It should be clear by now that if someone is pitching you This One Weird Trick as the solution to all your security and compliance woes, they are probably trying to pull a fast one. Actually achieving the goal of a secure and compliant IT environment requires the trinity of people, process, and technology. Technology alone cannot solve the problem without the right people talking to each other and using the correct processes to communicate.
There is one particular area where the process and the communication between different groups of people breaks down: the SecOps gap.
This is the gap that develops between a Security group, which audits systems and requires rapid change to remediate vulnerabilities or compliance issues, and an Operations group, whose primary focus is performance and availability of those systems, and who try to minimise the inherent risk of change with rigorous change management processes.
The consequences of this gap can be disastrous. It takes far too long to remediate identified vulnerabilities, leaving companies open to exploitation and public embarrassment – not to mention direct financial and even legal consequences.
We saw a very real example of this mechanism in action with Community Health Systems, who were hacked last August. The big problem is that the vulnerability that was exploited in that hack was Heartbleed, one of the highest profile security vulnerabilities ever, thanks in no small part to its catchy name and memorable logo. Heartbleed was disclosed on the 1st of April, and the patch was available only a few days later – so how come CHS was hacked in August?
The thing is, nobody at CHS was negligent (as far as we know). It’s just the complexity of modern IT systems that is the enemy of processes developed in an earlier age. New processes are required to close the SecOps gap and ensure that what happened to CHS does not happen to other companies. These processes can be automated to a large extent, integrating good existing tools on both sides of the gap so that issues do not get lost in between.
I will be talking about this very subject with Forrester analyst Renee Murphy on a free webinar this coming Tuesday. Register here to attend, or review the recording later if you are unable to attend live. You can also find the latest information on BMC’s Intelligent Compliance recommendations at bmc.com/compliance.