Using Risk Assessment to Bridge the Gap Between IT Operations and IT Security Teams

by | Mar 27, 2019

There is an inherent divide between IT security and IT operations, and it has deep roots.

IT operations focuses on building and implementing systems that make business possible. IT’s job is to keep the business running while building out systems that deliver a competitive advantage and open new opportunities. In recent years, IT teams have been on the front lines of a digital transformation that is changing how businesses engage with markets and how employees work. To accomplish their goals, IT teams have had to adapt to rapidly changing architectures and new technologies such as cloud, edge computing, software defined networking, artificial intelligence (AI), and the Internet of Things (IoT).

IT security teams have a different mission. Their focus is on keeping data and systems safe from hackers, cyber thieves, or anyone who might disrupt business operations. Security teams put in preventive controls and systems, but these are not foolproof. When the preventive controls fail, the security teams must enlist their skills to reactively search for vulnerabilities, track threats, and investigate suspicious activities. When they discover serious vulnerabilities, they specify a remediation. The operations staff, whose function is to serve all the business’s IT needs including security, makes the necessary fixes.

This division of labor has created natural differences in perspective. For example, IT operations teams focus on doing what is possible and keeping things running, while cybersecurity teams focus on doing what is safe and stopping dangerous activity. The challenge for both groups in recent years is that each of their domains has become more complex, and they sometimes find themselves at odds with each other and with the business.

On the IT operations side, rapid infrastructure changes brought about by digital transformation call for more specialized knowledge. In addition, continuous adaptation made possible by agile systems has introduced practices such as DevOps and workflow automation. This has made IT into more of a process that addresses endless streams of non-contextualized tasks governed by ticketing systems.

For cybersecurity teams, a changing threat landscape has shifted their approach to security from attack prevention to an emphasis on early detection and rapid response. This has come about because of the unmanageable growth of the attack surface, a rapid increase in known vulnerabilities, and the growing sophistication of cyber attacks. To address these challenges, security teams require more specialized tools and knowledge to help them analyze what is happening in their environment. They also need to consider how to make their detection systems more continuous in nature to ensure rapid response.

Digital transformation is putting more pressure on IT security. The new security technologies needed to address these challenges generate tons of incident data, which increases the remediation workload on an already stretched IT operations staff. Add to that the more specialized knowledge in each domain, and now you have increasingly siloed domains. Separating IT operations from IT security in this way results in less effective vulnerability management, which ultimately increases cyber risk to the entire business.

One way to overcome this divide is to have a business risk approach to prioritizing vulnerability remediation. By doing this, risk assessment becomes the common ground for collaboration between IT security, IT operations, and business operations. This makes a lot of sense when you consider how digital most business operations have become.

Risk assessment has long been part of business decision-making. With digital operations serving as the foundation for so much of what businesses do, there is every reason to extend the same risk-based consideration to technology decisions. Many argue that when making any strategic business decision, cyber risk belongs right up there with other kinds of business risk, such as investment risk and brand risk. But how do you apply business risk to day-to-day IT operational decisions, especially in prioritizing vulnerability remediation?

That requires using a risk-assessment and prioritization platform as a collaboration tool. The best risk-assessment platforms now collect and correlate data from multiple sources including vulnerability scanners, configuration-management systems, database-security tools, asset-management systems, threat intelligence, and other sources. All of this data is factored into continuous vulnerability assessment and risk scoring. Users, particularly business stakeholders, can set values that specify the business criticality of assets. In this way stakeholders contribute directly to risk scoring and prioritization that is based on technical factors, such as accessibility and exploitability, and business risk factors such as criticality and network risk.
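The correlation described above can be sketched in a few lines. This is an added example, not code from any particular platform: the weighting in `risk_score`, the field names, and the sample findings and inventory are all constructed assumptions, chosen to show how stakeholder-set criticality reorders a severity-only list and how an asset missing from the inventory is handled.

```python
from dataclasses import dataclass

# Constructed sample data: scanner findings plus an asset inventory in which
# business stakeholders have set criticality (1 = low, 5 = business-critical).
FINDINGS = [
    {"asset": "web-01", "vuln": "VULN-A", "severity": 9.8, "exploit_available": False},
    {"asset": "erp-db", "vuln": "VULN-B", "severity": 7.5, "exploit_available": True},
    {"asset": "lab-07", "vuln": "VULN-C", "severity": 9.8, "exploit_available": True},
    {"asset": "kiosk-3", "vuln": "VULN-D", "severity": 6.1, "exploit_available": False},
]
ASSETS = {
    "web-01": {"criticality": 3, "internet_facing": True},
    "erp-db": {"criticality": 5, "internet_facing": False},
    "lab-07": {"criticality": 1, "internet_facing": False},
    # kiosk-3 is deliberately absent from the inventory.
}

@dataclass
class Ranked:
    asset: str
    vuln: str
    score: float
    note: str

def risk_score(finding, asset):
    """Hypothetical weighting: technical likelihood x business impact, 0-100."""
    likelihood = finding["severity"] / 10.0
    likelihood *= 1.0 if finding["exploit_available"] else 0.6  # exploitability
    likelihood *= 1.0 if asset["internet_facing"] else 0.7      # accessibility
    impact = asset["criticality"] / 5.0                         # business criticality
    return round(100 * likelihood * impact, 1)

def prioritize(findings, assets):
    """Join findings to the inventory and return them highest risk first."""
    ranked = []
    for f in findings:
        asset, note = assets.get(f["asset"]), ""
        if asset is None:
            # Unknown asset: assume worst case so it is not silently deprioritized.
            asset = {"criticality": 5, "internet_facing": True}
            note = "not in inventory; worst-case values assumed"
        ranked.append(Ranked(f["asset"], f["vuln"], risk_score(f, asset), note))
    return sorted(ranked, key=lambda r: r.score, reverse=True)

if __name__ == "__main__":
    for r in prioritize(FINDINGS, ASSETS):
        print(f"{r.score:5.1f}  {r.asset:8} {r.vuln}  {r.note}")
```

With these constructed inputs, the severity-7.5 finding on the business-critical database ranks first, while one of the two severity-9.8 findings, on a low-criticality lab host, ranks last.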

The risk-assessment and prioritization platform becomes the meeting place for stakeholders who understand their business risks, IT security professionals who understand the severity of threats and vulnerabilities, and IT operations teams that need prioritization and context to support rapid remediation. Having continuous risk assessment that automatically factors in business risk makes it possible to go from detection to accurately prioritized remediation in minutes. That capability improves the security posture of the business while easing the remediation burden on IT operations. It also effectively breaks down the walls between IT security and IT operations.

Pull Quotes

  • “Separating IT operations from IT security results in less effective vulnerability management, which ultimately increases cyber risk to the entire business.”
  • “Risk assessment becomes the common ground for collaboration between IT security, IT operations, and business operations.”

Key Points

  • Digital transformation is putting more pressure on IT security. The new security technologies needed to address the latest threats generate tons of incident data, which increases the remediation workload on an already stretched IT operations staff.
  • Overcoming the divide between IT security and IT operations requires a business risk approach to prioritizing vulnerability remediation. Use risk-assessment and prioritization technology as a collaboration tool shared by IT security, IT operations, and business operations.