Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Member Portal
Initiatives & Partnerships
AI Safety Initiative
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Trusted Cloud Consultant
Other Opportunities
Event Sponsorships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Platform
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Cloud Security Glossary
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Member Portal
Initiatives & Partnerships
AI Safety Initiative
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Trusted Cloud Consultant
Other Opportunities
Event Sponsorships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Platform
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Cloud Security Glossary
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Cloud 101CircleEventsBlog
Don't miss out! Join us for the free, virtual Global AI Symposium from October 22nd - 24th—register today!

Rowing the Same Direction: 6 Tips for Stronger IT and Security Collaboration

Published 10/16/2024

Home
Industry Insights
Rowing the Same Direction: 6 Tips for Stronger IT and Security Collaboration

Originally published by Dazz.


The Olympians make it look easy, but make no mistake: rowing is a more difficult sport than meets the eye.

Changing conditions in the water and weather, exhaustion, and even a head tilt in the wrong direction can send the boat off course or cause the team to lose time. And perhaps the biggest (and first) lesson a team can learn is that no one person can control the boat single handedly. It requires a team fully focused and in unison to win.

The correlation between the experience for rowers and that of IT and security teams is clear. Differing priorities (protecting data and systems vs. UX, and availability), inadequate communication and context amidst the complexity and rapid pace of day to day operations, and lack of understanding of the other group’s roles and goals all hinder teams from rowing in the same direction.

Other common top-of-mind challenges both teams are experience today are:

  • Secure use of GenAI
  • Continued shift to cloud
  • Supply chain risks
  • Zero-day vulnerabilities

So how do we get our posture straight, our vision aligned, and our paddles stroking in unison?

We recently had a conversation with cybersecurity expert John Boyle, former Director of Platform and Portfolio Strategy - Cybersecurity, Manageability, Supply Chain Security at Dell (who happens to be very passionate about this topic), to get his vision of how IT and security can work better together.

We’re here to share the top 6 tips he gave us with you, complete with video clips from the conversation.


Tip #1: Know what’s in your environment

Whether you’re a small, medium, or large business, you need to get leaders together from different groups to see what the mission for cybersecurity is across the organization. Then you need to assess what you have in your environment—from devices to licenses to software to people and roles in place. We all know that IT environments and fleets have a mix of Chromebooks, Linux flavors, and Apple devices. So your weakest endpoint is your worst defense posture. Knowing what's in your environment helps security and IT collaborate to achieve zero trust—that can’t happen in silos.


Tip #2: Align on policies

Once you know what you have, you can create policies based on expectations of how technology will be used and secured, creating “red lines” on policies such as types of devices that must have security agents on them, firewall rules, infrastructure as code, and default configurations for cloud resources (and monitoring around that), and then adjust policies as time goes on and needs change.

Policies are ingrained and embedded in many solutions we all know and use for zero trust. Getting security and IT groups together to talk about what will protect your mission and not just your PNL inside the company is very important. What is IT’s policy on performance?

Align your policies but do it together. Focus on the mission first—the people and data you’re protecting— then align on policies that provide sustainability, performance, and all the pieces teams want in their fleet.


Tip #3: Measure and improve MTTD

Improving mean time to detection (MTTD) is a major focus for IT and security.

Whether it’s detecting potential attacks or IT failures, reducing MTTD is essential. For instance, if a switch goes down, it impacts the business—whether it’s an attack or just a bad switch. Lowering MTTD is a key metric that IT and security can work on together to ensure quick response to threats and issues. Ask about capabilities to detect known bad actor behavior, but also things that can lead up to a kill chain concluding successfully.

Note: This is not a one and done; there should be a security review every quarter with the company where IT and security assess events that happened, and how fast they were detected.


Tip #4: Measure and improve MTTR

Equally important to MTTD is improving mean time to respond or remediate (MTTR). These metrics are critical, and you likely don’t want to focus on improving both simultaneously if aiming for meaningful gains. MTTD is heavily reliant on technology for real-time detection and flagging, while MTTR involves both technology and processes. Enhancing MTTR offers significant benefits, like reducing downtime and risk exposure. Being able to quickly close out vulnerabilities means less chance of impact on the organization, highlighting the importance of fast and efficient response processes.


