Finding Zen – How IT Ops and IT Security Can Work Together
Um. Hi i'm tim brown, vice president of security, for solarwinds. So i've been doing security, for a long time, probably about 20, 25, years almost. And you know we've seen a lot of changes, i've had opportunities. To do many different things in my career. You know i've worked with and met with you know probably a thousand, csos, and i t teams around the globe. I've worked with governments. I've worked with you know institutions. Large and small. You know i've designed, security, systems, i've built products, i've done a lot of different things give me a lot of different, background. On, you know where security, is where security, is going. I've also really been a thought leader i've have you know 18, patents and security, related, topics. I've invented, a lot of things i've done a lot of thinking about where we should go and what we should do. Prior to joining solarwinds, i was with dell i was one of seven dell fellows. You know i purposely, took my position, at solarwind. So that i could run an iq operations. Team, also run a strategy, team, also, help everybody kind of move forward, in security, so that's what we're always looking at. You know right now, if you look at where we are. We're going to talk about one of the biggest, problems. That we we face today and that is how we can get our teams to work together. I.t, and security. Often are at odds, when we look at devops, and security, at odds. And how can we even out that, how can we even out those problems, and make things better. Um. So, yeah first off you know what's been going on in the security, landscape, is super interesting. And when we look at that, you know we've got a lot of challenges. Any time we have, change. Anytime, we have change in an organization. Changing, a structure. You know we have everybody working from home now we have whole different, business models going, we have companies, that are going through major, changes, on how they, you know implement, how they have people, where people are working.
What Operations. They have. And, with those changes, become more risk. And. Each company needs to look at what that risk has affected. And where that risk is going. Our adversaries, are also, taking a big advantage, of that risk, you know we see huge, increases, in fishing we see huge, increases. In attacks, we see. Big. Important. Things going on in the outside, world that affect the security. Of our companies. Because, essentially, the adversaries, are looking to pick up botnets, looking to, you know increase, their reach, they're looking, to really, kind of increase, their focus, to affect, change, and when you look at the risk. Landscape. You have to consider, the second half of 2020. Is really going to be an increased, risk level. So what do you do on an increased risk level, you know you get the basics, right you start with the basics, you move forward. You make sure that you have, controls, you make sure that you have tightened, down wherever you can tighten down. Make sure your access, controls, are in place, you make sure that your teams are working well together. Now, as we come out of covid, and out of our current, environment. You're going to see some companies, survive. You're going to see some companies, thrive, you're going to see some companies. End up, going out of business. And, those that thrive, those that survive, those that really take advantage, of new opportunities. Are those, that are going to embrace new business models. Those that are going to embrace. New ideas, of how to do business. And, part of that is you know the last digital revolutions. That we've, had. Have taken years. We're looking through an evolution, now that's taking, months. And, if you look at the companies that are doing well right now, those are companies that have embraced, remote models, those are, people that have, you know embraced, take out food those who have embraced, telemedicine. Those that have embraced. Remote, working. Those teams, and those companies, are, thriving, right now, so we need to make sure that we are not a barrier. So that means both, the i.t, people, that means the security, people. We need to move fast. In order to move fast we need to make sure we come together. We need to make sure that we are not our, you know own enemy, in this we need to make sure that we are efficient. As possible. So is the conflict, real, right is there really a conflict. Between i.t and security. You know and as i said i've talked to you know hundreds, thousands, of different it departments, in my career, and i wish i could tell you that no the conflict's, all fake, right that doesn't exist.
