The IT and security worlds that we once knew are now dramatically different, especially given the sudden shift to remote work. However, it's still important to consider the symbiotic relationship between the two, as they share a handful of notable similarities, as well as some differences.
As we've seen, remote work affects both IT and security in a multitude of ways that has forced nearly all organizations to define a new set of priorities and best practices that will serve them both immediately, as well as in the years to come.
Rise in similarities between IT and security teams
Although often thought of as two distinct entities, an organization's IT and security teams have more in common than one might think. There's been a fundamental shift away from the historical silos, as well as a new approach to what constitutes an IT or security priority. Traditionally, something like managing passwords and general device security was thought to be one of either the IT or security team's responsibilities, but now these have almost all moved into the average employee's job description. As a result, IT and security teams are now able to shift their focus from mundane tasks to proactive and challenging job duties.
With the rise in cloud and SaaS security provided by the likes of Amazon, Microsoft and the companies that have emerged to support these ecosystems, the two departments will further integrate. With technological advancements and products and services now able to automate management, IT and security teams are often smaller but more experienced. Therefore, both are transitioning to "generalists," ultimately helping understaffed teams deal with end users while building macro-level IT and security puzzles without constantly worrying about the micro-level issues. It's likely the two will become more similar, accelerating further convergence and increasing collaboration.
Nonetheless, IT and security teams still have a long way to go and still have some differences. This is especially true at large organizations that typically aren't as flexible as their smaller counterparts, such as large financial institutions with traditionally siloed departments and segregation of duties with little to no cross-collaboration. Sometimes, this setup is due to regulation-imposed rules, but often it's a case of "we've always done it that way."
When separated and working toward different goals, a constant game of tug-of-war exists between IT and security departments when asking for and receiving organizational resources. With that in mind, should an organization focus more on business goals and initiatives by helping the security team? Or should it provide more resources to the IT team, which is more closely aligned to the end user? The answer lies within the organization's priorities and business goals, but we're seeing some industries troubleshoot better than others.
A balancing act between IT and security
Security teams across the industry are severely understaffed as a result of the skills gap. Not to mention, we're witnessing many issues with security roles and responsibilities translating to the remote work environment.
SaaS can help mitigate some of these issues through automation, and large organizations are likely already working remotely in some capacity. However, small companies new to remote work are struggling. Instead of working toward securing new devices, home networks and VPNs, while also accurately communicating updates to the C-suite, understaffed security teams are preoccupied with new and constant attack vectors and often sign "blank checks" as a result.
Then again, some IT teams have become so reliant on physical security that they lack a proper remote work plan to begin with. Troubleshooting emails or login issues can be simple when addressing them face-to-face but trying to reach all the necessary parties remotely can be a time-consuming task and difficult to adequately address, even for an experienced IT professional.
Handling remote end users
One of the biggest aspects of the shift to remote work that an organization's IT and security teams often overlook is the mindset and the lack of technical knowledge of the end users. Reports show that end users are often the kryptonite to an organization's security, as they are often guilty of leaving devices unsecured, using easy-to-guess passwords or unknowingly clicking phishing links.
In addition to the lack of education or security reminders, employees are often afraid to admit that they either don't understand something or that they made a mistake. Therefore, IT and security teams need to remember to check in on the seemingly mundane, low-level security systems such as Wi-Fi connectivity, access management, multi-factor authentication or traditional firewalls. Though these can slip the mind of a security professional, they are basic security protocols that protect end users and organizations from significant attacks.
Short-term vs. long-term implications
With this massive recent shift to telework, the resulting short-term and long-term ramifications are profoundly different as they relate to IT and security. Due to the rapid changes to the workforce, both teams are currently flying blind and the implementation of proper security protocols can be deprioritized to maintain as much of a "business as usual" mindset as possible.
This hesitancy only exacerbates the already unaddressed issue of being a step behind, instead of allowing teams to be proactive in their defenses. Whether it's a hardware device issue or using a remote desktop to fix a software issue, already understaffed teams have to tackle age-old issues with new challenges. The current state of affairs is likely to have long-lasting effects on IT and security teams. But given the current rapidly changing nature of the societal, political and security climates, it's difficult to determine how far reaching these effects will be, and exactly how they will manifest.
Growing collaboration between IT and security teams
Organizations can install some best practices for their IT and security teams. The first is automation, as teams should enable software to handle tedious tasks and address baseline needs. Through this, small teams and organizations can scale while also allowing themselves to focus their time and resources on more complex problems and be prepared for issues that could arise at any moment. Automation also goes hand-in-hand with defining infrastructure as code, making it easy for any member of the team to see a complete history of a component and understand not only what choices were made, but when and why.
Another best practice, and perhaps the most important one, is more collaboration and convergence between IT and security. Despite the current global crisis and its impact on this industry so far, the evolution of technology and security is happening so quickly that it's hard for any individual or team to identify any foreseeable needs.
Remote work inherently makes it harder for organizations to clearly communicate among all their departments with different priorities, so there must be an increased emphasis on intra- and inter- team collaboration. If not, organizations and users will likely see many negative consequences of underdeveloped and lackadaisical IT and security.
Jonathan Meyers is the head of infrastructure at Cybrary. He is responsible for designing, maintaining and securing all corporate infrastructure including their security enablement platform supporting over 200 companies and 2.5 million users worldwide. He previously worked as a senior DevOps and senior operations engineer at Forcepoint (formally RedOwl Analytics) where he oversaw the operations and deployment of its hosted and on-premises UEBA e-surveillance product. Jonathan holds an information technology degree from The U.S. Military Academy at West Point.