Tip #5: Continuously review ownership

Here’s a warning: This might be the biggest challenge to overcome in rowing the boat together.

The concept of ownership is seldom 100% accurate, especially when it comes to cloud workloads, cloud systems, and things that are ephemeral, making this process extremely hard. You can get data from many different places to infer ownership: directories, cloud systems, and source code management systems.—but actually confirming it is different.

Nonetheless, reviewing ownership in both the IT and security context is also extremely important. It’s an ongoing dialogue that IT and security teams need to have—even holding a biweekly meeting on new assets, new applications, or new code repos that we found, and who owns them wouldn’t be overkill. Upleveling the accuracy on ownership will trickle down into those meantime to detect and meantime to respond metrics from tips 3 and 4.

On the flip side of ownership, teams—especially during challenging times at companies—should not turtle and stay in survival mode. Ownership can be a bad thing too, like saying, "I own this, you don't." That’s where collaborative ownership comes into play.

According to John:

“I know who my go-tos are for federal fleet management as well as the commercial part of fleet management. I know what they own. However, I am a stakeholder there and keep their mission in mind for what they’re trying to accomplish. Sometimes we get so caught up in our little fiefdoms, goals, objectives, org structure, and P&L. But you have to understand, people need to have ownership of things for the good of the company because the company serves your customers.”
“When we talk about critical infrastructure, energy, healthcare, financial services, transportation, and food, those are important outcomes to people in this world. Everybody has ownership of security in the sense that we need to be up to speed on policies, take part in training and awareness, and report anything suspicious.”

It's also important to make it clear who in IT and security owns the choices for the partner ecosystem. It doesn't help to have five fragmented divisions with everyone using a different XDR.

Ownership should mean knowing who's the primary driver—but not to the point of creating silos for the wrong reasons.


Tip #6: Continuously assess your tech stack

We’re in an industry replete with great technology at your fingertips, but you need to size up your objectives, mission, common goals, and long-term strategy for the company and customer. Regularly assess this stack particularly when it comes to the possibility of introducing new “shiny objects” like GenAI. Get IT and security teams together to talk through the benefits and risks and ripple effect of adding in new technology.

Keeping with the AI example, introducing more automation brings greater scalability for your organization. But guess who else gets greater automation and scalability? The bad actors. This is where IT and security teams need to respect each other. IT is trying to ensure users in the organization can work effectively and efficiently while security simultaneously is trying to match that pace in protecting the organization and the organization’s data. All while delivering critical services to customers.

It's vital to balance enabling innovation with safeguarding the organization and its services. Regular tech stack assessments with candid team input ensure everyone feels invested in the technologies that enhance security and overall success.


Conclusion

The TL;DR of all of this? Collaboration. Go back to that rowboat. If someone looks sideways instead of focusing on the primary objective, it upsets the boat enough to lose a tenth of a second. In racing, and for your customers, that matters.

Cloud Security Services ManagementCyber Incident SharingDevSecOpsEnhancing cloud security strategy

Share this content on your favorite social network today!

Core Cloud
Related Resources
Top Threats to Cloud Computing
The eleven salient threats, risks, and vulnerabilities in the cloud.
Certificate of Cloud Security Knowledge (CCSK)
The industry's standard cloud security credential.
Corporate Membership
Gain knowledge and connections in the cloud industry.
Latest from CSA
Access the Cybersecurity Awareness Month Bundle
Download the NIST CSF v2 Cloud Community Profile
Upskill Employees with CSA’s Team Training
Trending This Week
#1 What is a Feistel Cipher?
#2 The 5 SOC 2 Trust Services Criteria Explained
#3 Mechanistic Interpretability 101
#4 Top Takeaways From the Gartner Innovation Insight: Data Security Posture Management
#5 AI Safety vs AI Security: Navigating the Commonality and Differences
Level up with Cloud Infrastructure Security Training
Related Articles:
Navigating Cloud Security: A Shared Responsibility

Published: 10/17/2024

Unleashing the Power of Managed Endpoint Security: Crafting Effective SD-WAN and SASE Strategies

Published: 10/15/2024

App-Specific Passwords: Origins, Functionality, Security Risks and Mitigation

Published: 10/11/2024

Top Threat #3 - API-ocalypse: Securing the Insecure Interfaces

Published: 10/09/2024