With the risks caused by siloed departments and a lack of collaboration growing ever greater, it’s vital to ensure your IT teams and Security teams are working towards the same goals.
The world has seen some extraordinary things in 2020, but one that really stopped people in their tracks in October, at least in the UK, was when the reigning champions of the English Premier League, Liverpool, were beaten 7-2 by Aston Villa, a team that had only scraped out of the relegation zone by a single point in the previous season. Heads were scratched, jubilation was widespread and questions were asked. What had changed in those few short months between seasons? Yes, Villa had made a number of notable signings, but the big difference that everyone fixed on was attitude. For the first time in a long time, Villa were playing as a team, with a cohesion and trust in each other that was palpable.
Football analogies aside, teamwork is one of the most important facets of any business looking to thrive, but one area that has traditionally struggled in this regard is the relationship between Security and IT. Why is this?
To understand this, you need to look back at the history of how the two teams were formed, says James Alliband, Security Strategist at VMware Carbon Black, as misalignments can arise from the different career paths of those in IT and of security engineers.
In many countries it’s now possible to go into the latter without having a technology background, he says. “You actually find that some are people who, as teenagers, learned how to hack, code and develop. It’s great that you can turn hacking into a positive career, but at the same time, they haven’t come from that technology background.”
“IT was always technology driven and driven through innovation and processes,” adds Alliband. “Security found faults… you imagine somebody’s babies, somebody created this data centre and then someone else comes along and picks it apart, saying, ‘that’s a problem, there’s a vulnerability there’.”
What this misunderstanding does is immediately create silos and defensiveness. For collaboration to be effective, teams need to be able to speak the same language and work together with a common set of facts. Silos and a lack of trust lead to a breakdown in communication between teams, between organisations and between departments.
The outcome is bad for the bottom line, says Alliband. “The result is ineffectiveness, which creates delays, issues and cycles of bad management.
“A task that could take a couple of hours, for example, is starting to take days and weeks. Things don’t move forward and this is not a constructive environment to be involved in.”
Worst-case scenarios
Calculating the possible financial risks when teams fail to collaborate is a case of ‘how long is a piece of string?’ says Alliband, but if the end result is a drastic data breach or broken compliance regulations, the damage can run into the millions of dollars. He cites the experiences of British Airways, which has faced various IT issues in recent years: a post-GDPR (General Data Protection Regulation) data breach in 2018, caused by a vulnerability in its third-party JavaScript, compromised the details of half a million customers and led to proposed fines of $332 million (the airline is appealing), and at least three major outages between 2017 and 2019 led to cancelled flights and thousands of very disgruntled customers.
And the risks are not solely financial. Actual lives are now at stake too. In September this year, Dusseldorf University Hospital in Germany was hit by ransomware, disabling its emergency care systems. A patient was then transferred to a hospital 30 kilometres away, dying in the process. This could well be the first known case of a death linked to a cyber attack.
How to promote collaboration
With such high stakes, it’s vital to promote strong collaboration between the Security and IT teams. Perhaps the first thing to do to repair a fractured relationship is underline the shared responsibility they have for ensuring scenarios like those mentioned above are prevented. They need to understand the possible, and indeed probable, consequences of not collaborating, and the urgency of getting it right. And it’s up to Security to explain issues clearly. “What happens quite frequently is that Security will come to the IT team and point out deficiencies or vulnerabilities, but the IT team won’t necessarily understand what the consequences or potential risks of that vulnerability are,” says Alliband. “Furthermore, how do they remediate against it? Because they are so focused on whatever iteration they need to get through.”
Fortunately, one of the silver linings of the global pandemic is that security has become top of mind for everyone. “It really changes that mindset if you can build that nature into your organisation,” says Alliband. This means everyone, whether they are working in their regular workspace or at home, is aware, and careful not to click on links in suspect emails, not to give out their details to phishing attacks, not to override security protocols that have been put in place for a good reason.
“At that moment in time, you’re effectively collaborating, because you’re building it as part of the process. That’s how you can shift forward.”
To return to where we came in, Alliband is a football referee and says that being a former player has helped him in applying the laws of the game on the pitch. “Understanding how the game is played, how players behave and how players communicate on the pitch is a real advantage,” he says. “These foundations enable us to understand the expectations and enhance the performance on the pitch of us as officials, as we are able to break down the silos,” he concludes.