The People Problem: Making Security Consistent

It’s winter.

There’s snow in the mountains and fog in the valleys and I could barely see the building next door this morning as I sat in our headquarters out in Santa Clara, CA.

During times like this, there is often an opportunity to pause and reflect on what you’ve seen over the past year and think about what you’d like to improve over the next period. I’ve been working with clients who are looking at their network security in a new way as threats continue to shift and grow, and their options for defense expand.

A primary challenge is to make security measurable and then closely watch trends as you apply various efforts to improve your security.

As I’ve thought about what it takes to make lasting improvements, I’ve considered the many threats to security success and obstacles to improvement that I see in the field every day.

One of the issues I see most consistently may be a surprise to you until you unpack it a bit: Security is a cross-organizational activity that often bumps into the many silos of an organization. In fact, the greatest challenge in getting a complete picture of what’s happening across your network in terms of security is the communication gap between the security, risk, server management and network management teams.

As I mentioned in an earlier blog post entitled The Hardest Work, communication between these different groups is often challenging when crossing organizational boundaries. This is also true among members of the same organization. In fact, I think it’s fair to say that sometimes internal politics among various groups can be harder to overcome than those existing between partner organizations.

When two companies come together to try to make things work from a security perspective there’s a known requirement to attempt to be open and work together. Inside an organization? Network operations versus security operations? This can be a serious turf war and there are often hard lines drawn about how much they are willing to work together. Even when management intervenes, sometimes it can still be hard to get everyone on the same page.

One of the challenges RedSeal faces in general is helping these two groups within any organization to work together, from the procurement process, through deployment and of course in everyday life. Our interest is at least partly self-serving. Yes, ultimately our goal is to help customers move the needle in reducing risk. But, we also know that in order to convince organizations to buy, and then use our product to the fullest and buy more of it, we need these types of people on the same page, working together.

However, as self-serving as that may be, it highlights a serious issue that is one of the biggest challenges we all face in security in terms of making progress. If we cannot team effectively and let down our defensiveness over who runs what, who makes what decisions, who is the smartest person in the room… we are all destined to continue to struggle.

I’ve authored a few of these blogs now that underline this same theme: improving security is often held back as much by our inability to team effectively, share information and put aside personal/group/organizational issues in the name of achieving the common goal as by any technical obstacle.

I’m sure we’ll hear a lot more this week during the annual RSA Conference in San Francisco about pervasive industry issues such as the need for stronger integration between vendors, and the demand for a closer relationship between the federal government and private organizations if real progress is to be made in advancing IT security any time soon.

The place to start is within our own environments. Security is about people and process and technology. If people cannot work together effectively, all the process and technology in the world isn’t ever going to be enough.
