There’s no way you can have a secure enterprise computing environment unless that environment is properly managed. And you can’t effectively manage those complex enterprise systems unless you have confidence that they are secure.
Some might call this a chicken-and-egg situation, where you don’t know where to start. Should you start with security? Or should you start with system management? That’s the wrong approach. Think of this instead like Reese’s Peanut Butter Cups: It’s not chocolate first. It’s not peanut butter first. Instead, both are mixed together — and treated as a single delicious treat.
Many organizations, I would argue too many organizations, are structured with an IT management department reporting to a CIO, and with a security management team reporting to a CISO. The CIO team and the CISO team don’t know each other, talk to each other only when absolutely necessary, have distinct budgets, certainly have separate priorities, read different reports, and utilize different management platforms. On a day-to-day basis, what constitutes a task, an issue or an alert for one team flies completely under the other team’s radar.
That’s not good, because it forces both the IT and security teams to make assumptions. The IT team believes that everything is secure unless someone tells them otherwise: it presumes that devices and applications have not been compromised, that users have not escalated their privileges, and so on. Similarly, the security team assumes that the servers, desktops, and mobile devices are working properly, that operating systems and applications are up to date, and that patches have been applied.
Since the CIO and CISO teams aren’t talking to each other, don’t understand each other’s roles and priorities, and aren’t using the same tools, those assumptions may well be wrong.
And again, you can’t have a secure environment unless that environment is properly managed, and you can’t manage that environment unless it’s secure. Put another way: an insecure environment makes everything the IT organization does suspect and unreliable, because you can’t know whether the information you’re seeing is correct or has been manipulated. It might all be fake news.
Bridging the IT / security gap
How to bridge that gap? It sounds easy but it can be difficult: make sure there is an umbrella covering both the IT and security teams, so that both report to the same person or organization at some level. It might be the CIO, it might be the CFO, it might be the CEO. For the sake of argument here, let’s say it’s the CFO.
If the company doesn’t have a secure environment, and there’s a breach, the value of the brand and the company can be reduced to zero. Similarly, if the users, devices, infrastructure, applications, and data aren’t well managed, the company can’t work effectively, and the value drops. As we’ve discussed, if it’s not well managed, it can’t be secured, and if it’s not secure, it can’t be well managed.
The fiduciary responsibility of senior executives (like the CFO) is to protect the value of business assets, and that means making sure IT and security talk to each other, understand each other’s priorities, and if possible, can see the same reports and data — filtered and displayed to be meaningful to their particular areas of responsibility.
That’s the thinking that went into the design of our Zenith platform. It’s not a security management tool with IT capabilities, and it’s not an IT management tool with security capabilities. No, it’s a Peanut Butter Cup, designed equally around chocolate and peanut butter. To be less confectionery about it: Zenith is an umbrella that gives IT teams what they need to do their jobs, and gives security teams what they need as well, without the coverage gaps that would undermine each team’s assumptions about the state of enterprise security and IT management.
We need to ensure that our business’s IT infrastructure is built on a secure foundation – and that our security is implemented on a well-managed base of hardware, infrastructure, software and users. We can’t operate at peak efficiency, and with full fiduciary responsibility, otherwise.