Effective Security and Compliance Require More than a Tool

It should be clear by now that if someone is pitching you This One Weird Trick as the solution to all your security and compliance woes, they are probably trying to pull a fast one. Actually achieving the goal of a secure and compliant IT environment requires the trinity of people, process, and technology. Technology alone cannot solve the problem, without the right people talking to each other and using the correct processes to communicate.

This one tool can solve all your problems! Er - probably not.

There is one particular area where the process and the communication between different groups of people breaks down: the SecOps gap.

This is the gap that develops between a Security group, which audits systems and requires rapid change to remediate vulnerabilities or compliance issues, and an Operations group, whose primary focus is performance and availability of those systems, and who try to minimise the inherent risk of change with rigorous change management processes.

The consequences of this gap can be disastrous. It takes far too long to remediate identified vulnerabilities, leaving companies open to exploitation and public embarrassment – not to mention direct financial and even legal consequences.

The SecOps gap

We saw a very real example of this mechanism in action with Community Health Systems, who were hacked last August. The big problem is that the vulnerability that was exploited in that hack was Heartbleed, one of the highest profile security vulnerabilities ever, thanks in no small part to its catchy name and memorable logo. Heartbleed was disclosed on the 1st of April, and the patch was available only a few days later – so how come CHS was hacked in August?

Heartbleed

The thing is, nobody at CHS was negligent (as far as we know). It’s just the complexity of modern IT systems that is the enemy of processes developed in an earlier age. New processes are required to close the SecOps gap and ensure that what happened to CHS does not happen to other companies. These processes can be automated to a large extent, integrating good existing tools on both sides of the gap so that issues do not get lost in between.

I will be talking about this very subject with Forrester analyst Renee Murphy on a free webinar this coming Tuesday. Register here to attend, or review the recording later if you are unable to attend live. You can also find the latest information on BMC’s Intelligent Compliance recommendations at bmc.com/compliance.

These postings are my own and do not necessarily represent BMC's position, strategies, or opinion.

Dominic Wellington

Dominic Wellington is BMC's Cloud Marketing Manager for Europe, the Middle East and Africa. He has worked on the largest cloud projects in EMEA, and now he calls on that experience to support new cloud initiatives across the region. Previously Dominic supported BMC's automation sales with direct assistance and enablement throughout EMEA. Dominic joined BMC Software with the acquisition of BladeLogic, where he started up Southern Europe pre-sales operations. Before BladeLogic, he worked in pre-sales and system administration for Mercury and HP. Dominic has studied and worked between Italy, England and Germany.