How to boost collaboration between network and security teams

When Tim Callahan came to Aflac four years ago to take on the role of CISO, enterprise security at the insurance giant was embedded deep in the infrastructure team.

One of his first requests of the CIO: Let me extract security out into its own group. Callahan readily admits the culture shift was not easy but believes that the demarcation has actually led to better collaboration.

“Networking and security are distinct roles, and mixing them as a single group is dangerous,” he says. “In our highly regulated industry, we have to show separation of duty.”

Arguing for a walled-off security team is not easy for security leaders amid a shrinking talent pool of qualified security professionals. Analyst firm ESG found that from 2014 to 2018, the percentage of respondents to a global survey on the state of IT claiming a problematic shortage in cybersecurity skills at their organization more than doubled from 23% to 51%.

Callahan maintains, though, that you can restructure into two teams successfully as long as you clearly communicate the objectives of each team, along with the roles and responsibilities team members carry, and are willing to use innovation and automation to supplement human resources.

At Aflac, security owns the responsibility for monitoring the environment, informing the organization of attacks and vulnerabilities, and creating standards and protocols. “We determine the risk through a strong vulnerability management program and then lay out priorities for remediation for the network team to follow,” Callahan says. “Having clear lines fosters respect for each other’s profession and builds a healthier environment overall.”

The Aflac security team uses a Responsibility Assignment Matrix, charting which participants are responsible and/or accountable, need to be coordinated with, and/or need to be informed at different stages of a project life cycle. This only works, though, if security is seen as an essential part of every IT endeavor, not an afterthought, according to Callahan.

“We’re brought in early in the networking team’s development cycle to make sure the code created is truly secure,” he says. “We aren’t finding out just ahead of production so that we’re left to decide if we let it go as ‘insecure’ or get accused of stopping progress.”

Why to keep security distinct from networking

Chris Calvert, co-founder of Respond Software, an automation tool that uses artificial intelligence to simulate the reactions of a security analyst, says it’s important that security doesn’t get lost in the IT shuffle.

“Some of the security operations centers I built put security in with IT, and security would wind up getting kicked out,” says Calvert, who has spent nearly two decades building security operations centers for large enterprises, including IBM, Shell Oil, Sony, and Walmart. He’s found security teams are generally loud and can get animated in their whiteboard discussions about stopping bad guys. Conversely, network operations centers are quieter and are focused on the green and red lights on the screen.

If companies decide to separate out the security team, they must also consider the reporting structure of leadership, according to Johna Till Johnson, CEO and Founder of Nemertes Research. Based on Nemertes’ research into 625 successful organizations, the companies with the most successful security operational metrics are those in which the CISO reports to the CEO, CFO, or the chief legal executive, but not the CIO. “The CISO’s job is to accurately translate technical risk into legal risk,” Johnson says. This can get muddied when “the CIO is mandated to build the technology, and the CISO is mandated to decide if it’s worth the risk.”

That’s Callahan’s philosophy, as well. He is direct-lined to the general counsel, who reports to the CEO. “That is a very important structure,” he says. “[The CIO and I] are partners coming out of the chute, not in a subordinate relationship.”

“Co-location might not work, but communication does,” Calvert says. “IT directors and security leads must model the close relationship they want from their teams because if they don’t get along, their teams won’t get along,” he says.

Having security carved out as its own niche apart from IT also enables Callahan to more forcefully argue his own budget, which has led to a well-funded transformation and refresh of technology. 

Why to integrate networking and security teams

Ed Rodden, CIO at global food manufacturer SugarCreek, says technology such as software-defined networking is blurring the edges of security and networking so much that companies would be ill-served by separating teams.

A team of 20 people handles all the infrastructure needs – network, storage, and security – of the fast-growing $800 million family-owned company. Rodden credits virtualization, including VMware’s NSX SDN platform in the data center, which has network and security controls in the same software, for fostering a unified environment. Trying to manage such technology with disparate teams would be a nightmare, he says.

The raucous whiteboarding that Calvert describes does happen at SugarCreek, but it’s among the top four IT leaders. “On a periodic basis, we lock ourselves in a room and methodically make our way through all the egress points in the network, doing a complete review at a very detailed level of our security posture,” Rodden says. “This forces us to come to a consensus on security and networking.”

The pace the owner likes to move also plays a role in Rodden’s decision to keep things tight. “We’ll get an email that the company has acquired a building to house operations, and we have to get wireless and infrastructure up in two months, leaving no time for the bureaucracy that comes with people with discrete responsibilities,” he says.

“When security team members are so down the rabbit hole in their niche, they won’t understand how things are built, and, therefore, how to better secure them,” says Jacob Lehmann, managing director of Friedman CyZen, a cybersecurity consulting service.

He adds that as organizations make their way further into the cloud, they are going to need networking and security to be well integrated to set clear policies and enforce them.

“Going to the cloud doesn’t remediate risk; in many cases it can increase risks,” Lehmann says, adding teams need to be able to quantify that risk before making a decision. “The better everyone understands the risk, the better they can prioritize.”

Bridging the networking-security divide

Organizations that split their networking and security teams can still keep them close through education and training.

“Security can host boot camps on secure coding, lunches on the basic fundamentals of security, and more,” Johnson says, giving security teams a chance to impart their specialized knowledge. In addition, when the two teams need help, they will already be familiar with one another.

Calvert says security could learn from networking teams, as well, including principles such as ITIL: “There’s value in security learning networking’s language.”