Lay the groundwork for a SecOps team structure
A good partnership between IT operations and security teams requires trust, mutual commitment and continual work -- but results in significantly reduced security exposures and a healthier work culture for all.
Enterprise IT and security teams have a history of bad blood; the former is motivated to test and deploy new services as quickly as possible, and often perceives the latter as an external auditor on the hunt for mistakes.
The adversarial relationship is often reflected in a siloed organizational structure in which IT and security teams operate separately. These silos make it impossible to proactively incorporate security measures into IT systems and applications during the planning, design and implementation phases.
But the IT-security divide is untenable in the face of advanced persistent threats, targeted phishing attacks and crippling ransomware incidents. Modern threat environments require the two organizations to break down the walls and become partners throughout the IT lifecycle -- a model known as SecOps.
Editor's note: Organizations that practice DevOps might extend collaboration between the IT ops and security teams to include application developers. This creates a practice called DevSecOps. Sometimes, the terms SecOps and DevSecOps are used interchangeably.
Success starts at the top
The overriding factor that separates IT and security teams is organizational misalignment; the two teams often report up through different management structures. The executives leading each faction -- the CIO and CISO, respectively -- typically have different goals, which are measured and rewarded by disparate key performance indicators (KPIs). In addition, the CIO is often perceived as being higher in the executive pecking order. To create a culture of shared security across the organization, give the CISO and other IT security leaders more status and authority. Include them in the strategy, planning and early development phases of new IT and application projects, and treat them as trusted partners.
Shared authority at the executive level requires shared goals. IT operations and security teams will likely continue to have separate budgets and distinct projects, but hold managers in each organization accountable for common -- or at least comparable and tightly related -- objectives and KPIs. Shared metrics enable both sides to see how each contributes to achieve broader business, financial and security goals.
Extend this team concept to business units and project managers. IT and security execs should proactively seek out and work with business partners to enable new products and services that are functional, on-time and secure.
In the trenches: Be a team player
Being on a team requires a willingness to make personal and workgroup goals subservient to the larger mission. In the case of IT and security, this means building cultural bridges and personal relationships. Management's actions can reinforce these relationships through policies that hold people accountable for team play. To move toward a SecOps team structure, IT should bring security colleagues into new projects and listen to their advice. Conversely, security professionals need to offer constructive suggestions, not gotcha criticisms.
Treat IT systems, applications and cybersecurity as part of a single interconnected system. Adopt systems analysis techniques to holistically analyze system performance, functionality and security. To find security vulnerabilities in the interfaces and data flows between the many components -- containers, serverless functions and API gateways -- in a cloud-native deployment, view IT infrastructure and modern applications as part of a connected security environment.
Operational steps
IT and security departments can take the following operational steps to move toward a SecOps team structure and, ultimately, a DevSecOps model.
- Encourage frequent communication. In addition to regular status updates between teams, hold informal gatherings, such as lunches, and use online collaboration tools such as Slack or Microsoft Teams. Establish collaboration hubs for both projects and broader discussions that promote cross-pollination of expertise between groups.
- Create avenues for cross-training. Ensure security pros learn about the latest development languages, such as Python or Ruby, as well as infrastructure trends like container clusters, multi-cloud and composable infrastructure. Likewise, train IT and developers on threat behaviors and secure coding practices.
- Incorporate security policy into IT infrastructure blueprints, development processes and code libraries. Building secure systems and applications should be the default behavior -- not something that's bolted on after the fact.
- Build penetration testing into DevOps processes. Provide a mechanism for stress testing systems from an attacker's point of view before production deployment.
- Add automated security scans into automated DevOps toolchains. This step will identify vulnerabilities in code libraries or container images during test and development, when teams can fix errors without exposing users to threats.
- Consolidate DevOps and security expertise into a formalized DevSecOps team. This can only occur after establishing a cooperative IT-security relationship. A DevSecOps team has broad responsibility for the overall security design and implementation of new IT systems and applications.