But, There's always some level of conflict, there's never. No conflict, whatsoever. You know i've had csos. Tell me that the first thing they do is start with no. Right that's the first thing they always, start with they say yep if the business, if i ever say yes to the business. Then we just start from the wrong, wrong place that we just don't go forward. You know i've had, others. Um. Tell me that you know other it, leaders tell me well yeah we just, try to ignore security, we ignore it we wait till the last minute we bring them in before they have any time to change anything. So we try to make them less disruptive. As possible. So we just don't involve them at all, you know both of those things are so completely. Wrong. Right they disrupt, business, they make us so that we're insecure. They make us so that we can't get our work done, they make it so that there's an adversarial. Model, between, the two groups. And every time you had adversarial. Models, you have chaos, and that chaos, causes, trouble that chaos, causes inefficiencies. That chaos, makes, things so that, you aren't efficient. And just as i said before, we in the next couple years the next six months the next year, we need to be as efficient. And as secure, as possible. Security, will still be a huge concern. Efficiency. In our, kind of next wave of evolution, is going to even be more critical. So, how do we. Dissolve, some of these conflicts, how do we make them better. Right and we're going to talk about kind of four ways that we can to solve, this call. Dissolve, some of the conflict. The first, goals and priorities, how do we set goals and priorities. Appropriate, how do we make sure that we're talking about them in the right way. Tools, technologies. And terminology. Each of those, if they're not equal if they're not working together, if you're not communicating. Well together, you're going to have problems. Processes, and policies. And finally one of the biggest one is people, we're really going to address, where the people come into the mix. So you know one of the first things we want to talk about is goals and priorities. You know the goals and priorities, are often, different, between, the security, team and other teams, right, so, when you look at our goals. For, security. Is really you know our overall goal is to make everything 100. Secure. Right but in reality we never get there right the only secure machine, is a machine, you, you know unplug, and drop drop at the bottom of the ocean, then you have true 100. Security. But that's not what we can really, do, right so, you know the goals, for it. Is to get things done, is to really move forward the goals for devops, same idea get things done move things forward. But, securities. Goals, are to, sometimes. You know make things, secure. As we are going along. And that's really what we have to think about so we have. Different. Primary. Goals. And that's okay. Right when you think about how teams work, they should have different primary, goals. And those goals, can, are not necessarily. Conflicting. They're just different primary, goals. So, as teams work together, yeah think about your security, as an extension, to your team. With a primary, goal, of making, things secure. Now, are they being practical, doing it that's the big question, and that's what we have to focus, on, is, hey let's make it practical, let's make it actionable, let's make it so, security, is embedded, into the system, as early as possible. So that it doesn't, affect our efficiency, it doesn't affect, our, you know overall, program. But we get security. In first we get moving, forward. We actually make a big difference, so that we don't get things that are unsecure. Out of the back end, so whether that's a it, program, whether that's an engineering, and a product. Whether that's a. Operations. Program. Think about security, as you go in and think about security, as a component. To it the goals, are different, uh goals are different per team but that's okay. Just embrace, that difference. And really understand. That you know although the goals are different our goals are the same in many ways our goals are the same to be able to make sure the company, is secure, that to make sure the company makes money to make sure that we are achieving. Our goals in an effective, time. So, one of the ways that we can really. Do that. Is to combine, our tools, our technology. Our terminology. So that everybody, understands. What is most, important. If everybody, understands. Those, things. From a technology. And tools perspective. We become efficient. So for example how do you communicate. Right when you think about how you communicate, in your team, you know if if the engineering, team is using slack then guess what security, team better be on slack, they're using teams better beyond teams if they use an email you better be on email.
