From Blocker to Partner: The Changing Role of Cyber Security

For the past 25 years I have been working in the cyber security field. It began as technical IT security (firewalls, email/web content scanning, intrusion detection/prevention and anti-virus), with a focus on blocking access to and from the bad guys on the internet and blocking malicious content.

Unfortunately this blocking mentality also found its way into how IT security professionals historically engaged with their IT colleagues and the wider business, driven by a confrontational “them and us” approach. Us (the security team) took the fortress approach, whilst “them” were sometimes treated as much as an enemy as the malicious threat actors seeking to compromise IT systems and corrupt or steal data.

This mentality meant that IT security professionals were kept at arm’s length from projects and infrastructure teams, and were generally only engaged when a penetration test was required. That frequently resulted in significant findings that impacted the go-live of a new system, reinforcing the perception that security was once again a blocker.

In one organisation I joined, the Security and Infrastructure teams approached patching every month in an adversarial manner: the security team would highlight deficiencies in patching status, whilst the infrastructure team perceived this as finger pointing that made them look bad. The bottom line, though, was that patching compliance wasn’t at the level expected because the two teams weren’t pulling together.

To turn this around, the Head of Infrastructure and I worked together to create a positive environment where both teams were pulling in the same direction. The Security team provided near-real-time reporting by building patching compliance dashboards, which let the Infrastructure teams know which systems weren’t compliant before the deadlines. Where there were gaps, the two teams worked together to understand why patches hadn’t been applied as expected and to resolve the issues identified.

Over a year, patching compliance across the business improved markedly, with compliance levels at or close to 100% most months. In the months when a handful of servers were out of compliance due to unforeseen circumstances, there was a tangible collective disappointment across all teams, along with a drive to understand why and to improve the next month.

The improvements we made together in that one security control domain, with security and infrastructure working together, were just one of a number of ways the security function was able to get closer to the infrastructure, application and end user support teams. Ultimately, the positive and collaborative approach resulted in improved security and reduced risk for the business.

Over the past decade the Information and Cyber Security domain has continued to evolve into a much more holistic one, embracing the People, Process & Technology triad with an increasing focus on Governance, Risk and Assurance activities. In addition, the growth in disruptive and extortion-driven cyber attacks means the Information/Cyber Security domain is increasingly recognised by business leaders as a key business risk, with most large corporations’ annual reports including it as one of their top risks each year.

These changes have meant that security professionals have had to significantly change their approach to improving security, for example by embedding security champions within IT functions and programme/project delivery teams.

Security leadership are now engaging much more proactively and positively with their counterparts, not only across the IT function but also across the wider business. This gives them an understanding of how security is both protecting, and in some cases hindering, business operations, so that security controls can be optimised to provide the most appropriate protection based on risk appetite. This change can only be a good thing as security leaders become more integrated and are actively engaged by Boards and Executive Committees.
