Bridging Gaps — How To Build A Better Bond Between IT And Cybersecurity
Use these tips to create a collaborative environment in your company
Cybersecurity can be quite a confrontational area to work in, with regular conflicts happening between the Cybersecurity and Technology teams.
Sadly, this is quite common as we are often seen as the gatekeepers and final approvers before something moves into production and goes live.
This can lead to friction with the technology teams, where cybersecurity is perceived as a blocker that is out of touch with practical reality.
Not to mention the numerous times that Cybersecurity has to inform technology teams of the issues and security weaknesses that may be present and get them to fix them.
In one company I worked for many years ago, the launch of a major app was about to happen, with IT working round the clock to make it a perfect launch.
Suddenly, Cybersecurity stepped in and stopped the deployment, citing security issues due to a major weakness they discovered.
This led to a major argument with the frustrated IT team already at breaking point and under immense pressure, seeing Cybersecurity bringing an issue in at the 11th hour.
The Cybersecurity team also could not back down, seeing that this issue could put the company at risk if the app went live like this.
While the independent nature of cybersecurity puts us in this role, there are more collaborative ways of working with the IT teams.
All of it comes down to how Cybersecurity works with IT and how issues and problems are communicated.
Just re-phrasing certain sentences can lead to a more collaborative way of working and a great improvement in how IT and Cybersecurity perceive each other.
Let us take a look at how we can achieve this.
Improving How Cybersecurity and IT communicate.
1 — Stopping something from moving into production
All of us have seen this scenario a thousand times.
IT wants to move something into production ASAP, but there are security issues that need to be fixed.
All of this leads to escalations and finger-pointing at the last minute.
But there are better ways to go about it.
Instead of saying, “IT cannot do this,” change it to “We CAN do this with these controls and safeguards in place.”
In the first sentence, you pass the buck to IT and tell them they are on their own and must fix the issue.
In the second one, you say we are partners and will work together to fix this.
This alone will help IT see Cybersecurity as someone who is in the trenches with them in this issue and helping them out.
2 — Communicating Security Findings
Another common scenario is when security findings are discovered.
The Security team runs a scan, and the result comes back with several critical/high findings that need to be fixed immediately.
The application team comes back and says they are busy and will get to it when they have the time.
Cybersecurity teams point out they HAVE to fix them within X amount of days as per the service level agreements (SLAs) between them.
Back-and-forth emails start flying, with blame being assigned and senior management getting involved.
Let us take another look at this.
Instead of stating, “Application has these findings!” change it to “We need to work together to solve these issues to meet our SLA.”
Again, how we communicate this makes IT realize that the cybersecurity team is with them on this issue, and together, we can find a solution.
Improving How Cybersecurity and IT collaborate
After communication comes collaboration. It is critical to build actionable ways in which IT and Cybersecurity can work together.
We all know that cybersecurity should be involved in projects right from the start, but there are other steps that can also be taken.
Here are a few tips:
1. Joint Training Sessions
Set up training sessions where IT and Cybersecurity can collaborate and learn from each other on secure coding, threat modeling, and security assessments.
This goes a long way in breaking down barriers and removing the perception of cybersecurity as the “other department.”
2. Shared Metrics
Sharing metrics between IT and Cybersecurity is a great way of aligning both teams toward a common goal.
For example, make both IT and Cybersecurity accountable for a 30% reduction in security findings or a 20% increase in closed security tickets.
By making both teams responsible and giving joint ownership, the teams have to work together and share resources, creating a culture of shared security.
3. Exchange programs with IT
Create a program in which Cybersecurity staff are rotated and work in IT and vice versa.
I initiated a similar “security champions” program in a company many years back, where select IT members worked in cybersecurity for a few months.
This is a great way for IT teams to see how cybersecurity works and vice versa.
When they go back, these IT persons also become the “go-to” guys for cybersecurity issues within their teams.
Given their knowledge, you will also get some great insights from the IT team.
These are just a few examples of how IT and cybersecurity teams can build strong bonds and create a culture of cooperation.
Apply these tips, and I guarantee you will see transformative changes and reduced team friction.
Remember that Cybersecurity is not just about putting in technical solutions but also creating a strong culture of respect and collaboration between teams!




Fantastic article! You've highlighted a crucial issue in many organizations and provided practical solutions for improving collaboration between IT and Cybersecurity teams. Communication and collaboration are key, and your tips on joint training sessions, shared metrics, and exchange programs are spot on. Building a culture of respect and cooperation is essential for a strong cybersecurity posture. Thanks for sharing these valuable insights! 👏💻🔒