The modern enterprise IT environment is extremely complex. A myriad of smartphones, tablets, applications and network devices, along with the growing use of virtualization and cloud services, all present an increasing volume of management and security concerns.
Next-generation security devices present new, more granular controls, but add to the complexity. Both IT Security and IT Operations teams are strained with managing, supporting and securing these environments, often clamoring for more resources to get the job done. As the work piles up, each organization hunkers down and focuses primarily on their specific roles and responsibilities.
What sometimes gets lost in the shuffle is the bigger picture, which is to make the business run more smoothly and efficiently.
IT operations and security groups are ultimately responsible for making sure an organization’s systems are functioning so that business goals are met. However these teams approach business continuity from different perspectives. The security department’s number one goal is to protect the company, whereas the IT operations team is focused on keeping systems up and running. Oftentimes, IT operations and security teams must work together and be on the same page because both have an ownership stake.
This is easier said than done.
To achieve this alignment, organizations must re-examine current IT and security processes and identify areas where to add or enhance the necessary checks and balances, without impeding productivity.
Here are 5 Tips to Improve Communication and Alignment with Your IT Operations Colleagues
1. Re-examine the roles and responsibilities within the Information Security team as well as with the IT Operations team and identify areas - such as change management and audits - where both teams play a significant role.
2. Set up a taskforce with stakeholders from both departments and develop or enhance a standard operating procedure (SOP) for how the teams will work together on a typical day and when crisis hits. This SOP should take into account the concerns of both teams and address day-to-day situations. You can’t predict when users will make requests to add new devices to the network, but you can prepare for dealing with those requests.
By designing plans with your counterparts that address these situations (or other ‘knowns’ such as network upgrades, change freezes, and audits), you can minimize security risk from poor change our out-of-band change processes. Communicate the agreed upon SOP with both teams and ensure continuous training of these procedures. This proactive approach will ensure a proper response during high pressure situations.
3. Work with your management and colleagues to define management by objectives (MBOs) and performance targets that include both individual and higher level targets. If security is compromised due to poorly configured change, everyone loses. And if security requirements are so stringent that SLAs cannot be met, the business also loses.
4. Build relationships and force over-communication. Encourage team building outings such as lunch and learns, retreats and off-site events to build relationships amongst the departments. Plan some fun, IT organizational events to break down the silos and build relationships amongst the staff. Additionally, set up weekly/monthly/quarterly review sessions between the two groups that focus on internal process improvements (poor internal security processes were identified in a State of Network Security 2012 survey as the greatest security risk). Not only do these activities create awareness and enable joint decision-making, but people generally respond better to friendly faces.
5. Support both teams by implementing technology in addition to the newly developed or refined processes to facilitate collaboration and make their lives easier – having holistic visibility will lead to improved network availability and security.
At the end of the business day, it’s about finding the right balance for each organization between security and productivity. One should not have to come at the expense of the other.