
Benefits and challenges of NetOps-SecOps collaboration

Organizations need to tread carefully when planning how to converge their networking and security teams to achieve potential benefits and mitigate the challenges.

Despite the hype suggesting that network-and-security convergence is a huge phenomenon sweeping the enterprise, a Nemertes research study revealed that this is far from the case.

The firm's "NetSecOps Research Study 2024-2025" found that only 31% of IT organizations have merged their network and security operations.

At the same time, Nemertes' research illustrated some of the benefits enterprises realized by converging their network and security operations, among them the delivery of highly reliable network services. But that upside came with a clear caveat: Enterprises with converged security teams didn't necessarily record high levels of success in security.

That said, the nature of the modern enterprise and today's cybersecurity threats suggest that organizations -- even if they don't converge network and security operations -- should at least pursue a strategy of tighter and broader collaboration between the two groups.

Benefits of network-and-security collaboration

For more than 10 years, Nemertes has advocated that enterprises converge their network operations center (NOC) and security operations center (SOC). The reasoning is based on the realities of the events that NOCs and SOCs respond to, the tools they use and the processes they follow.

Network problems can look like security problems, and vice versa. Is it a failed router or a DoS attack in progress? In both cases, the initial reports might look the same and come from the same people. This ambiguity sparks one of three responses:

  1. Both the NOC and SOC respond simultaneously, resulting in duplicative effort and, potentially, conflicting responses.
  2. Either the NOC or SOC responds initially, handing an event off to the other whenever one finds out it isn't the right team to pursue it. This usually results in a similar duplication of effort, albeit serially rather than in parallel.
  3. The combined NOC/SOC responds, escalating the event to appropriate specialists in networking or security as events unfold.
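The first-pass triage a combined NOC/SOC would run on an ambiguous "router unreachable" report, as an added example that is not from the article or from Nemertes. It assumes a simplified syslog-style line format and constructed sample lines (not real device output); the signal patterns, the 90% utilization threshold and the team names are illustrative assumptions. The point is that one shared script looks at both network telemetry (link and BGP state) and security telemetry (flood signatures, saturation) before deciding which specialists to escalate to, instead of each team triaging the same report separately.

```python
"""Joint NOC/SOC first-pass triage over constructed syslog-style lines.

Added example; not code from the article. Line format is a simplification:
"<ISO timestamp> <device> <message>". Signal patterns are assumptions.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample 1: link and BGP session drop, then the monitor loses reachability.
LOG_NETWORK_FAULT = """\
2024-05-02T09:00:01 edge1 %LINK-3-UPDOWN: Interface Gi0/1, changed state to down
2024-05-02T09:00:03 edge1 %BGP-5-ADJCHANGE: neighbor 203.0.113.1 Down
2024-05-02T09:00:10 monitor edge1 unreachable (icmp timeout)
"""

# Constructed sample 2: ingress saturation and a flood signature, then the same
# "unreachable" report. To the person filing the ticket, both cases look identical.
LOG_POSSIBLE_DOS = """\
2024-05-02T09:00:01 edge1 %IFMGR-5-UTIL: Interface Gi0/1 ingress utilization 98%
2024-05-02T09:00:02 fw1 SYN flood detected: 52000 syn/s to 198.51.100.10:443
2024-05-02T09:00:10 monitor edge1 unreachable (icmp timeout)
"""

# Assumed signal patterns. "saturation" captures the utilization percentage so it
# can be compared against a threshold rather than matched blindly.
SIGNALS: Dict[str, re.Pattern] = {
    "link_down": re.compile(r"changed state to down", re.I),
    "bgp_down": re.compile(r"BGP.*neighbor \S+ Down", re.I),
    "unreachable": re.compile(r"\bunreachable\b", re.I),
    "saturation": re.compile(r"utilization (\d+)%", re.I),
    "syn_flood": re.compile(r"SYN flood", re.I),
}


@dataclass
class Triage:
    lead: str                      # which specialists get the escalation first
    reason: str
    evidence: List[str] = field(default_factory=list)


def collect_signals(log: str, util_threshold: int = 90) -> Dict[str, List[str]]:
    """Tag each log line with the signals it carries; drop sub-threshold utilization."""
    hits: Dict[str, List[str]] = {name: [] for name in SIGNALS}
    for line in log.splitlines():
        line = line.strip()
        if not line:
            continue
        for name, pattern in SIGNALS.items():
            match = pattern.search(line)
            if not match:
                continue
            if name == "saturation" and int(match.group(1)) < util_threshold:
                continue  # normal load, not evidence of anything
            hits[name].append(line)
    return hits


def triage(log: str, util_threshold: int = 90) -> Triage:
    """Decide who leads: traffic anomalies point at security, bare fault signals at networking."""
    hits = collect_signals(log, util_threshold)
    evidence = [line for name in SIGNALS for line in hits[name]]
    flood = hits["syn_flood"] or hits["saturation"]
    fault = hits["link_down"] or hits["bgp_down"]
    if flood:
        # Reachability loss accompanied by saturation or a flood signature: security leads,
        # networking applies the mitigation (filtering on the device) under SOC direction.
        return Triage("SOC", "flood or saturation signals present alongside outage", evidence)
    if fault or hits["unreachable"]:
        # Outage with no traffic anomaly: most likely a failed box or link.
        return Triage("NOC", "reachability loss with no traffic anomaly; treat as fault", evidence)
    return Triage("joint", "no decisive signal; both teams keep watching", evidence)


if __name__ == "__main__":
    for name, log in (("fault", LOG_NETWORK_FAULT), ("dos", LOG_POSSIBLE_DOS)):
        result = triage(log)
        print(f"{name}: lead={result.lead} ({result.reason})")
        for line in result.evidence:
            print("   ", line)
```

In a real deployment the patterns would come from the shared SIEM or flow-collector rather than regexes, but the structure stays the same: the combined team resolves the ambiguity once, attaches the evidence to the ticket, and escalates to whichever specialists the evidence points at.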

NOC teams and SOC teams usually rely on an overlapping tool set. While the security team is likely to have more specialist tools to draw on, it leans, like the network team, heavily on general-purpose tools, such as SIEM software; scripting languages, like Python or PowerShell; and automation and configuration management tools, like Ansible or Chef.

If network and security teams work entirely separately, they are likely to follow divergent standards for the scripts they write, differ in how they manage scripts and recipes, and possess multiple licenses for and instances of tools where a single one might serve better and cost less.

The bottom line: The more NOC and SOC teams use the same tools and share instances, the more efficient they can become.

Sharing tools becomes even more important when members of either team have to cover for members of the other. It is also worth mentioning that most modern network devices have strong security functionality, such as access control lists, port-based authentication and flow telemetry, and can and should be integral both to ongoing cybersecurity policy enforcement and to cybersecurity incident response.

The same logic applies to event management processes, including escalation policies and paths, and to incident response. The more tightly woven an enterprise's network and security processes and policies are, the less likely anything will drop into the space between and be left unaddressed. Tighter integration also makes it easier for teams to cover for each other.

Whether or not the enterprise goes all in and formally consolidates its NOC and SOC, it can reap abundant benefits from having its network and security teams collaborate more closely and consistently.

Challenges of network-and-security collaboration

Enterprises face a number of challenges when trying to pull their network and security teams more closely together. The main issues are organizational, budgetary and political.

Organizational challenges

Organizationally, the chief challenge is that, in entities big enough to have them, security teams typically report to a CISO, while network teams report up to a CIO. Merging teams forces enterprises to decide who will oversee the combined teams -- and this can create an awkward reporting structure.

Merging processes and tightening collaboration without consolidating the teams generates its own problems, among them the failure to eliminate impasses, as well as finger-pointing at both the team level and the leadership level.

Budgetary challenges

At the budgetary level, there are fewer barriers to collaboration but plenty to consolidation. Network budgets and teams are level or shrinking in most organizations. Cybersecurity budgets and teams are most often growing, if still inadequate to the need. Some cybersecurity teams and leaders are reluctant to risk this favorable position by merging with their networking counterparts.

Political challenges

Politically, there is little enthusiasm for investing a major amount of money or effort in networking, which is not seen as strategic. Cybersecurity is the opposite: It is seen as an area of existential threats and, as such, receives a lot of focus in the boardroom.

At many organizations, a sharp division continues to exist between networking and security teams. Employees are unenthusiastic about collaborating, and the respective teams' reputational and institutional profiles -- neglected, technically stagnant utility versus strategically crucial hotbed of innovation -- only exacerbate the cultural rift. To make closer collaboration work, leadership must push, set the example and hold both teams accountable on an ongoing basis.

John Burke is CTO and principal research analyst with Nemertes. With nearly two decades of technology experience, he has worked at all levels of IT, including end-user support specialist, programmer, system administrator, database specialist, network administrator, network architect and systems architect. His focus areas include AI, cloud, networking, infrastructure, automation and cybersecurity.
