The ongoing conflict between IT operations and cyber security teams is a bit like politics. Both parties have good intentions, wanting to do what’s best for the organization, yet conflicting priorities and viewpoints make them go head to head.
The cyber security team’s priority is making sure everything is secure which entails regular vulnerability scanning of applications, systems, databases and other assets. They want to configure the environment so that no one can break in, which means performing configuration checks to make sure all devices are connected and secured properly. They track events by looking at logs and use behavioral analytics to track how users are interacting with the organization’s most valuable assets. The problem is that many of these security processes require taking systems offline and locking things down as much as possible.
IT operations’ priority is to ensure the business is up and running. They receive cyber security related mandates such as applying patches, but would approach the task in the context of not bringing down the business. For example, if security identifies 100 machines that need to be patched, IT operations may schedule groups of them to be patched once a month to minimize downtime.
The contention from the security standpoint is that ideally when they find a vulnerability they want it patched yesterday. The longer an exposed vulnerability sits, the greater the chances of it being exploited. Case in point – Equifax. According to
On March 8, 2017, the U.S. Department of Homeland Security Computer Emergency Readiness Team (CERT) sent a notice to Equifax alerting them of the vulnerability and the need to patch it. On March 9, Equifax’s former CEO says the company disseminated the news internally and the security team required the patching to occur within 48 hours. However, administrators did not act until months later when they took the application offline after spotting suspicious activity.
Equifax’s former CEO blamed an employee for not communicating with the team responsible for applying the patch, which shows how much risk is elevated when security and operations are not communicating regularly.
In addition to conflicting priorities and miscommunication, security and IT operations teams are also spending countless hours filling in and emailing spreadsheets. The cyber security team fills in a spreadsheet with vulnerability information, emails that spreadsheet to the operations team who then schedules the patching, updates the spreadsheet when the patching is complete, and emails it back to the security team. Not only are the spreadsheets time consuming and cause a delay in communication thus extending the amount of days the vulnerability is exposed, but they also lack contextual information about why the vulnerability needs to be prioritized.
Bridging the communication gap and aligning priorities between cyber security teams and IT operations boils down to one word – impact. If both sides understood the impact to the organization if an asset at risk were to be exploited, they would most likely agree on prioritizing patching. For example, let’s say the operations team knew if a certain vulnerability were exploited and the asset at risk were compromised, it would cost the business $50 million.
For most organizations, that much damage would not be within their risk appetite, and operations would know to patch the vulnerability immediately. On the flip side, if the operations team received information about a vulnerability that, if exploited, would impact the business minimally (i.e. the vulnerability was on a marketing database with public facing documents), they would know to deprioritize it.
We still await the day when someone creates an operating system that does not require taking application and systems offline for patching. However, until that day comes, cyber security and IT operations teams must realize that at the end of the day they have the same goal – doing what’s best for the business. Understanding impact puts both IT operations and security teams on common ground.