At many companies, there’s a gap between security and what is generally called operations, or more colloquially, ‘the rest of the organization.’ That gap is becoming an issue, because the days when only the security team needed to know about security are behind us. So, what can you do about that?
In order to answer this question, IDG hosted a workshop on the topic for the CompTIA Benelux Community in Belgium, co-moderated by Luc van Roey from F-Secure. The workshop covered what the situation is like now, before going on to how the attendees would like it to be, and finally getting to some feasible next steps to tackle it.
The Issue at Hand
It’s virtually impossible to view the gap discussed during the workshop separately from the bigger security trend of shifting focus from prevention to detection. The saying, ‘it’s not if, but when you will be hacked,’ has become more or less received wisdom in security circles. This also means that you have to deal with security differently inside your organization. Gone are the days when security personnel would focus solely on keeping the bad guys out. They will get in eventually, which means non-security people inside organizations need to know more about security. For that to happen, the gap between both sides needs to become smaller.
The Gap is Real
From the discussion between the participants, it is very clear that the gap between security and operations is a fundamental one. Many noted the lack of alignment between the two sides of the equation, usually in the form of management not understanding why it’s important to bridge the gap. As a result, more often than not, little has been done to address the issue in the first place. Securing the budget to actually do something about it isn’t easy either, which makes it an even bigger hurdle.
It is clear that there appears to be a lack of awareness in many organizations. But even if there’s awareness, the next hurdle is access to education, which is lacking as well, based on feedback from the group. Over-regulation was also cited as a reason for not being able to bridge the gap, with security teams more or less being forced to operate on an island.
It’s not all about a lack of awareness at the important levels inside organizations though. Technical issues were also regularly cited as factors, ranging from having too many point solutions to make sense of it from that side in the first place, to too much focus on technology instead of the people who have to work with it. A lack of understanding of what mobile phones, mobile workers and something like Office 365 mean for organizations was also cited as a complicating factor.
Bridging the Gap with Better Tech and Management
Asked what would be the best-case scenario to bridge the gap, irrespective of what is feasible and what isn’t, a similar division arose as above. Some focused on things like management, processes and the overall organizational layout, while others focused on specific technical enhancements to tackle the issue. Automation is also seen as something that’s absolutely necessary in security, as is having a 360-degree approach, which obviously clashes with the enormous complexity in security nowadays that was noted in the first step of the discussion.
One wish that came up multiple times was to have 100% buy-in from management. That’s crucial in any change inside organizations, but perhaps even more so when you wish to bridge a gap as big as the one between security teams and operations.
Education is also something that’s seen as a vital part of the best-case scenario. Not just once, but ongoing. Everyone inside an organization needs a continuous improvement plan. Also, we shouldn’t only focus on awareness. Practicing what happens when there’s a breach, for example, is also very important. Going beyond awareness also means there’s a bigger sense of accountability among the people working across the organization. Without accountability, it’s not possible to bridge the gap.
What We Can Do Now
When it comes to the more organizational next steps, there was broad consensus that stress tests as well as risk assessments are important. That’s where it starts. You need to know first what you have before you can protect it. We know from experience that many organizations still haven’t done that. But by far the most important thing you need to do as an organization is to just get started and make those first steps toward a good security-by-design strategy for your entire organization, in which everyone is aware of the risks but also feels accountable for trying to prevent being hacked or breached.
Sander Almekinders is the editor-in-chief and content strategist at IDG. He co-moderated the session, Make Everyone a Security Expert, at the recent Benelux Business Technology Community Meeting in Brussels. A version of this article was also published on CIO.com.