I survived the play offs, wondered why anyone watches the Pro Bowl, and then set my focus on the Super Bowl. Who would win – who had the best skills, best coaching, best records, etc. As I wondered I started to see similarities between the relationships of the players and the relationships of security and operations teams. Stick with me for a moment. At the simplest level, the defense is there to make sure that the opposing team doesn’t score. They don’t know what play the offense will use, but as the defense sets up they may be able to see holes in their ability to defend. At that point, the players will call to one another and make adjustments. They are trying to eliminate vulnerabilities. Now, if one player is calling out adjustments (security), but the other players (operations) either can’t take action, are overwhelmed by the number of actions, or are too busy focused on a different problem they see, then what happens? Well, there is a good chance the offense will succeed and breach the line. And if it happens too often the Defensive Coordinator will be the one who gets sacked.
So, what went wrong? Poor communication? Lack of agreement on the priorities? Inability to handle an audible – no rapid way to match adjustments to the opponent. Statistics indicate that most breaches take advantage of known vulnerabilities. If that’s the case, then the security team may point to their vulnerability scans and show that they had indeed delivered the information to operations. They called an audible. The operations team says the reports are huge and don’t give the information needed to identify and remediate problems. So, they either didn’t hear the audible or couldn’t figure out what play they had to run. Teams can’t operate like this…. well, maybe the Browns.
Get your Security and Operations Players Unified and Acting Like a Team
In order to play well together you have to communicate with each other clearly and use a common framework or playbook for a reference point. Calling out play numbers if the other players don’t know what you’re talking about isn’t helpful. Security identifies vulnerabilities then hands off to operations to fix them and make the changes. The operations team doesn’t always use the same reference points as the security team so the reports may lack context and make it difficult for operations to use them. Once operations figures out what to do, they have to weigh these requests against the ones they already have that are is focused on availability and stability. Changes are risky and the operations team is left to decide what is riskier – not patching a known vulnerability or releasing a patch that may impact stability or availability. The conflicting priorities create an unsustainable and less-efficient culture.
SecOps, which is similar to DevOps, is a combination of tools, processes, and culture change that encourage the two organizations to share accountability and work together as a team. To drive the culture change, leaders need to ensure that the teams understand that they are all responsible for security and compliance, and the hand off of tasks does not imply a hand off of accountability. They succeed and fail together. Only together will they have the resources and ability to meet the challenges presented by today’s sophisticated hackers – who ALSO work in teams. When you draft your defense in fantasy football, you don’t do it player by player. It’s as a unit.
Give The Team the Right Equipment to Play
Once you get past the culture change, two of the next big issues will be moving the teams to the same playbook, meaning helping operations to use the data provided by security to tie it to a meaningful set of actions.
Given the volume of data and the manual processes required to tie this data to known remediations, it’s a situation ripe for automation. A comprehensive, policy-based automated approach that identifies, remediates, and tracks vulnerabilities could allow the teams to get some basic plays down so that they are focusing on the bigger issues. Automation should reduce the risk of misconfiguration and improve the system’s stability through granular, role-based access control. It should also enable you to dramatically reduce the time required for logging changes in the change management system and reduce the risk of outages by unifying processes across server platforms.
The Security teams will get real-time visibility into the vulnerability of the health of the IT environment and approach a state of being audit-ready all the time.
Get Your Stars to Unite As A Team
Change is tough under the best of circumstances. Right now, you may have a bench full of star players in their positions, who have little interest in learning about each other or how they can change to work together as a team. I once again think of the Pro Bowl. It’s not interesting because it’s a lot of stars doing what is it that makes them stars. As individuals, they are great, but together they can barely get down the field.
- It starts with the accountability. Create a culture where everyone is accountable for security. Every individual is expected to contribute to the success of the team.
- Redefine the way you communicate. Break down operational siloes and require security and operations to have a discussion about process and discuss requirements. You need to know what the other players on your team are doing and how you can help them be successful.
- Rewrite your playbook. Consider the security challenges of your organization, and build the game plan you need to overcome them using the strengths of your players
- Recruit wisely. Take a good look at where your gaps are – which can be filled by tools, which can be filled by people or partners and then make a pragmatic and data driven choice.
Be the MVP – Lead the Change
Another great thing about football is that the leader of the team can be anyone. The coach is fairly obvious, but who picks the team up and gets them excited about the game? Who is the firecracker, that when they hit the field everyone works just a little bit harder? A very famous football coach is reported to have once said “People who work together will win, whether it be against complex football defenses, or the problems of modern society”. Will you be the one to help your organization work together to win?
By the way, if you find me at RSA Conference 2017 in San Francisco and can tell me who the quote is from – I’ll owe you a coffee.