How to tackle the gap between security and operations?

At many companies, there’s a gap between security and what is generally called operations, or more colloquially, ‘the rest of the organization’. That gap is becoming an issue, because the days when only the security team needed to know about security are behind us. So, what can you do about that?

In order to answer this question, CompTIA (see the bottom of the page for more information about this non-profit organization) asked us to host and moderate a workshop on this topic for the CompTIA Benelux Community in Belgium, co-moderated by Luc van Roey from F-Secure. Approximately 30 business leaders attended and discussed the issue. The workshop was set up to first get an idea of what the situation is like now, then move on to how the attendees would like it to be, and finally arrive at some feasible next steps to tackle it.

Before we start: the issue at hand

Before going into what was discussed during the workshop, let’s first briefly outline, for the sake of clarity, why this gap is becoming an increasingly big issue.

It’s virtually impossible to view the gap discussed during the workshop separately from the bigger security trend of shifting focus from prevention to detection. The saying, ‘it’s not if, but when you will be hacked,’ has become more or less received wisdom in security circles. This also means that you have to deal with security differently inside your organization. Gone are the days when security personnel would focus solely on keeping the bad guys out. They will get in eventually, which means non-security people inside organizations need to know more about security. For that to happen, the gap between both sides needs to become smaller.

The gap is real, that’s for sure

From the discussion between the participants, it is very clear that the gap between security and operations is a fundamental one. Many noted the lack of alignment between the two sides of the equation, usually in the form of management not understanding why it’s important to bridge the gap. That is, more often than not, little has been done to address the issue to start with. Securing the budget to actually do something about it isn’t easy either, which makes it an even bigger hurdle.

It is clear that there appears to be a lack of awareness in many organizations. But even if there’s awareness, the next hurdle is access to education, which is lacking as well, based on feedback from the group. Over-regulation inside organizations was also cited as a reason for not being able to bridge the gap, with security teams more or less being forced to operate on an island.
