IT operations security can be a complicated language to learn, but for optimal security performance, accuracy and coordination, organizations must invest in training for ITOps teams.
The more fluent an ITOps team is in security, the fewer roadblocks it will encounter when implementing IT security concepts and tools. This article explores why IT security deficiencies exist within ITOps, where the skills gaps are and how to get an organization's IT support staff up to speed.
I recently spoke about ITOps security fluency deficiencies with Plamen Martinov, CISO of the Open Commons Consortium, a Chicago-based venture that supports cloud computing initiatives in the medical and scientific communities. He has witnessed this issue on more than one occasion. All too often, security incidents are brought to the attention of front-line IT staff only to be mishandled due to a lack of understanding or ineffective and siloed communications channels, he said. Faulty assumptions about the skill levels of ITOps personnel are a contributing factor, particularly because ITOps is a relatively new field compared to others.
Well-established professions, like marketing, accounting and finance, receive more initial and ongoing training that provides staff members the essential foundation to be successful in their jobs. IT, which is a fairly new concept compared to these other organizational roles, is treated differently, according to Martinov, and ITOps professionals are not given the same training. It's often assumed that everyone in IT is fluent in IT security processes and procedures, but Martinov said that this could not be further from the truth.
ITOps staffs need common security language and tools
While ITOps staffers don't need to be experts in IT security, Martinov said it's important they understand organizational security policies and communicate the basics. As such, a common language is critical to successfully exchanging information between teams. For example, when properly implemented, the NIST Cybersecurity Framework can provide employees in different IT departments a way to communicate, coordinate and collaborate in a language that's universally understood.
Another IT operations security training gap revolves around tools that protect and monitor the corporate infrastructure. Many organizations restrict access to these tools to the security team only. As a result, IT security administrators are the only ones trained to properly read and react to the alerts the tools generate -- this leaves other front-line staff in the dark. In addition, ITOps teams will often implement their own security monitoring tools instead of sharing the existing ones that are already in place. This creates unnecessary overlap and, ultimately, a glut of tools within the IT department.
Martinov's recommendation: Make security more open within the organization by giving ITOps access to the security program's technology -- and sufficiently train staff to use the tools properly. In some cases, he said, vendors have performed the heavy lifting by creating specialized security tool dashboards and capabilities for IT operations staff. He stressed that access to and visibility into the same security information available to the security team would empower ITOps to make the right security decisions using their knowledge and experience.
Cultural changes needed to drive ITOps security
The path toward ITOps security fluency requires cultural changes from within. Business leaders must reevaluate the level of IT security risk they are willing to tolerate. Because of growing concerns over data theft and loss in the enterprise, it's likely business executives will have less tolerance for risk than they previously thought. If that's the case, then talking about security being a priority and making security a priority will be two very different things, according to Martinov.
Business leaders, as a first step, should focus on the identity of the organization, he recommended. They must determine what the company wants to be as it relates to cybersecurity and understand that identity clearly. Then they can begin to make organizational and cultural changes to achieve that identity. Positive outcomes are short-lived, in Martinov's opinion, unless good security habits become part of the identity of an organization. This can only be achieved through strong and ongoing training.