Confidentiality, Integrity and Availability – those are the three pillars of the CIA triad model for information security.
Here’s something you might not have known: in reverse order, those same pillars apply to IT Operations. Think about it. In a world of agility and enablement, the availability, integrity and confidentiality of the systems and processes that allow us to conduct and grow our business are more critical than ever.
Let me pose a few questions: Why does it have to be one against the other? ITOps and SecOps have traditionally been at odds with tooling and priorities, yet their goals are the same. What if both groups could share those processes and controls to help them reduce risk, stay in compliance, and provide efficiencies across the organization? Wouldn’t that be something worth doing? One would have to think so.
So, let’s first review what we know about IT and security organizations. In the IT world, we use frameworks like Information Technology Infrastructure Library (ITIL) to tightly manage systems and reduce the risk of an incident adversely affecting critical business services. The people are overworked, underfunded and scrambling to manage everything around them.
Meanwhile, in the security world, we utilize methods to tighten configurations, assess vulnerabilities and look for anomalies to keep our data and systems safe from harm, but we still have more work than we can do, difficulty investigating everything, and not enough control. In these cases, we use different tools to collect similar and valuable information, yet don’t share that across the teams.
It isn’t an easy problem to solve, but there is one place you can and should start: attack the single thing that has the biggest impact to your goals, both positive and negative… change.
Change? Well yes, of course. It is both a boon and curse to IT and security teams. On the one hand, your organization needs to change and evolve to face the business and security challenges of today, while on the other hand, change can be the one thing that breaks all of your processes and controls and destroys the very pillars of which you are trying to achieve.
Change is constant, but knowledge with control is key to reducing the risks it poses.
At the end of the day, we all understand change is necessary. We also understand that within the CIA model, no matter which direction you approach it from, change presents the biggest obstacle to success. From planning to controlling to response, these are not unique to your organization, so why should the tools we use to detect and manage change be? Let’s share and be a stronger organization for it.
To discuss this topic in more detail, please join Geoff Hancock, Principal at Advanced Cybersecurity Group, and me for an upcoming webcast entitled, “Leveraging Change Control for Security.” Our presentation will dive into how IT and security can benefit from good change control. Specifically, participants will learn how Tripwire Enterprise can give organizations unprecedented visibility into changes – good, bad, planned, or unplanned. This will allow them to be more effective, reduce their risk, and keep their systems in a state they want them to be.
- Date: Tuesday, September 20, 2016
- Time: 11 AM Pacific / 2 PM Eastern
- Duration: ~45 minutes