The following is a guest post by a 2016 Secure360 Twin Cities Gold Sponsor BMC Software.
The plot of the humorous and silly Twix ad campaign, Left Twix, Right Twix, has the two brothers who “invented” the Twix bar involved in a family spat, split up as enemies, and each now runs his own company that makes half the Twix bar. The companies are reluctantly tied together with the common goal of producing a full Twix bar, but they do not view themselves as a team and have no visibility into one another’s actions – all they can do is bitterly spy on one another from across their shared driveway. Each company thinks they are exactly the opposite of their rival, but to the outside observer they are exactly the same.
In an ironic way, this is reminiscent of the dynamic between Security and Operations, two teams who share a common goal, but are often at odds with each other, each with their own point of view. When it comes to vulnerability management, Security is very focused on finding every vulnerability there is, and then handing their findings over to Operations for action. From the Ops Team’s point of view, it seems as though Security considers their job done once they have found the vulnerabilities. Security feels Operations takes too long to act on the threats, and they don’t understand why. Despite sharing a common goal of protecting the company, each team works in a silo and does not understand the other.
The Formation of the “Gap”
This dynamic played out in a recent survey of IT executives from Forbes. 60% of executives said that operations teams have only a general or little understanding of security-staff requirements, and on the flip side, 60% also believe that security personnel have only a passing understanding of operations requirements. This perception is driven by how the teams are judged. Security teams are judged by how well they block and remediate threats, not by how installing a new security patch impacts uptime, and operations professionals are judged by how well they keep vital business systems up and running, not on speeding the implementation of an update.
This dynamic is called the SecOps Gap. It results from a misalignment of security and operations, which can have significant business consequences due to the time and effort it takes to fix issues. The SecOps Gap is now getting focus due to the increased threat of cyber-attacks, as well as the new pressures organizations are under to transform and thrive in the digital economy. On average it takes 193 days to resolve a vulnerability, and 44% of execs say it takes organizations weeks to fix high-impact vulnerabilities once a patch is available. Additionally, half of enterprises experience outages and poor performance in IT systems due to poorly applied security patches. For organizations trying to adapt their IT to support new digital services and revenue streams, this situation can put their transformation at risk.
To solve the SecOps Gap, a solution of people, process, and technology is required, where strategies for each are reworked in conjunction with the other two.
Organizational dynamics and rewards must be reviewed and aligned towards securing the business so that the entire team is incentivized toward a common goal. If Security and Operations have the same explicit goal, there will be organic improvements in their working relationship and in the impact they have on securing the business. In some cases, new roles or reporting structures should be considered.
Traditional silos that teams work in must be integrated and processes standardized to the extent possible. More stakeholders integrated into the process and greater visibility across the teams will improve efficiency and help the business get better results.
Technology must change and adapt with more highly automated systems that can execute corrective actions across platforms, replacing manual, often error-prone processes. Reducing the bottlenecks of tribal knowledge through more intelligent systems, and automating as much of the process as possible, will enable faster, more predictable results.
Reducing the SecOps Gap
While the SecOps Gap is primarily about infrastructure security, it also represents a critical bottleneck to IT transformation. Operations teams are typically only able to spend between 5% and 25% of their time pushing the business forward (transformational work) vs. keeping the lights on. Audit and compliance activities are a significant and increasing share of an Operations team’s time. Aligning Security and Operations can decrease the operational effort expended to secure the infrastructure, positively impacting both the IT organization’s ability to transform and the health of the business itself.
Don’t be caught without a plan to reduce the SecOps Gap.
Download The Game Plan for Closing the SecOps Gap, a new research paper by Forbes Insights and BMC Software.