Until recently, network and security teams could go about their business completely effectively with little requirement for anything more than a light-touch partnership. If network teams are responsible for the roads upon which business data travels, then security teams have traditionally been in charge of barriers, guard rails, and toll booths. The two teams have tended to operate within a shared working environment, with very clear and separate areas of activity. But, thanks to the impact of Digital Transformation, things are changing, and parallel-but-separate activity is not going to be workable for much longer.
By Neil Thacker, CISO EMEA, Netskope
Digital Transformation means something different to everyone, but you’d struggle to find a project that didn’t include a predominance of cloud, and it is this that is the cause of the shake-up for networking/infrastructure and security.
While networking and infrastructure teams prioritize performance, security teams are guided by a need to protect. With cloud, the two are not so easily separated. Old-school approaches to security directly impinge upon performance and usability, but overly permissive networking workarounds leave little security protection for sensitive and regulated corporate data that no longer sits inside a protective perimeter.
Security and networking teams know this. Most can see the need for change and closer collaboration, and many are even looking to converge teams and budgets, adopting a SASE (Secure Access Service Edge) architecture as a way to ensure that neither performance nor protection is de-prioritized. But these transitions are not easy. My job is to support CIOs and CISOs in making these necessary changes, and I advise that teams agree on and adhere to the following steps:
- Agree joint metrics
To avoid conflicting priorities and optimizations, network and security teams should agree on a common set of metrics for digital risk, network performance, and user experience. Each action taken should be evaluated against this unified set of metrics. These goals are jointly owned; network and security teams are equally accountable. Securing this consensus from the outset ensures that no procurement decision is taken, and no architectural ideology pursued, that would negatively impact another KPI. These metrics also let teams pursue purchasing projects with multiple goals, passing any potential internal disputes out for resolution by the vendors pitching their technology solutions.
- Ensure full visibility of performance
Somehow, the many benefits of cloud have been enough to persuade organizations that visibility over what is being used – by whom, when, and in what ways – is not essential. Security professionals who find themselves disquieted by this state of affairs have had to bite their tongues while performance, cost, and usability advantages were prioritized over risk management. We need to agree that a lack of visibility is no longer something businesses should accept as an unavoidable side effect of the cloud.
To the rescue of the blindsided security professional rides SASE, securing data wherever it resides or travels (inside or outside of corporate infrastructure). Network and security teams should use the increased telemetry delivered by a mature SASE platform to create a whole new and detailed set of insights. These reveal the reality of business activity and processes, and provide the potential to identify opportunities for service and policy improvement. Such visibility enables constant learning about the ways in which the business is operating, and an understanding of end-user actions, behaviors, and processes; it will therefore help manage digital risk as well as identify performance uplifts.
- Take a unified approach to emerging threats
Network and security teams should seek to use the greater visibility delivered by SASE, along with unified metrics, to identify emerging risks and develop strategies to manage these within the organization's risk appetite. This allows the development of business, network, and security roadmaps that get ahead of threats. Just as shared metrics prevent security professionals from designing architectures that create unacceptable performance penalties, so network professionals can make use of threat intelligence to design a more robust and relevant access infrastructure. A SASE architecture makes a shared network/security strategy essential; acknowledging that, with collaboration at the highest level from the outset, will make the process smoother sailing.
UX designers talk about ‘desire paths’. A desire path can be easily seen as you walk your dog about town; it’s the muddy route that cuts the corner, avoiding the tarmac path to find the faster way. Over the past decade, application teams grew to understand the power of user desires, with Shadow IT creeping in around the organization. Now it’s the security and networking teams that are having to rethink their infrastructure as a result of these desire paths. The workforce is embracing the work-from-anywhere approach, using the devices they choose and accessing the applications that they determine best support productivity. If we do not identify and respond to the desire paths in use, then we fail to support the business. But if the desire paths we allow do not protect corporate data, then we may become equally negligent.
Networking and security professionals must therefore collaborate to build an enabling infrastructure that both protects the essential data and makes it available where it is required. Without parallel goals and metrics, one team’s success today is tomorrow’s battle for the other.
About the Author
Neil Thacker has an impressive background and is a regular commentator on DLP, Neurodiversity, data protection, and GDPR as well as other topics. He is co-founder of the Security Advisor Alliance, an advisory board member for the Cloud Security Alliance, and a member of EUUG (European User Group for Enterprise and Cloud Data Protection).
Neil currently serves as CISO for Netskope, tasked with supporting the business security challenges through product security, incident management, data protection, security audit, governance, risk, and compliance. He leads the data protection function in EMEA and is the global GDPR lead and central to Netskope’s annual cloud threat report, the latest of which was published in February.
Views expressed in this article are personal. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.