But Decide. On, platforms. Defined, on platforms, to communicate, with. Embrace, those platforms, and embrace them for the entire, team. Don't have one team off on an island doing something different. Make, each of the teams kind of work together. On things. You know one of the big things we have that's sometimes, different is we use different terms. You know some things that we just think are simple, and easy you know i threw out a term, a while back i just said oh yeah, yeah, we're running our dlp, program. Right. And. I, you know just happened to ask in the room of engineers, who knows what dlp, is. And. Looked around and it was like well nobody. Right data leakage protection. So understand. That people don't necessarily, have the same background. Understand. That that background. Can create, conflict, can create. You know information. Flow that doesn't, happen, can create. You know basically, barriers. To efficiency. You know so watch the terminology. That you're utilizing. And make sure the people in the room understand. It you know watch your acronyms, you know one of the guys on my team, from x military, he uses acronyms, for everything. You know he's i think he's got a three-letter, acronym, you know for you name it it's there. And i have to say. Hey what does this mean right what does this mean, so it happens in every group it happens in every team. But the better, terminology. You have the better consistency, you have the better that you end up communicating. And working together. Other technology, that came comes into place is how you track things how you understand, things how you prioritize. Things, the more standards. That you can use the better, you know today for issues, for security, things we track. We retract via jira we score everything with a cvss. Score which is a common, standard, way of scoring. Things, so the more standards, you can use, the less, knowledge, transfers. You need to do, so. Tools, technology. Terminology. Extremely. Important when you build a team between. You know security, and i.t. Get those right it'll absolutely. Help you, build a cohesive. Team. Next one. Policies. Processes. And programs. You know. As an engineer. Yeah programs, do not come to mind for me, naturally. Right i don't track programs. Very well i have to learn to track programs. But i absolutely. Absolutely, 100. Percent, appreciate. Programs. Tracking, programs. What they accomplish, what they do. And. I, you know i tell my program manager. Boy i love what you do it's what i hate to do. Right, i really do, uh and she is wonderful, she tracks things she keeps singing on on track she moves us forward she makes for sure, that, the ideas.
That We have, don't just stop with ideas, but they follow up with, actions. So, ideas, are fine but they need action. Action, takes programs. Actions, takes policy, actions. Takes, procedures. To be followed. The more consistent. You are with tracking, those programs. The more open you are with tackling those programs. The more visible, those programs. Are, the more efficient. Things, happen. Then you think about standards. Okay well every program we should have has a security, section. Every standard, security, section has a risk assessment. They have, a final security. Review, at the end of the program. So build up your standards. Around, how you want to run program. And make them consistent. Once those consistent. You're going to put your teams together, those teams will start working more closely. They'll start developing, relationships. They'll figure out that hey security, is not that so far off from it, or not so far off from engineering, not so far off from devops. That team, is what will make you efficient. That team as we said before, is critical, to our success, is critical for us moving, fast. And making things secure. So think about from the program, perspective. Be consistent. Be, you know be active, in how you're going to do things. People. The last topic here. You have to realize, that people, are different. And, you know people that get into the security, field. Really do have a reason to get in the security, field. Um you know some things that i look for for people in security. Are you a lifetime, learner. Are you always willing to take a challenge. Are you always willing, to. Look at what is happening. Do you, do you love to investigate. Do you love to try to stay ahead of an, adversary. Do you love, to kind of fight with an adversary, and see where you can go, do you think like an adversary. Do you think, go into a room and say hey. How could i break into this room do you walk through a door and say wow that's insecure, i could get through that do you walk into a system do you run an application. And say hey, this is where it's facing, risk. So it's a different mentality. From a security. Perspective. Than from. Other, disciplines. It just, is. You know i have you know friends that say that yeah i always sit on the subway car that has, you know the exit, window, built into the, car. I always sit with my back face to the wall in case a fire occurs so i can get out fast. I always, look when i come into, an environment. How i could break into this point-of-sale. Terminal. We think differently. Right. Now, is that wrong. No it's just, different. Right, and some of my best development, buddies, right what they're doing is thinking hey, how can i develop this securely, how can i develop this efficiently, how can i get it out fast, how can i make it efficient, how can i use the least cycles, how can i make it the best program, it can to meet the needs. Right how can i do this from an i.t perspective. Too, right, efficiency. Becomes. More important, than security. Performance. Becomes, more important, cost, becomes more important. So just recognize. People, are looking, at things from a different, lens, and a different, perspective. Neither perspective. Is wrong. But what you need to do is understand, that their perspectives. Are different. Embrace, those perspectives. And you know not discount, them, right, realize that your security, guy's brain is somewhere, and your i.t guy's brain is somewhere, else, and when you come together. Recognize, the fact that those brains, are different, and their motivations. Are different. If you start at that, realization. Then you can start, again, building up that efficient, team. And really make progress. Towards, the efficient. Well, well, executing. And, secure. Result that you guys are looking for, so think about that. And really make sure you understand. So. Goals and priorities. Tools, technology. Terminology. Process, people. All play, play a role. So let's look at a few more things. That you can do to really help the team's, efficiency. And helping the teams work together. First off think about security. As early in a cycle, as you can. You know involve, the security, team involve, your security, folks. Um, don't hide from them, very often what we see is programs, occur. And. You know you put security, at the end so they don't, have time, to make a make an effect or don't have time to cause you trouble.
