It’s not surprising that network and security teams aren’t always on the same page. After all, networks need to be fast and efficient, while security is about slowing things down and implementing extra steps to help meet security measures. While both teams are a part of the IT department, and need to work together in the event of a breach, each group has its own objectives and expectations. But when a data breach or security threat strikes, businesses need both teams working together to help get it fixed as soon as possible, especially as networks become more intricate.
“It’s more important to get these two teams on the same page than it has ever been in the past. Enterprise networks are becoming more complex, and at the same time security issues are more common,” says David Vigna, Cisco practice director at Softchoice.
One of the biggest reasons these two teams aren’t known for strong communication and teamwork, according to Vigna, is their “conflicting goals.” Network teams are focused on network availability and usability, while security teams are focused on potential risks and vulnerabilities. And security measures can often slow things down — adding things like two step authentication, firewalls or other precautions that might hinder how fast networks can get up and running. So, for a team focused on speed and availability, security can often be seen as a roadblock in reaching those goals — and vice versa.
“This becomes a problem when network professionals feel that security measures are red tape getting in the way of their processes, and security professionals feel that network team’s expansion and development of complex architectures are opening up the system to potential attacks,” says Vigna.
It’s not that security isn’t important to networking professionals, it’s just that it isn’t necessarily their focus. And the same goes for security pros. They don’t want things to run slower or to create more steps for people, but it is their job to keep things as secure as possible. And as it becomes increasingly important for businesses to avoid any security breaches — both teams will need to shift their priorities.
“In some cases, security may not be the highest operating priority of the team versus network latency, availability or other metrics. In addition, the security team may not gain real-time access to critical log information or telemetry that is crucial to threat analysis,” says Eddie Schwartz, CISA, CISM, CISSP-ISSEP, PMP, board director of ISACA, chair of ISCACA’s Cybersecurity Advisory Council and president of COO and WhiteOps, Inc.
The best solution to this problem? Start communicating, says Vigna. The time to communicate isn’t after something bad has happened; it’s before. “Both network and security teams should proactively reach out to one another and discuss trends and issues on a day-to-day basis in order to be prepared for the worst,” he says.
That means, when embarking on new projects, get both teams in on the conversation. At the very least, Vigna says that network teams should be proactive in giving security workers a heads-up about new projects. He suggests inviting security professionals into the early concept stages, to give input where they might find security issues before any time, money or energy is invested by the network team. Similarly, he says security teams should be “consistently responsive in sending risk assessments to network teams.”
Vigna suggests assigning a point person on each team, whose job it is to bridge communication between the two groups. These liaisons can help bring about unity through transparency, he says, allowing both groups to have better insight into each other’s goals and objectives.
Hire the right people
Hiring the right tech workers might seem obvious, but if you want your network and security teams to get along, include it in your hiring process. While network and security professionals have different skillsets, you can still emphasize during the interview process that you encourage collaboration between the two teams, so they come in knowing what to expect.
If you know you’ll need someone who can be flexible and open with other IT teams, find people with well-rounded backgrounds who express an openness to the changing landscape of IT. You might even find network professionals emerge with security skills, says Vigna, especially as networks become more complex, which increases potential risks.
Schwartz also points to the CIO as a guidepost for the rest of the department. As the CIO, he says, you need to encourage both teams to understand one another’s priorities and goals. You can’t expect your teams to understand how they can help one another if they don’t even know how the other operates on a day-to-day basis.
“It’s important for IT leaders to see these departments as part of one larger team, rather than separate factions. Though some organizations are quick to see their security teams as supplements to the IT department, IT leaders need to fully integrate security teams,” says Vigna.
Inline Video Detail: Security Sessions: How to transition from tech professional to a business leader
Summary: Many security pros came up through the career ranks with a solid tech background. But security leadership demands more business acumen and expertise today. Lorna Koppel, Direction of Information Security for Tufts University, has been through this process in her career and shares her tips for making the transition smoothly and effectively.
Publication Date: Wed Mar 30 08:37:00 PDT 2016
Source Publication: IDG.TV
Download Source File: mp4
Original Article URL: