Recently, I had the pleasure of getting into a fight with Charisse Castagnoli, who is not only a highly regarded expert in the field of information security (InfoSec), but is a trained lawyer as well.
Obviously, I don't have the best judgment, because, of all the people one should avoid arguing with, lawyers and InfoSec pros are at the top of the list. But here I went and found both wrapped up into one package. The one thing that saved me: She is a delightful human being.
A true professional, she welcomes differing opinions and relishes the chance to test her experiences and ideas against those of another -- not to win and not to prove she is right, but rather to find the honest truth of the matter.
So, what was so special about my talk regarding IT friction that merits bringing it up here?
Like I said, she's in InfoSec. Getting security professionals into the room and talking with network operations (NetOps) folks is challenging at best. It's made even more challenging when the NetOps person in question (me) has a focus on network and systems monitoring.
If we presume that neither side ... wants the situation to continue, what are the humble InfoSec and NetOps professional to do?
In all the years I've focused on the monitoring sub-specialty, my experience is that InfoSec and NetOps have what can be politely described as a "co-predatory" relationship.
That's because InfoSec folks want -- indeed, by the very definition of their job, they need -- to keep access to resources as limited as possible. The smaller the number of entities that can access a system, the smaller the number of potential risks and the more manageable security becomes.
On the other end of the spectrum, the NetOps folks -- armed with their monitoring tools -- want to access everything. Nothing is outside of their purview because, typically, they are responsible for fixing whatever breaks. Knowing what's broken or, more critically, what is breaking, helps avoid extended down times and unhappy users. And in order to effectively monitor and manage systems, root/admin/superuser access is typically needed.
Clash between groups hurts bottom line
You can see, if you haven't already experienced this yourself, how this might generate some IT friction.
On top of that, the risks -- both to the careers of IT pros and the corporations they work in -- are not insignificant. In our talk, I outlined one specific customer's system that generates $167,000 in revenues per minute. Allowing that system to crash for even a standard service-level agreement could be disastrous. Obviously, security needs to take a back seat, right?
Not so, responded Castagnoli. Should that same system be breached, the financial penalties imposed by the government would eclipse any profit the customer hoped to see for weeks, if not months.
So, the stakes are high, the egos large, the history long and contentious. If we presume that neither side -- never mind the companies where this inter-departmental warfare takes place -- wants the situation to continue, what are the humble InfoSec and NetOps professionals to do?
First, there's empathy. As my colleague and fellow SolarWinds Head Geek Thomas LaRock has written, empathy is, "the No.1 thing I tell everyone they need to have if they aspire to have even a modest amount of success in whatever field they choose."
Understand that the person on the other side of this not-so-great debate is not evil, not bent on ruining your life (or even your day), not willfully blocking your career goals. He is trying to get a job -- his job -- done.
Second, there is the revelation that InfoSec and NetOps have an enormous amount to offer each other. There simply is no need for IT friction.
The dirty little secret revealed
You see, InfoSec has a secret: Security pros spend a lot of time trying to build up the walls around the infrastructure because that's the hack that looks like a hack. Once the breach is made, attackers move laterally inside the network in ways that look exactly like a user. Well, at least to the InfoSec folks. But often, those data flows are visible to the monitoring tools NetOps is using.
What does NetOps get out of the deal? Well, for starters, they get an easier time gaining access to the systems that need to be monitored. Not because of some quid-pro-quo arrangement, but because inviting InfoSec into the NetOps world necessarily builds understanding, support and, yes, empathy.
Going beyond that, what NetOps professionals get out of building bridges with InfoSec is a career path. InfoSec is one of the hot jobs on the market right now, but current analysis projects a serious shortage of qualified professionals. Where in the world will security teams find people who are both skilled at IT, which concerns the bottom three layers of the IOS model, and are passionate about their job?
Oh, right, that sounds a lot like NetOps people.
As psychologists have pointed out for decades, there's a thin line between love and hate. InfoSec and NetOps have tried the path of hate for a while. Maybe it's time for a change.
