Security and IT teams need to put aside their differences and focus on a common ground to deal with the rise of cyber security threats, writes Servicely’s founder and CEO Dion Williams.
Despite rising security awareness, rising breach numbers and the constant message that being targeted is inevitable, a matter of "when, not if", incident response mechanisms lag in many organisations.
Response processes aren't mapped out in detail, and the division of roles and responsibilities between individuals, teams and departments isn't well understood.
The result is often a lack of visibility, or delays in responding to critical incidents as they unfold.
Recent research by Ipsos shows only 19 per cent of businesses have a formal incident response plan, and 39 per cent have assigned roles should an incident occur. "In contrast, businesses show a clear reactive approach when breaches occur, with 84 per cent of businesses saying they would inform the board, while 73 per cent would make an assessment of the attack," the research says.
This runs clearly counter to best practice.
Australian government cyber security guidance calls for a clear, well-defined and CISO-led response to cyber security incidents, "including how internal teams respond and communicate with each other during an incident".
“In the event of a major cyber security incident, the CISO should be prepared to step into a crisis management role,” the Australian Cyber Security Centre (ACSC) counsels.
“They should understand how to bring clarity to the situation and communicate effectively with internal and external stakeholders.”
Bridging the divide
So why don’t incident response mechanisms match up to known best practice? In many cases, the answer lies in the structure and placement of the security function, and particularly how tightly integrated it is with IT and other stakeholders in the organisation.
While cooperative models such as SecOps are driving closer alignment, security in some organisations is still very much siloed and operated autonomously, hampering the ability of the broader organisation to address and respond to security threats they may encounter.
Security was traditionally separate from other parts of the organisation. It may or may not have had a dedicated leadership role. It certainly had its own specific and focused suite of security tools, and was often seen as a self-contained, elite unit that would be called upon for code review or to address a specific and targeted threat against the organisation.
To an extent, that remains true: it is still a domain that requires the presence of specialist skills and tools. However, organisations increasingly recognise that security cannot sit outside of – or to the side of – core operations. Instead, security must be tightly integrated with operations, such that there is an interplay between IT and security, and their interests and tooling are aligned to keep key business services operational.
The operationalisation of security increasingly happens under the banner of SecOps, or security operations. Yet even among adherents, the way SecOps teams and IT intersect is still immature.
As a recent survey shows, while there's broad agreement that IT and SecOps should share responsibility for security, one-third of SecOps teams see collaboration with IT as "not strong" and one in 10 go so far as to call it "weak". In addition, 40 per cent of respondents say collaboration levels between the two groups have stagnated, despite the clear and obvious need for greater cooperation to combat growing attack volumes.
Service management as the ‘missing link’
To step past these differences and establish common ground, the whole organisation needs to come together on a single, well-defined incident response process, in which system ownership and responsibilities are clearly laid out and there is an agreed sequence of steps and actions that can be initiated in the event of a suspected incident or breach.
Ideally, this should all come together in a single centralised system that codifies the workflow and can be used to manage the process from the start of the security breach right the way through to resolution.
When security teams and tools run in isolation, they often lack sight of the full landscape of systems and business service dependencies. Security teams need full organisational and environmental visibility to define and carry out remediation or mitigation steps properly. They also need an open channel and a running dialogue with the rest of the organisation to start a recovery process that minimises downtime and material impact.
A service management platform is well-suited to this purpose. For a start, it likely exists already in some form within the organisation, mapping the relationship between assets and systems and keeping track of configuration changes and feature additions. This is of obvious value as a key input into security incident response.
But service management platforms can also be used to map out and automate the coordination of multi-stakeholder incident response. It is this augmentation of service management that many organisations are now pursuing.
By setting up service management as a single system of record, all teams involved in an incident response can see the same information: system specifications and versioning; who owns the system and needs to be notified if a breach is detected; and who is responsible for customer communications or regulatory disclosure. The result is clearer decision making and a more efficient incident response all round. One caveat: because that record then holds the incident timeline, affected systems and contact details, it becomes a target in its own right, so access to it must be tightly controlled and audited; an attacker who can read or write the incident queue can watch or derail the response.
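To make the "single system of record" idea concrete, here is an added illustration that is not part of the original article and not Servicely's product or any real CMDB schema. It models a handful of configuration items with versions, owners and dependency edges, maps business services onto them along with the people responsible for customer communications and regulatory disclosure, and then, for a compromised item, walks the inverted dependency graph to produce the shared triage picture every team would see: blast radius, owners to notify, affected services and a runbook of steps. All item names, owners and services are constructed sample data.

```python
from collections import deque

# Constructed sample system of record (not a real CMDB export, not a Servicely schema).
# Each configuration item records its running version, owning team and what it depends on.
CMDB = {
    "db-orders-01":   {"version": "PostgreSQL 14.9", "owner": "dba-team",     "depends_on": []},
    "cdn-edge":       {"version": "edge-2024.03",    "owner": "web-platform", "depends_on": []},
    "api-orders":     {"version": "2.31.0",          "owner": "orders-dev",   "depends_on": ["db-orders-01"]},
    "web-storefront": {"version": "5.2.1",           "owner": "web-platform", "depends_on": ["api-orders", "cdn-edge"]},
    "bi-reporting":   {"version": "11.4",            "owner": "data-team",    "depends_on": ["db-orders-01"]},
}

# Business services mapped to the item users actually touch, plus who handles
# customer communications and regulatory disclosure (constructed sample roles).
BUSINESS_SERVICES = {
    "Online checkout": {
        "entry_point": "web-storefront",
        "personal_data": True,
        "customer_comms": "support-lead",
        "regulatory_disclosure": "privacy-officer",
    },
    "Executive reporting": {
        "entry_point": "bi-reporting",
        "personal_data": False,
        "customer_comms": None,
        "regulatory_disclosure": None,
    },
}


def dependents_of(cmdb):
    """Invert depends_on edges so we can ask 'what relies on X' instead of 'what does X rely on'."""
    inverted = {name: [] for name in cmdb}
    for name, item in cmdb.items():
        for dep in item["depends_on"]:
            inverted[dep].append(name)
    return inverted


def blast_radius(cmdb, compromised):
    """Every item that transitively depends on the compromised one, including itself (BFS)."""
    inverted = dependents_of(cmdb)
    seen, queue = {compromised}, deque([compromised])
    while queue:
        current = queue.popleft()
        for child in inverted[current]:
            if child not in seen:
                seen.add(child)
                queue.append(child)
    return sorted(seen)


def triage(cmdb, services, compromised):
    """Build the shared incident picture: impact, who to notify, and an ordered runbook."""
    if compromised not in cmdb:
        raise KeyError(f"{compromised} is not a known configuration item")
    impacted = blast_radius(cmdb, compromised)
    affected = {name: svc for name, svc in services.items() if svc["entry_point"] in impacted}
    owners = sorted({cmdb[i]["owner"] for i in impacted})
    comms = sorted({s["customer_comms"] for s in affected.values() if s["customer_comms"]})
    # Disclosure assessment is only triggered by services that hold personal data.
    disclosure = sorted({s["regulatory_disclosure"] for s in affected.values()
                         if s["personal_data"] and s["regulatory_disclosure"]})
    steps = [f"contain: isolate {compromised} ({cmdb[compromised]['version']})"]
    steps += [f"notify owner: {o}" for o in owners]
    steps += [f"customer comms: {c}" for c in comms]
    steps += [f"assess disclosure obligations: {d}" for d in disclosure]
    return {
        "compromised": compromised,
        "impacted_items": impacted,
        "affected_services": sorted(affected),
        "notify_owners": owners,
        "customer_comms": comms,
        "regulatory_disclosure": disclosure,
        "runbook": steps,
    }


if __name__ == "__main__":
    import json
    # A compromised database fans out to the API, the storefront and reporting.
    print(json.dumps(triage(CMDB, BUSINESS_SERVICES, "db-orders-01"), indent=2))
```

The point of the dependency walk is that the security analyst who spots the compromised database does not need to know, from memory, that executive reporting reads from it too; the record answers that, and the same record tells them the data team owns that consumer and that checkout, not reporting, is the service that drags in the privacy officer.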
Dion Williams is founder and CEO at Servicely.