This enlightened approach to security has been dubbed ‘SecOps’ – calling for a collaborative effort between IT security and the Operations teams, just as DevOps calls for cooperation between Development and Operations.
A SecOps culture revolves around accountability, visibility and response. This is achieved through security-oriented communication and collaboration, where every part of the organisation embraces security by sharing responsibility for it and understanding how it fits into their role. This can call for a major cultural shift, doing away with the traditional idea of security being ‘someone else’s problem’.
SecOps ties into DevOps by introducing security into development and quality assurance life cycles. More than simply a checkbox compliance item, this approach delivers business value through reducing risks and the likelihood of delays. It also paves the way for automated security testing prior to pushing changes out into production.
Throughout the business, adopting a SecOps culture involves applying security considerations in operational routines. Regular security patching is a good starting point, reducing ‘vulnerability dwell time’ – how long the business remains exposed to a known threat before it is addressed.
On top of this, a SecOps culture requires treating security threats as a business risk rather than merely an IT risk. This requires understanding the inherent risks of vulnerabilities, as well as the actual value that different business processes deliver for the organisation – thus appreciating the true impact of a security incident.
Embracing SecOps means understanding the importance of ‘layer 8 security’ – your people. Cyber-savvy staff are just as important in your cyber security defences as technological countermeasures.
Training
Security awareness training is crucial in thwarting attacks that take advantage of human frailties rather than technological weaknesses. This extends from basic phishing attempts to sophisticated business email compromise scams where attackers impersonate senior staff.
Combating such attacks requires your people at all levels to understand the cyber risk landscape, including the nature of different attacks, in order to identify potential threats as they arise. This requires a healthy sense of scepticism when it comes to unusual internal and external requests, along with the training to strictly follow financial procedures and other workflows designed to thwart attacks.
Security awareness is often treated as a compliance-driven exercise, expecting staff to watch short instructional videos and answer several basic questions – perhaps as part of their initial onboarding. Real security improvements come from behavioural change, not just ticking off compliance checklists.
This security mindfulness extends to staff taking responsibility for their own personal cyber security when it can put the business at risk, such as in Bring Your Own Device (BYOD) environments.
Whether your people are using work-issued devices or their own, they need to appreciate that poor personal security hygiene can be the weakest link in your business’s security chain. A SecOps culture needs to instil a sense of personal responsibility and the need for everyone to play their part in keeping your business safe.