The 2015 Network Instruments State of the Network Study found 85% of network teams regularly engage in security investigations today, with nearly one-fourth of those teams working on security tasks from 10 to 20 hours each week.
These findings speak volumes about what's happening in both IT and enterprise security -- and highlight some areas of risk that enterprises need to focus more effort on.
Something I've noticed in my work is that IT (generally speaking) is being consumed by security responsibilities. What once were specialized skills around design, implementation, administration and so forth to keep the shop running have evolved to include a much more targeted focus on security and keeping the shop resilient.
I hear stories from clients and colleagues all the time about how their IT committee meetings are consumed by discussions around security, compliance and audit. Ditto for budgets -- security is front and center regardless of the context. I believe we're seeing this happen because networks have become more self-reliant, high-performing and stable in recent years. Plus, there's a growing dependence on outsourcing larger projects as well as cloud-based services that are relatively hands-off -- at least compared to the networks of the 1990s and 2000s.
One finding from the State of the Network Study that really stood out was the top three methods for identifying security issues:
- Simple Network Management Protocol
- Tracking performance anomalies
This says a lot about how enterprises are struggling to keep up with security threats and vulnerabilities. Manually perusing such data, trying to correlate everything and making sense of it all in terms of security issues on any but the smallest of networks would be a challenge; that's likely why many enterprises are still getting hit with issues and breaches today -- their network and security staff members are drinking from a fire hose and are expected to perform challenging feats, often with improper tools and little to no training.
The Network Instruments study also found two-thirds of respondents are implementing security measures during attacks. This indicates teams are struggling to keep up with security in terms of proactively applying patches and fixing the most basic of security issues. In fact, many security exploits carried out on any given network at any given time can be traced back to security controls that should have already been in place by either the network or security team. Research from Verizon, Trustwave, Cisco and others backs this up.
The State of the Network study goes on to reveal more than half of respondents investigate security breaches after they actually occur. This helps correlate the challenges in the often tenuous yet overlapping relationship between network and security teams: Not every security professional knows network protocols and network administration functions like the network team does. Just like a business leverages the security team to ensure threats and vulnerabilities are kept in check, the security team has to leverage the network team when more detailed network information is needed. It's often the network team that is showing the specific details of anomalies and attacks to the security teams and is providing specific recommendations on how to solve the security problems that do arise. On the other hand, many network professionals -- along the same lines as developers and database administrators -- will tell you that security and information risk management is not their forte.
It's easy to surmise that there's a fundamental training gap among many IT professionals, but is there? It can be argued that, generally speaking, enterprise security is everyone's deal. That said, the responsibilities for managing information risks on and around the network ultimately live with the enterprise security team -- and, more specifically, the management that oversees it all.
IT is evolving into having a core dependence on security; it's one of the cornerstones of the industry, regardless of the specific IT job role. Pulling everyone -- and everything -- together into a successful enterprise team requires leadership. Not just leadership that can talk its way through network and security tasks, but leadership that is technical with an understanding of the fundamental challenges facing the network and security functions.
How can organizations gain this leadership? It starts with putting the right people in the right roles in IT and security. More and more, we're seeing people with completely disconnected backgrounds with no technical experience taking on leadership positions in IT and security -- this is hurting more than it's helping most enterprises. In order to get the right people on board, management must "get" IT and security. Therein lies much of the gap. The other element holding businesses back is the sheer lack of leaders who are both technical and can properly communicate the value of IT and security to their executive peers. There's not really a quick fix to this dilemma; long term, however, those in IT and security who want to write their own tickets will focus just as much on enhancing their soft skills as they do their technical skills.
Ensuring overall business risks are minimized is also going to require ongoing training on the part of network and security professionals. In many cases, IT professionals either don't have (or make) the time to get the training, or they don't believe there's anything new to learn. That's a slippery slope that facilitates security breaches. IT professionals should seek out conferences -- such as the RSA Conference -- as well as seminars and webcasts -- such as those put on by TechTarget and others -- in addition to taking advantage of all the amazing resources available on YouTube and other social media outlets.
The convergence of network operations and enterprise security into a combined enterprise team no doubt affects most people reading this in one way or another. It will certainly affect certain groups and businesses on a much greater scale because not all businesses -- especially small and midmarket enterprises -- have dedicated network and security teams. These organizations are lucky to have a handful of people who are not necessarily experts in networks or security, yet they're responsible for keeping everything running and secure.
Enterprises faced with the challenges of two teams (network and security) needing to gel, or IT generalists doing the best they can, would be well-served to seek out these issues and do something about them before things become even more complex -- and the odds of a breach are even greater.
Training, security tools -- such as security information and event management and vulnerability management systems (or even outsourcing these functions if needed) -- and top-notch IT and security oversight can bring things together as a cohesive enterprise team that can handle the growing number of security tasks. If any of these elements are missing or weak, uphill battles are virtually guaranteed.
About the author:
Kevin Beaver is an information security consultant, writer, professional speaker and expert witness with Atlanta-based Principle Logic LLC. With over 26 years of experience in the industry, Kevin specializes in performing independent security vulnerability assessments and penetration tests of network systems, as well as Web and mobile applications. He has authored/co-authored 12 books on information security including the best-selling Hacking For Dummies and The Practical Guide to HIPAA Privacy and Security Compliance. In addition, he's the creator of the Security On Wheels information security audio books and blog providing security learning for IT professionals on the go. You can reach Kevin through his website and follow him on Twitter at @kevinbeaver.