There are a growing set of essential business processes for which security and IT operations teams share accountability. Unfortunately, their ability to partner often falls short of what’s needed. Conflicting priorities, cultural differences, and process blind spots have led to systemic inefficiencies, IT risk, and at times, friction between the two teams. Given their growing set of joint responsibilities, they can’t afford to point fingers and, instead, need to foster collaboration, using process automation to create common ground.
Friction between the two teams arises because security is responsible for setting policies for risk management and compliance with various internal and external mandates. However, because IT ops teams actively manage the IT estate, they are the ones implementing those policies and therefore, indirectly, own policy enforcement. This is why collaboration is so essential, especially for complicated use cases that span multiple organizational silos and technology stacks — use cases such as secure employee offboarding, IT audit and compliance readiness, and SaaS user and life-cycle management.
Secure offboarding is a critical business process that cuts across IT, security, and HR. It’s also one that’s been under constant and intense strain since the pandemic began. Given ongoing layoffs, increased employee turnover and dynamic remote work policies, it’s not looking like it will subside any time soon. All these factors have made secure offboarding processes ripe for automation, to reduce manual overhead, errors, and security gaps — even at companies with sophisticated and/or mature processes in place.
Block, owner of the Square payments system, learned this the hard way when it experienced a breach in which a former employee used still-open access credentials to steal data on millions of users. As did Morgan Stanley, which agreed to pay $60 million (PDF) to settle a legal claim involving improper decommissioning of data center equipment that led to a major data breach. And those are two of many examples of how broken offboarding processes impact a company’s bottom line.
For example, if IT ops is managing offboarding processes, it needs to collaborate with security to identify all the controls that need to be enforced when an employee departs, otherwise security exposures are created. What accounts, applications, and access need to be deprovisioned? What needs to be put on legal hold? What data needs to be preserved to comply with data retention mandates? Furthermore, there’s an increasing challenge with managing the operational tasks and security aspects related to reclaiming and reassigning assets.
How IT Audit and Compliance Fit In
IT audit and compliance is another area that encapsulates a wide set of joint processes that can potentially include dozens of points of failure. Accurate and efficient IT audits require good hygiene around asset management, based on a current inventory of all hardware and software. Even if the company already has asset management tools, it’s a task that, given the highly distributed IT footprint of most companies, is more challenging than ever to accomplish.
For example, let’s say the security team is responsible for enforcing an essential security policy that CrowdStrike and Tanium must be installed, active, and up to date on all remote laptops. However, they are dependent on IT ops to enforce that policy because they own application deployment and patch management.
IT ops may be aware of the policy but have their hands full with other responsibilities. As a result, they don’t assign the same priority to it. And since security teams are ultimately the ones to answer for security incidents that occur due to noncompliance, they may not understand why security is complaining when scrambling to help them.
Managing SaaS Portfolios
A final example is managing growing SaaS portfolios. Business units investing in SaaS move quickly. After evaluating options, a selection is made and rapidly implemented. IT ops might not even know about it. The result of this decentralized purchasing is that roughly half of SaaS apps are purchased outside of the purview of IT.
While this moves the business forward faster, it also creates issues. How does the organization accurately forecast renewals, find wasted inefficiencies with unused licenses, and identify consolidation opportunities to combine different vendor agreements for negotiation leverage and cost savings?
There are plenty of security considerations as well. IT and security need to collaborate to identify which applications require SOC 2 compliance, store sensitive or PHI data, or have compliance-driven refresh cycles. Security and IT need to figure this out together and enforce the appropriate policies for the SaaS portfolio to make sure the business is managing its risk.
Clearly, when it comes to effective operations, IT ops and security can no longer operate only in their own lanes — like it or not, their carts are hitched. The first step to improving their dynamic is to strategically align on what a given process should be and why. Once that is established, they can work together to co-create and implement automated workflows that serve the long-term goal of both teams — separately and together.
This is a clear path IT ops and security can follow to evolve from “unhappily dating” to a match made in heaven — and the enterprise will be the better for it.