For Security to Succeed We Need More Silo-busting
In my role as editor-in-chief of DevOps.com I hear, read and write a lot about the need for all of the various constituents of IT to work more closely together, so I’m always happy to hear about a company’s efforts at silo-busting. When I saw Javvad Malik’s report on FireMon’s new Policy Optimizer and its ability to break down silos, I’ll admit it brought a smile to my face.
Malik’s report describes how Policy Optimizer breaks down silos across different parts of IT when determining which firewall rules are out of date, no longer necessary or even outright security risks. Much of this silo-busting is accomplished through automation, which again is music to a DevOps advocate’s ears.
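To make the three classes of rule concrete, here is an added example (my own illustration, not FireMon’s code or anything from Malik’s report) that reviews a small, constructed firewall rule base and flags rules that are stale, overly permissive, or never reached because an earlier rule already matches their traffic. The addresses, hit dates, the 90-day staleness threshold and the first-match-wins ordering are all assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from ipaddress import IPv4Network, ip_network
from typing import Dict, List, Optional

# Assumptions for this example (not FireMon's logic): a rule with no hits in
# 90 days is "stale", and rules are evaluated first-match, top to bottom.
ANY_NET = ip_network("0.0.0.0/0")
ALL_PORTS = frozenset(range(1, 65536))
STALE_AFTER = timedelta(days=90)


@dataclass(frozen=True)
class Rule:
    name: str
    src: IPv4Network
    dst: IPv4Network
    ports: frozenset            # TCP destination ports the rule matches
    action: str                 # "allow" or "deny"
    last_hit: Optional[date]    # None means the rule has never matched traffic


def covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet matched by `inner` is also matched by `outer`."""
    return (inner.src.subnet_of(outer.src)
            and inner.dst.subnet_of(outer.dst)
            and inner.ports <= outer.ports)


def review(rules: List[Rule], today: date) -> Dict[str, List[str]]:
    """Flag stale, overly permissive, redundant and shadowed rules.

    A rule fully covered by an earlier rule never sees traffic: if the
    actions match it is merely redundant; if they differ it is shadowed
    and the later rule's intent (e.g. a deny) is silently defeated.
    """
    findings: Dict[str, List[str]] = {}
    for i, rule in enumerate(rules):
        issues = []
        if rule.last_hit is None or today - rule.last_hit > STALE_AFTER:
            issues.append("stale")
        if rule.action == "allow" and rule.src == ANY_NET and rule.ports == ALL_PORTS:
            issues.append("overly-permissive")
        for earlier in rules[:i]:
            if covers(earlier, rule):
                kind = "redundant" if earlier.action == rule.action else "shadowed"
                issues.append(f"{kind}-by:{earlier.name}")
                break   # the first covering rule is the one that actually matches
        if issues:
            findings[rule.name] = issues
    return findings


# Constructed sample rule base; addresses, dates and hit history are made up.
TODAY = date(2024, 6, 1)
SAMPLE_RULES = [
    Rule("web-in", ANY_NET, ip_network("10.0.1.0/24"),
         frozenset({80, 443}), "allow", date(2024, 5, 31)),
    Rule("legacy-ftp", ip_network("10.0.0.0/8"), ip_network("10.0.2.10/32"),
         frozenset({21}), "allow", date(2023, 11, 2)),
    Rule("temp-debug", ANY_NET, ip_network("10.0.3.0/24"),
         ALL_PORTS, "allow", None),
    Rule("web-in-dup", ip_network("203.0.113.0/24"), ip_network("10.0.1.0/24"),
         frozenset({443}), "allow", date(2024, 5, 30)),
    Rule("block-web", ip_network("198.51.100.0/24"), ip_network("10.0.1.0/24"),
         frozenset({80}), "deny", date(2024, 5, 20)),
]


def review_sample() -> Dict[str, List[str]]:
    return review(SAMPLE_RULES, TODAY)


if __name__ == "__main__":
    for name, issues in review_sample().items():
        print(f"{name}: {', '.join(issues)}")
```

Run against the sample, the script reports legacy-ftp as stale, temp-debug as both stale and overly permissive, web-in-dup as redundant with web-in, and block-web as shadowed by web-in. That last case is the one worth the developers’ and Ops’ attention: a deny that never fires looks like a control on paper and is nothing of the kind on the wire.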
Why are silo-busting and automation so important? The short, real-world answer is that today’s speed of business will accept nothing less. The more detailed answer is that in a world:
- where changes, including changes to code, happen multiple times a day,
- where “web-scale IT” measures servers and instances in the tens of thousands,
- where security must keep up or be left behind, and
- where automation and close work with developers, operations and QA is no longer optional but a necessity,
breaking down silos is a key ingredient of success.
I’ve been hearing that security needs to be “built in, not bolted on,” and that security needs a seat at the IT table, almost since I first became involved in the security industry over 15 years ago. Policy Optimizer is just the kind of solution that addresses this need: it gives security a way to work with the rest of the IT team that makes sense and lets the business move forward at the velocity it needs.
Before we declare “mission accomplished,” though, let’s not get ahead of ourselves. We still have a long way to go to integrate security into IT and truly break down the silos involved. We need developers to take greater ownership of building secure applications. Sticking with firewalls for a moment, it would be great if developers gave some thought, while building an application, to who will need access to it, when, and what kind of access they will require. Giving developers a say in setting firewall rules makes sense.
Beyond the development team, how about working more closely with the Ops folks? Who knows the network better? Far too often the Ops team sits in a different silo from the security team, and the two end up working at loggerheads.
Again, this is why I like tools like FireMon’s Policy Optimizer and Risk Analyzer: they give Ops insight into security decisions and policies. Ops shouldn’t feel that security and risk strategies are devised through black magic. Shining a light on why security decisions are made and giving Ops input into the process is how you get buy-in and how you really break down silos. Most importantly, it is how we tangibly change our security posture for the better.
For some organizations this is still a very alien concept. Security teams are treated almost as audit teams and are purposely set apart from the rest of IT. To me, this perpetuates a culture of failure around security. All you have to do is glance at the headlines on a regular basis to see that the old way of separate security teams is not working. We need new, more effective solutions, and those solutions have to take into account the new way of doing business. Megatrends like Big Data, the cloud and mobility have fundamentally changed the equation for many businesses. If security is to stay relevant, it must adapt and evolve.
For me, breaking down the silos around the security team sounds the death knell of standalone security teams. I look forward to the day when instead of having a standalone security team, everyone in the IT department is part of the security team. I don’t know if that will happen in my lifetime, but every step along the way, such as Policy Optimizer, is a step in the right direction.
As Editor-in-chief of DevOps.com, a regular contributor to Network World, manager of the Security Bloggers Network and Chief Executive Officer at The CISO Group, Alan Shimel is attuned to the world of technology, particularly cloud, security and open source. Prior to his current positions, Alan was the co-founder and Chief Strategy Officer at StillSecure. Shimel is an often-cited personality in the security and technology community and is a sought-after speaker at industry and government conferences and events.