Everything you ever wanted to know about security policy management, and much more.
We’ve all been there, and if you’re reading this article you know exactly what I’m talking about: the classic battle between IT and Security. Both groups think they’re right and have their reasons, but if neither side sees the other’s point of view, both are losing. Looking at this from a high level, you notice two very different groups working in the same realm with very different ideologies (it brings back flashbacks of the Sharks-versus-Jets scenes from West Side Story). These two gangs need to play nice with each other or catastrophe, or hilarity, depending on how you look at it, will ensue.
Without communicating each group’s goals and concerns, there will be a cycle of failure, with each team tripping over the other. The IT department needs to understand that security is here to stay and that we’re not trying to point fingers or spy on them. Calling the security team “Big Brother” is one of the labels security gets stuck with from the start. The infosec department is monitoring the security of the enterprise, and when an event or concern is raised with your department, it’s being done for a reason.
With security taking a much larger role in companies over the past five years, having a team of people “watching over you” is understandably annoying for IT. However, IT has to understand that security is not something you can bolt on to technology; it has to be a mindset. Until IT understands the importance of security and what our goals are, we’ll never be taken seriously.
I can remember one issue of classic non-communication between groups which put one of my past clients at risk. An admin who was trying to be helpful set up an FTP share for a client to upload files in a hurry. The client uploaded the necessary files, and the FTP account was left up and unsecured. Within about a day of creating the FTP account, the security team noticed large spikes of inbound traffic to this server. It turned out that the insecure FTP site had been compromised and was being used to host pirated movies.
When you have a culture where IT is trying to be helpful but, in doing so, goes around security to get something to work, we have an issue. Security needs to provide awareness and enforce the policy, while IT needs to abide by those guidelines. If this isn’t happening, we’ll have a dysfunctional relationship with our IT counterparts. Simple change control (a ticket recording who owns the share, what it is for and when it comes down) and education could have prevented this server from being compromised, and ultimately would have saved us from a sticky conversation with the client.
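What the security team in that story actually saw was a volume anomaly; the abuse itself would also have shown up in the FTP server’s own transfer log. The script below is an added example, not code from the original post: it runs two checks over a constructed transfer log in the classic xferlog format (what vsftpd writes with `xferlog_std_format=YES`). It flags uploads made through anonymous access, which is an assumption about what “unsecured” meant here, and it flags any day whose inbound byte count is several times the median of the server’s other days. The sample log lines, host addresses, file paths and the 3x threshold are all constructed for the example.

```python
"""Added example: find a "temporary" FTP share that is being abused.

Runs over xferlog-style lines (18 whitespace-separated fields):
  <weekday> <month> <day> <time> <year> <xfer-secs> <remote-host> <bytes>
  <file> <type> <special> <direction i|o> <access a|r> <user> <service>
  <auth> <auth-id> <completion>
Everything below (log lines, hosts, paths, threshold) is constructed for
illustration and is not taken from the original post.
"""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample: a real user uploads two small files, then an
# anonymous client drops two ~700 MB .avi files into a hidden directory
# and a third host starts pulling them back down.
SAMPLE_XFERLOG = """\
Mon Mar 3 09:12:01 2014 2 10.0.0.5 204800 /inbox/report.xlsx b _ i r clientupload ftp 0 * c
Mon Mar 3 09:15:44 2014 1 10.0.0.5 102400 /inbox/notes.pdf b _ i r clientupload ftp 0 * c
Tue Mar 4 22:41:09 2014 310 203.0.113.7 734003200 /inbox/.x/m1.avi b _ i a anonymous ftp 0 * c
Tue Mar 4 23:02:55 2014 298 203.0.113.7 719323136 /inbox/.x/m2.avi b _ i a anonymous ftp 0 * c
Wed Mar 5 01:10:30 2014 12 198.51.100.9 734003200 /inbox/.x/m1.avi b _ o a anonymous ftp 0 * c
"""


def parse_xferlog(text):
    """Parse xferlog lines into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 14:
            continue
        try:
            when = datetime.strptime(" ".join(f[:5]), "%a %b %d %H:%M:%S %Y")
            size = int(f[7])
        except ValueError:
            continue
        records.append({
            "date": when.date().isoformat(),
            "host": f[6],
            "bytes": size,
            "path": f[8],
            "direction": f[11],  # 'i' = upload to the server, 'o' = download
            "access": f[12],     # 'a' = anonymous login, 'r' = real account
            "user": f[13],
        })
    return records


def anonymous_uploads(records):
    """Uploads performed through anonymous access; a temp share for one
    client should never see these at all."""
    return [r for r in records if r["access"] == "a" and r["direction"] == "i"]


def inbound_bytes_per_day(records):
    """Bytes uploaded per calendar day (days with only downloads count 0)."""
    per_day = defaultdict(int)
    for r in records:
        per_day[r["date"]] += r["bytes"] if r["direction"] == "i" else 0
    return dict(per_day)


def spike_days(per_day, factor=3.0, min_bytes=1 << 20):
    """Days whose inbound volume exceeds `factor` times the median of the
    other days. `min_bytes` stops a few KB from counting as a spike when
    the baseline is zero; with a single day there is no baseline to compare."""
    days = sorted(per_day)
    if len(days) < 2:
        return []
    spikes = []
    for d in days:
        baseline = statistics.median(per_day[o] for o in days if o != d)
        if per_day[d] >= min_bytes and per_day[d] > factor * baseline:
            spikes.append(d)
    return spikes


def review(text, factor=3.0):
    """Summarise both signals for a log; what a reviewer would want to see."""
    records = parse_xferlog(text)
    anon = anonymous_uploads(records)
    per_day = inbound_bytes_per_day(records)
    return {
        "anonymous_upload_hosts": sorted({r["host"] for r in anon}),
        "anonymous_upload_paths": sorted({r["path"] for r in anon}),
        "spike_days": spike_days(per_day, factor),
    }


if __name__ == "__main__":
    for key, value in review(SAMPLE_XFERLOG).items():
        print(f"{key}: {value}")
```

Either signal on its own is enough to open a ticket; together they point at the same share, the same hidden directory and the same night. The median-of-other-days baseline is deliberately simple so it works on a few days of history; on a server with a real traffic pattern you would replace it with a per-weekday baseline or a rolling window.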
It all comes down to seeing the company from the standpoint of risk. IT sees security as hindering their projects or giving them more work. Security can sometimes think of IT as lazy or single-minded. The fact is that we’re both on the same team. IT needs to understand that we’re a complement to their technology, not a hindrance. And it’s our job as security professionals to prove this point.
Here are some tips for bridging the gap between the two groups:
At the end of the day, we need to be allies… to deter the real “bad guys” and to improve the business.