Convergence of security and network management has pros and cons

Over time, the pendulum between centralization and decentralization of operational tasks has swung back and forth.

In the mid-1990s, the pendulum for security operations swung toward decentralization. It became a specialized and complicated job to manage firewalls, not to mention the 15-20 other types of products that have come to encompass the security ecosystem. At that time, there was basically no way to gain economies of scale by centralizing management, and increasing efficiency while cutting cost is really the only reason to centralize anything.

So what we've seen over the past 10 years has been the gradual centralization of security functions, driven largely by the need to be accountable from an auditing/compliance standpoint. It became too hard to enforce corporate policies and centralize reporting with operations spread far and wide across the globe. This was another reason why the pendulum swung toward pulling everything into a central security group.

But once again this is increasingly changing; a number of organizations are moving security operations into other operating groups, like networking, data center or applications. We as an industry need to figure out if this is a good thing or not. Let's examine the pros and cons.

Pros:

  • Security is intrinsic to all operations – I don't think anyone would argue that security needs to be a consideration at all layers of the technology stack. If security specialists are isolated, the concepts of security tend to be an afterthought or something the networking folks just need to "tolerate." If everyone is on the same team, it facilitates collaboration and ensures objectives are aligned.
  • Vendor consolidation is driving leverage – On the technical side, there is clearly a trend in which large technology vendors are adding security capabilities to their offerings. Cisco Systems Inc., IBM, Oracle Corp., Microsoft, etc., all are integrating security into their existing product lines. For example, Cisco considers security a key part of its advanced technology business strategy and IBM acquired security vendor ISS to provide more security knowledge and products. This means there will be leverage in managing network security within the network group, since over time the toolsets will converge.
  • Consolidation allows separation of operational duties and program control – In many organizations, the top security officer reports to a non-technology person (CFO, CEO, etc.). This is to ensure the security function is totally objective and independent.

Cons:

  • Influence can be a challenge – If security operations reside within the technical operations groups, the job of the CSO becomes one entirely of influence, since this person controls minimal resources. I don't see this as a huge liability, but it is a different job; it requires different tactics to manage by influence rather than by empire building.
  • Reporting can be harder – If network, data center and application security are elsewhere, it's harder to gather all that data and get a consistent, integrated view of what is going on throughout the organization.
  • Responding to an incident is more complicated – Incident response can also be problematic when security specialists are spread throughout the organization. And when responding to an incident, speed and decisiveness are critical. In this scenario, the CSO needs to have a well-defined and practiced containment program to ensure the organization can marshal the resources needed to contain a problem when the time comes.

One thing to be clear about is that regardless of where security operations occur and report, security program management must be separate. A company's overall security strategy and the associated program must be managed by a chief security officer. Regardless of whether the CSO reports to the CIO or elsewhere, the buck for security must stop at the CSO's desk. It's as simple as that.

Why? Ultimately, someone must be singularly accountable for the implementation and success of the security program. That someone must be without preconceived notions or biases relating to their areas of expertise. An unbiased security professional can think in broader terms than someone just focused on operating the networks, applications or data center.

What's right for you?
I wish there were a simple answer, but your decision must be based on what is best for your organization and what will work best in your corporate culture. In some cultures, power equals people, and with no people, a CSO will be left twisting in the wind. Other cultures value collaboration and teamwork, and the best move for the CSO would be to move security specialists into the operational teams.

Regardless of which direction you go in today, it will likely move back the other way tomorrow. That just seems to be the natural order of things in the security business. There's a constant need to get better in security, and since internal business processes play a large role in any change, groups and roles will periodically shift as decision makers believe the grass is greener on the other side.

About the author
Mike Rothman is president and principal analyst with Security Incite, an Alpharetta, Ga.-based industry analyst firm specializing in the information security market. After starting his career as a programmer and networking consultant, he joined Meta Group in 1993 and spearheaded the organization's foray into information security. Rothman later founded SHYM Technology, a PKI software firm, and later served as an executive with both CipherTrust and TruSecure. He often serves as a consultant on security management issues, and is a regular speaker at industry conferences. Rothman is also the author of The Pragmatic CSO: 12 Steps to Being A Security Master.

This was first published in January 2008