SecOps from the IT infrastructure operations perspective
The CrowdStrike outage capped a decade of deepening divide between SecOps and the rest of IT ops -- and should bring about its end, according to one industry veteran.
The CrowdStrike incident should be a sign that it's time for SecOps and IT infrastructure operations teams to cooperate on more resilient ways to operate IT security tools, according to one industry veteran.
As with other guests who have appeared on IT Ops Query Season 2: The State of SecOps, Rich Lane, IT director for the City of Medford, Mass., has seen a widening rift between the two subdisciplines over the last 10 years during his varied career in tech. He previously served as vice president of digital operations strategy for data security software vendor Netenrich from 2021 to 2022 and as a Forrester Research analyst from 2018 to 2021. Before that, Lane worked as a professional services consultant for observability vendor Splunk and as IT infrastructure and operations manager at Bain Capital.
It was at Bain Capital, in the aftermath of a high-profile data breach at Sony Pictures, that Lane saw this divide begin to grow significantly, he said.
"Everybody panicked all at once and said, 'Why aren't we investing way more in security?'" Lane recalled. "Security had always been an arm of operations, but it became abstracted even more away from operations and into its own discipline. We started to see the CISO role [emerge]."
From Lane's perspective, the global CrowdStrike outage in July reflected this organizational disconnect at many companies between the IT security teams that choose tools and the infrastructure operations teams that must support those tools in production.
In that case, the incident wasn't caused by a cyberattack, but by a glitch in testing a file update that was sent automatically to users' machines and crashed certain versions of the Microsoft Windows OS. In other words, it was the kind of incident that falls into the lap of IT infrastructure operations teams, even though they didn't choose to have such a tool in the environment.
"[It reflects] this divide between ... what security's trying to do and what they're communicating to the top of the company, and what operations do, trying to run the business and not be in the way of people doing that," Lane said. "In my last few roles, we were exploring ... 'How do we tie the CISO and CIO [organizations] together? ... How do we bridge that gap and make what they're trying to accomplish on the security side workable for us?'"
Now, he said, CrowdStrike should prompt the two groups to get together and come up with more resilient ways to operate security tools, demand better communication from vendors during incidents, and better account for the human factor in both cyberattacks and IT outages.
Which isn't to say all the responsibility falls on enterprise IT buyers, according to Lane.
"Software vendors need to do a better job at owning it when it happens, and not try to hide it from their customers, and not send out emails to their customers with a legal disclaimer that is bigger than the actual message," he said. "They have to be more honest and say, 'Yeah, we screwed up. We're going to figure out how this happened. We're going to communicate with you.'"
Beth Pariseau, senior news writer for TechTarget Editorial, is an award-winning veteran of IT journalism covering DevOps.