Realigning Security Operations

during the course of my engagements with various customers, i am noticing an interesting trend in the way the security functions of these customers are evolving. usually this trend is fairly common in large organizations, but recently even mid-size organizations seem to follow it. about 3 – 4 years ago, the information security team in an enterprise was handling almost all the aspects of securing an enterprise IT environment. some of the tasks that the security team was responsible for were:

  • defining corporate security policies
  • performing IT risk assessment
  • tracking threat and vulnerability landscape for new threat vectors and vulnerabilities
  • identifying security controls required to mitigate the threats or close the vulnerabilities
  • managing and maintaining security controls like IDS, firewalls, anti-virus, URL filtering etc
  • monitoring malicious activities on the network/system security elements
  • incident response
  • in some cases also working on BCP/DR initiatives.

in the recent past, i have noticed a change in the way security functions are being organized and their work areas or job descriptions defined.

looking at a few analyst reports, the security budgets have more or less remained range bound between 7 – 9% of the overall IT spend in the past two years. there is an exception in 2004 – 2005 for some verticals due to the SOX deadline. of the overall IT security spend, about 40 – 45% is on products and solutions.

in the dynamic era of globalization, the business needs also keep on changing in the face of new business initiatives and service rollouts. such initiatives require involvement of the security teams to identify and formulate a risk management strategy for them. at the same time, new and more complex threats appear on the horizon (for more details on new threats etc, one can refer to the SANS or CERT websites). thus, the security teams seldom have time to focus on more strategic initiatives and risk management functions.

in the discussions i have had with some CIOs and CISOs, there are some interesting points which came out. there is a desire at senior management level to hand off the tactical and operational responsibilities to the other IT teams. the management now wants their teams to focus on strategic tasks like risk management and program management (to keep a check on how various teams go about executing their newly acquired security operational responsibilities). however, there is much resistance to this change at the level of security engineers, who are reluctant to give up their controls and move to a more strategic role. i am not sure how long they can hold on to their resistance against this shift in responsibilities though.

at a tactical level, i am noticing the transition of following responsibilities:

  • the systems and network teams are now also responsible for ensuring that the servers and routers being provisioned are built securely, rather than having security features provisioned as an afterthought. the systems teams ensure that the infrastructure is built as per corporate baseline security guidelines and standards. the same is the case for desktops.
  • the security teams are now responsible for developing and updating the corporate security baseline standards for various technologies.

at the operational level, i am noticing the transition of responsibilities as follows:

  • responsibility for monitoring, management and maintenance of the following components is now being transitioned – anti-virus, HIDS, endpoint encryption, two-factor authentication, access control etc.
  • the security team works with the systems team on the logical and physical design and vendor selection for the above mentioned technologies.
  • responsibilities for maintaining and managing access control at the network layer using firewalls are now being handed over to network teams. the only exception i have seen is in the case of Checkpoint firewalls (since they don’t speak the ACL language yet 😉 ).
  • the role of the security team is then to validate change requests for opening certain ports or access to subnets etc.
  • the systems and network teams are also becoming more and more responsible for detecting malicious events and initiating appropriate responses using the incident management process.
  • the security team is responsible for defining the incident management process along with the systems and network teams.

however the security engineers are resisting this ‘letting go’ of their traditional responsibilities. i have seen engineers who are very good in their respective domains of intrusion analysis, endpoint protection using HIPS technologies etc who have fought tooth and nail to retain their areas of responsibility and resisted any attempt by management to move them to more strategic roles. in the end, many of these engineers have been moved to respective systems and end-user teams so that they can continue their work in those areas.

however, this has introduced a new dimension for the existing IT teams. traditionally they have not been accustomed to handling responsibilities for building and maintaining the security attributes of the IT infrastructure components they are responsible for.

with the transition of tactical and operational responsibilities, there is a skill-set challenge for the IT teams, who are the executors of these tasks. many organizations are either spending money to train the teams, hiring new personnel with the required skill sets or, in some cases, moving the security engineers who still want to continue working with the technology from the security teams into their teams.
