Endpoint

5/14/2018
05:20 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

Smashing Silos and Building Bridges in the IT-Infosec Divide

A strong relationship between IT and security leads to strong defense, but it's not always easy getting the two to collaborate.

The relationship between IT and information security can be difficult to navigate: there are traditionally conflicting interests and perspectives between IT, which is responsible for making sure tools and systems work, and security, which must make sure they're protected.

Finding the right balance between accessibility and security is "a key part of the modern organization's success," said Juliet Okafor, senior vice president of global security solutions at Fortress Information Security, in an InteropITX presentation on the topic this month. Rigid silos between IT and security have become "a clear point of attack" leaving organizations vulnerable.

The dynamic between the two groups has changed along with technology. Back in the 1990s, security was considered a function of IT. Corporate networks had a hard perimeter; firewalls were the foundation of security. Modern enterprise computing environments have since become global, borderless, fully mobile, and more complex than ever before.

This evolution has driven new sets of challenges for both groups, said Okafor. IT is worried about data availability while security prioritizes data protection. IT focuses on system uptime; security works on system safety and control.

Culture also varies between the two. IT tends to be more agile, with shorter and more frequent maintenance windows. Operational technology, and sometimes security, typically require more time with longer maintenance periods. They don't want systems down for periods of time, she noted; they're operating in an environment where things have to stay up and running.

Companies are figuring out how to best position the two. An upcoming Dark Reading study on the relationship between IT and security found 37% of businesses surveyed have a distinct security department, with its own staff, within a larger IT department. Twenty-one percent have one or two security people in IT; 21% said they don't have any people who are dedicated to security full-time. This is just a peek at the study, which will be published in July.

Thirty percent of 120 technology and security professionals report IT and security work well together and their relationship is improving. The majority (38%) says while their dynamic is generally good, it "needs some work here and there." About one-quarter say miscommunication between the two has led to continuity or security issues.

Turf Battle

"The disparity between how IT operates, and how infosec operates, demands we take a closer look at how they're working together," Okafor explained. "Due to budgets, reporting structure, IT and infosec often have a tough time with competing and sharing turf."

The CISO and security team should be given a seat the table when decisions are being made, she noted. Oftentimes they aren't: Only 15% of respondents in Dark Reading's study say security is at the table for the beginning of every new project, and their views are always considered critical. Twenty-eight percent say security is brought in at the start of most important projects and they have a strong voice.

However, nearly the same amount (27%) reports security is "consulted sometimes" and is usually heard "if it's a legitimate concern."

Technical knowledge is important but it's not the only answer to the problem, said Okafor. What's critical here is communication: the ability to understand and engage with the person you're talking to. "The biggest issue with security and technology tends to be people," she pointed out.

A key trend in bridging silos is having different team members work on problems together, she added. Give IT workers a sense of what security projects are like, for example, so they can learn about requirements and needs from the infosec side and apply those skills to other projects.

More and more, Okafor continued, success in security means knowing and understanding the business. Security professionals with business and/or liberal arts backgrounds can and should work with their IT colleagues, who have more technical expertise, to come up with more comprehensive solutions to problems. IT employees may also bring technical contributions to security teams, which may not have the same level of proficiency in Java or C++.

"The more we can bring IT people into infosec, the more the IT team, and the entire security department, benefits," said Okafor.

Related Content:

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Want Your Daughter to Succeed in Cyber? Call Her John
John De Santis, CEO, HyTrust,  5/16/2018
New Mexico Man Sentenced on DDoS, Gun Charges
Dark Reading Staff 5/18/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Flash Poll
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
Enterprises are spending more of their IT budgets on cybersecurity technology. How do your organization's security plans and strategies compare to what others are doing? Here's an in-depth look.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-11354
PUBLISHED: 2018-05-22
In Wireshark 2.6.0, the IEEE 1905.1a dissector could crash. This was addressed in epan/dissectors/packet-ieee1905.c by making a certain correction to string handling.
CVE-2018-11355
PUBLISHED: 2018-05-22
In Wireshark 2.6.0, the RTCP dissector could crash. This was addressed in epan/dissectors/packet-rtcp.c by avoiding a buffer overflow for packet status chunks.
CVE-2018-11356
PUBLISHED: 2018-05-22
In Wireshark 2.6.0, 2.4.0 to 2.4.6, and 2.2.0 to 2.2.14, the DNS dissector could crash. This was addressed in epan/dissectors/packet-dns.c by avoiding a NULL pointer dereference for an empty name in an SRV record.
CVE-2018-11357
PUBLISHED: 2018-05-22
In Wireshark 2.6.0, 2.4.0 to 2.4.6, and 2.2.0 to 2.2.14, the LTP dissector and other dissectors could consume excessive memory. This was addressed in epan/tvbuff.c by rejecting negative lengths.
CVE-2018-11358
PUBLISHED: 2018-05-22
In Wireshark 2.6.0, 2.4.0 to 2.4.6, and 2.2.0 to 2.2.14, the Q.931 dissector could crash. This was addressed in epan/dissectors/packet-q931.c by avoiding a use-after-free after a malformed packet prevented certain cleanup.