IT and IS processes

Previously, we discussed the common ground between IT and information security in terms of technical solutions, as well as scenarios for their use and exchange of experience.

It remains to rise to a higher level and understand where, in principle, all the contradictions and problems begin – to processes.

General processes

Both IT and information security departments in a company can be wholly or partially responsible for the company’s internal processes. Some of them may be specific and relate only to one of the teams, while others are more general and even “business”, where the areas of influence and responsibility are gray and blurry.

1. Testing

Testing of any innovations, especially those related to the installation of new solutions of any class, business history (checking reliability and recovery) – all this is carried out by both teams in the context of their own infrastructure. Sometimes there are intersections when it comes, for example, to a new virtualization platform, a new service – and then you have to work together, and not in parallel.

2. Support

Support can be either internal user support or aimed at the same solution stack; but in both cases there is a place for information security: the notorious awareness and recommendations/tasks for hardening based on the results of pentesting and working with incidents.

3. Development and SSDLC

We discussed the role security professionals play in development in one of our articles earlier.

But we must not forget that development and any git often relies on support and administration from IT. At the junction, this is, mostly without visible conflicts, the full-fledged work of several teams on the same process.

4. System analysis, system design

Business speaks as it needs. Information security tells how to fulfill these requirements with an eye to security. And IT will be responsible for implementation in one form or another. We are again talking about teamwork, only here there is room for disputes and different areas of responsibility – because each team will have its own vision and its own resources in order to solve the problem.

5. Risk management

To be honest, risk takers are a separate people, with their own rules. But in any case, in every process there is this cornerstone of efficiency versus rationality, speed versus established rules.

6. Vulnerability management

This is a process, the complexity of working with which is due to the fact that IT is responsible for its implementation, and both of them can set such tasks. And while in the case of IT there is often some clear plan or resources, on the information security side there are requirements and knowledge on how to prioritize the threats behind vulnerabilities; the need to adhere to clear deadlines, because the safety and work of the entire company may depend on it.

7. Asset management

Often this process is associated only with IT, but if we look at the same NIST and its phases of working with incidents, we will see that the first two stages are responsible for understanding what you own. And it is knowledge about the infrastructure, internal relationships, as well as the ability to influence this that is required by information security. This entails attempts to separate the capabilities of the teams as much as possible – as we said earlier, each team can have its own asset management systems and not overlap at all, although the process is essentially common.

8. Incident management

Although the name itself implies that such a process relates specifically to information security, company policies very often provide for proactive response actions to be carried out only through the IT team. Whether this is because analysts cannot be trusted to do this, or because the decisions through which such actions are implemented are in the IT team, does not matter. The main thing is that in this process, without collaboration, it will be absolutely impossible to do anything meaningful.

9. Change management

When it comes to the notorious hardening and post-incident activities, it seems to mean that information security speaks and IT does, although this is not always the case.

It is not enough to formulate and issue recommendations for the infrastructure; there is a way to protect any innovations, first for IT, and then for business.

10. Configuration management

This process is controlled in exactly the same way as the previous one, they go together.

11. Patch management

Basically, here we can talk about vulnerabilities, but sometimes it is also related to development processes – problems found in the process of testing and code reviews in your own product also entail a chain of approvals and disputes – how much is needed at a particular moment, how effective.

12. Compliance

Despite the fact that compliance requirements are more important for business, it is security specialists who work with them, either as part of awareness or in terms of organizing the process. And in order for this process to exist in principle, it must be based on the work of the IT department.

13. BCM (business continuity management), process management

Surprisingly, even such seemingly “purely business” processes contain subprocesses such as asset management and security work, since testing is carried out for information security solutions as well. The continuity of the business as a whole depends on the well-coordinated work of the two teams.

General difficulties

1. Communication

It can be difficult to establish communication if departments exist as separate as possible from each other. If procurement is carried out with each individual separately, the requirements are not consistent with each other and there is no platform for interaction.

2. Priorities

Using the example of patch management and vulnerability management, it is clear that the goal of IT and information security sometimes lies in different things that may contradict each other.

3. Responsibility

This is probably the biggest thing that catches your eye. All these policies and definitions of who can do what and who cannot do what are the first thing you will hear as an answer to the question of contradictions.

4 Expertise

Different levels of expertise and competencies can often lead to poor communication. After all, if two teams speak different languages ​​and they do not have a “translator,” then how will they agree?

5. Communication with business

Sometimes IT is closer to business problems, sometimes information security, depending on the company. However, almost always someone's needs coincide with the main vector of the company, and someone must additionally protect them.

6. Changing processes

In principle, it is very difficult to take it and start working differently. It is very difficult to change, especially where the process has already been established and has shown its effectiveness.

Solutions

1. Joining forces for common processes

It can help to either recruit a shared team that includes members from different departments, or implement a process from the list above that takes into account the participation and needs of both departments. The internal laboratory will bring such projects to completion together, combining strengths.

2. Unified strategy from business

IT and information security are equally valuable in a company, and if you continuously fill one side of the scale, forgetting about the second, the imbalance will sooner or later make itself known. It is impossible to get a good result without combining competencies and practices on both sides.

3. Exchange of experience and personnel

Sometimes it is useful to work for some time in a team of people whose activities are not entirely clear and transparent to you. In some cases, being confronted with the same challenges that people go through every day in their work is somewhat sobering and allows them to think about how to solve these problems instead of making them worse.

4. Technology Stack Exchange

As we described earlier, there are many useful solutions that can improve the efficiency of both information security and IT. The exchange of this knowledge, technology and expertise allows us to reach a new level of comfortable and efficient work.

In general, healthy communication and the absence of imposed competition and stereotypes that come from both businesses and ordinary users help solve most problems and disagreements.