Reduce the conflicts between IT administrators and information security personnel


Sometimes the simplest solutions to problems evade us because we cannot see the forest for the trees. In this case, the forest and trees I'm referring to are the people and policies that are in place to manage the operations and the information security of business networks. A few common-sense practices can reduce the conflicts between teams with a shared mission but disparate approaches.

Most large organizations tend to separate the routine administrative and operational tasks and teams from the risk assessment and security tasks and teams. Though both groups are ultimately responsible for the same thing -- making sure a company's computer systems work well so the company can meet its business goals -- the teams approach the end goal from different stances.

Sometimes their tasks are at odds with each other, and this creates conflict. For example, the operations team might want to put smart devices into workers' hands so they can access their business applications anytime, from anywhere. The security team, however, wants to restrict such usage in order to mitigate risks the mobile devices introduce.


The conflicts can be compounded when the two groups report into different organizations; for example, the IT operations/admin group may report to the CIO, while the IT security team reports to the CISO, who in turn has dual reporting into the CIO and the compliance department under the CFO. When conflicts arise, office politics often determine the outcome.

Ironically, regulations such as Sarbanes-Oxley and PCI may have forced a split between IT administration and IT security in many organizations. Nevertheless, administrators often have the ability to perform tasks that security personnel believe they should have purview over. Here's the rub: regardless of whether an organization has regulatory oversight considerations or not, in order to facilitate timely responses to network problems, administrators need access, and/or tools that have the appropriate access, to make changes that are both auditable and approved by policy.

Unfortunately, many organizations have experienced changes that went through their approval processes only to end up causing more issues. Then the question becomes: were they appropriately reviewed with the information security team for potential risk? It's one thing to have a change approved, but quite another to have it verified for risk.

A recent blog post from AlgoSec focused on holiday change freezes highlighted this theme: IT administrators and information security teams don't always see eye to eye, despite working closely together. IT administrators are tasked with maintaining business continuity by keeping systems online, while security teams are tasked with maintaining business continuity by keeping systems secure. Perhaps it is because these tasks are so similar that there can be so much friction between these teams.

As a follow-up to that blog post, I had a conversation with Avishai Wool, the CTO of AlgoSec and a professor at Tel-Aviv University, about the issues many IT administrators and information security professionals face in properly addressing today's network challenges. Wool says that a solution to the conflicts is not rooted in technology, but rather in some simple best practices that many organizations tend to forget in their efforts to provide timely resolution to problems they face daily. Here's what he recommends:

Plan ahead. Codify policy for working together. Try to identify potential sources of friction ahead of time and have a plan in place for how to deal with the situation. Prepare together for events like change freezes and audits so that neither team is taken by surprise.

Increase visibility. Transparency into change processes and workflow can alleviate tension. Knowing who looks at what, and how to handle exceptions (again, the importance of planning), is a good policy.

Get educated. Learn from opposing points of view. Take the time to learn how and why certain conditions exist within system environments.

Conduct team bonding. Simple acts like grabbing lunch or a drink or going bowling together can go a long way toward fostering a healthy team spirit.

By forgetting these common-sense practices, well-meaning professionals on the journey through the forest can find themselves falling into the trap of dealing with the symptoms of a problem as they arise, instead of proactively addressing its root cause(s) through a coordinated team approach.

Brian Musthaler is a principal consultant with Essential Solutions Corporation. You can write to him at Bmusthaler@essential-iws.com.

______________________________________________________________

About Essential Solutions Corp:

Essential Solutions researches the practical value of information technology, and how it can make individual workers and entire organizations more productive. Essential Solutions offers consulting services to computer industry and corporate clients to help define and fulfill the potential of IT.