You Know please be inclusive. On those, you know because, again. We can't have, solutions. We can't have programs, we can't have, anything, launched, that's not secure. As i said in the beginning. Our security, landscape, continues, to shift, our risk continues, to shift, so it is critical. That we have, you know secure, solutions. That's number one. Number two. Stop talking about security, and start talking about risk. Now, it is, you know sounds like a simple concept, but when i have some whenever i talk about security, somebody says hey am i secure, and i always say nope i just walked in the room you can't be secure anymore. Right it's talking about risk, right. What does that mean that means we accept the fact that we are going to accept some risk, so risk can be business, risk risk could be operational, risk risk can be program, risk, but all of those risks come into play. So measure, risk. And quantify, risk. And always, talk about risk. Not. Am i secure, or not. So, risk another, second one. You know if processes, are inefficient. You know please speak up you know as i said we're going through an evolution. That evolution. Is, going to be, difficult. That evolution, is going to take new ideas, that evolution. Is not going to be, you know simple. Right we've got to transform. A majority. Of our businesses. In the next, six, nine twelve months, we need to reimagine. What they look like, and those companies, that do that reimagination. Those companies, that change, their way of doing business. Will be those companies that thrive. So in order to do that we need ideas from everyone, we really do, we need people to speak up we need them to say hey this is inefficient. Here's how it can be. Fixed. So if you're a manager, of people, encourage, your people to speak up, if you're individual. Speak up when you see something that's inefficient. That could change or something that's insecure. Don't be afraid, to speak up and tell people that hey we've got some problems, here and we can be better. Right because our goals are the same our goals are to make the best things that we can and a team that is efficient, and working well. Next one is understand the business. Right, and, it's so important that when you look at risk, it's business risk when you communicate. Risk, it's business, risk when you think about. How you're going to. Be effective, and efficient, between, security, and other organizations. It has to be focused, on the business. So, understand, the business, learn the business, learn how your products how your solutions, how your programs. Affect, the business. But everything, needs to go back to the business. Whether it's just a technical, routine, somewhere, in the operation. Still goes back to how does this fit in the business. So understand, the business, take that into account, the more understanding, of the business you have, the more. Impact, that you can have in the overall, company and the overall, program. You know finally. These new opportunities. Are going to require, a lot of thought. And, thinking, is not necessarily, one of those things that we have been focused, on, you know somebody once said hey, you know what happens, if i, you know my boss comes in i have my feet up on my desk and he says what are you doing, i'm thinking. Well how would that go. Right, well why aren't you doing something why are you just thinking. Right somebody told me a story, of um, they, took over a team at ibm. And they said, yep they were walking through the office and this guy just sat there, for five days straight had his feet up on his desk and he was just kind of sitting there, he's just kind of sitting there, and so he said so, what's up with this guy. Well, you know last time he got his nobel, prize, he sat there for six months with his feet up on the desk. So they said okay we'll let him put his feet up on the desk and keep thinking. But in general, thinking, is not as rated, as what it should be, we need people to be thinking, we need people to be addressing, what they're doing. Very often we rush to action, before, we fully, think.
So Thinking is an important, component. For how we, embrace, this new normal it's an important component. Of, how we embrace, teams working together. So, don't, be afraid to spend some time thinking, and not just doing, and that's both from the security, folks, and the it, folks. I think if we take all these lessons, i think we will really, have, an opportunity, to work better together. To be efficient. And to really move forward. As a, unified, teams. So thank you for all your time. I really appreciate, it and, have a great. Day.