Security as an Operational Problem

Hoff recently posted that Virtsec is an operations problem (here). I would take this line of thinking further and posit that security in general is an operations problem.

At the recent Gartner IT Security Summit, Peter Firstbrook presented a session on the future of desktop security through 2018. During the presentation he polled the audience on several questions, one of which was along the lines of “How many people believe that security functions, such as endpoint security, should be managed by the operations teams and integrated with systems management technologies?” Of the audience, 90% responded yes. Note that these were predominantly security professionals, and they were essentially agreeing to cede management responsibility for certain asset-based security functions, such as endpoint protection, to the operations team. This isn’t really new, since in most organizations security teams do not generally patch, configure, deploy or modify infrastructure, although they may inform, audit, and monitor it. What is interesting to me is that I asked a similar question about 4 years ago at a Gartner IT Security Summit and only about 30% responded “yes” to the operationalization of security question. What has changed?

Systems manageability has become a critical aspect of effective security management. The proliferation of agents to address compliance and security concerns has shifted demand from best-of-breed widgets to best-of-breed manageability. This is driving the convergence of systems and security management I have been espousing (here) and (here). Systems and PC life-cycle management technologies will converge with endpoint protection technologies.

If this convergence is inevitable then why are companies like Symantec and others so slow to bring a converged solution to market? Simple – they are economically disincentivized to innovate this way. They can maximize revenue with separate products since a single integrated product will have a lower price point as well as lower adjacent revenue streams, such as professional services, maintenance, etc. It is in their best interest to speak to integration but to move slowly to deliver.

The vendors are not alone in how slowly they evolve. Organizations have been equally slow in moving as much day-to-day administration and management of security technologies as possible to the operational teams, where it should reside. Making that move enables security to focus on the lean-forward aspects of their jobs, namely monitoring and responding, as well as the lean-back aspects, which should really be defining and driving policies to better enable business agility and availability.

2 thoughts on “Security as an Operational Problem”

  1. Is it as simple as that security management has become routine, fundamental, and just another thing that system managers and operations staff need to do?

    It certainly should have by now. If it hasn’t, the security professionals need to re-think things a bit.

    Here’s my model (I made it up about 3 minutes ago) 😉

    Yesterday’s threats need to be handled by daily operations, today’s threats need to be handled by lead system managers, and tomorrow’s threats need to be handled by security teams.

    The security team needs to be looking down the road at what we’ll smack into tomorrow. They can’t be looking down at their feet to make sure they don’t trip on today’s threats, and they certainly can’t be looking behind them at yesterday’s crud.

  2. Well said, Michael – if your organization has security professionals goofing around with AV signatures, HIPS configuration, deploying encryption, modifying ACLs, then your organization is in serious trouble.
