was left up and unsecured. Within about a day of creating the FTP account, the security team noticed larger spikes of inbound traffic to this server. It turns out that the insecure FTP site was compromised and being used to host pirated movies.

When you have a culture where IT is trying to be helpful, but in doing so going around security to get something to work, we have an issue. Security needs to provide awareness and enforce the policy, while IT needs to abide by these guidelines. If this isn’t happening we’ll have a dysfunctional relationship with our IT counterparts. Simple change control and education could have prevented this server from being compromised… and ultimately would have saved us from having to engage in a sticky conversation with the client.

It all comes down to seeing the company from the standpoint of risk. IT sees security as hindering them from their projects or giving them more work. Security can sometimes think of IT as lazy or single-minded. The fact is that we’re both on the same team. IT needs to understand that we’re a compliment to their technology, not a hindrance. And it’s our job as security professionals to appropriately prove this point.

Here are some tips to bridging the gap between the two groups:

1. Knowing when to pick your battles in security is something that needs to be considered. If security throws a fit over every issue, it’s going to be viewed by the IT counterparts as crying wolf.
2. Budget to have the IT department sent out to security training within their particular field.
3. Provide internally driven lessons and security awareness for the IT department.
4. Use compliance as a way to build your department and group the respect of other IT members.
5. Be a walking security evangelist. It’s our job to promote security as a culture within the organization – and that means speaking about it at every chance.
6. After you’ve built a solid foundation with your IT operations counterparts, it’s important to follow through with all tasks and policy. People are going to look for you to slip up, so staying on your game and “walking the walk” keeps everyone honest.
7. Establish weekly or monthly meetings with IT to review risks and issues that have come up. This creates awareness among the two departments and provides actionable datapoints to enable collaboration.
8. Many times this is overlooked, but using soft skills in dealing with members of each department can go a long way.
9. Grab lunch or get to know your IT admins on a personal level – this will tangibly improve your teams’ relationship going forward.

At the end of the day, we need to be allies… to deter the real “bad guys” and to improve the business.