Digital transformation is a term that can be applied to an enormous range of projects, but underpinning all of these transformation projects will be a requirement to rethink network and security architectures to support new workflows and manage new risks. But research carried out by Censuswide has discovered a potentially damaging schism between network and security professionals that may prevent organisations from realising the benefits they are hoping to find from digital transformation.
54% of European CIOs believe that a lack of collaboration between specialist teams stops their organisation from realising the benefits of digital transformation. Essentially, they are telling us that if the internal teams cannot collaborate effectively, that $6.8T digital transformation spend could be wasted, and we will fail to achieve future-state architectures like the Secure Access Service Edge (SASE) predicated on networking-security convergence.
Beyond CIOs, the research also separately polled network professionals and security professionals in an effort to understand the relationships that each has with the other. If CIOs are worried about ineffective collaboration between the teams, how well are these two crucial groups for digital transformation working together?
The news isn’t good. While 45% of European security and networking teams sit within the same larger group and report to the same boss, 43% of European research participants stated that ‘the security and networking teams don’t really work together much’. Even more damning, 44% of the region’s network and security professionals described the relationship between the two teams in strongly negative terms such as ‘combative’, ‘dysfunctional’, ‘frosty’ or ‘irrelevant’.
So what is at the root of these problems?
Well, the research shows that it isn’t that the two teams are working on different goals. Both groups selected the same three top priorities for 2021: supporting increased productivity for the organisation as a whole, expansion of infrastructure to support business growth, and increasing visibility and control.
Nor is the issue a lack of opportunity to work together. Digital transformation projects are being pursued by both network and security professionals (85% of research participants are either working on a DT project currently or have just completed one), and more than half of these projects involve both networking and security transformation. The same number (56%) have a sponsor within both networking and security teams.
And there isn’t an issue with underlying ideology around collaboration. 82% of both respondent groups stated that security is part of the network team’s responsibility, specifically answering that ‘security is built into the network architecture’.
Is the problem industry-wide?
Twenty years ago, security lived within networking organisationally, but since then we have seen the gradual creation of a specialist security team, which reached its zenith with the creation of the CISO role. While CISOs tended to start out reporting to the CIO, it wasn’t long before the scale of the risk they were managing got CISOs a seat at the board table on their own terms, or at least an opportunity to interface with the non-technical C-suite.
New visibility for the CISO enabled disagreement with CIO and networking teams, and we saw teams start to take very different approaches to achieving organisational goals. But CISOs and CIOs are not the whole reason for a division between network and security - nor are they even the main reason.
The role of security is to find problems and orchestrate the fixing of them. And the problems they find are very often in networking architectures. That’s the nature of the role, but it creates an obvious friction when security can be seen as a critical naysayer. While security owns a strategy, it relies upon the network, infrastructure, and application teams to execute and achieve business objectives. Security teams may select a tool but network and infrastructure teams will be the ones deploying and running it.
And how do we fix it?
Within the wider IT community, network and security are not the only ones who lock horns (or give each other a problematically wide berth). We see many of the same issues between development teams, IT operation teams, applications and infrastructure, and so we can take a look to see how others are resolving their divides.
DevOps was created to bring together a cross-functional team with all of the skills and people necessary to build, deploy and run a product or software, and it is pretty well accepted that bringing teams together in this way has brought significant benefits.
Now we are beginning to see that these lessons have been learnt by the security team too. We are starting to see SecOps (security + IT operations) and DevSecOps (where application and infrastructure security are designed from the start) as cross-functional teams committed to unifying priorities and weaving security into developmental and operational workflows.
Breaking down work siloes
In recent years, we have also seen specialised and nimble ‘tiger teams’ being formed within organisations, tasked to address specific business challenges. This cross-functional team approach has been embraced by many sales and marketing teams, which has often led IT into the same model as we work to support the business activity.
In the last year COVID-19 gave many the opportunity to rethink organisational lines, using tiger teams to address the challenges of enabling and securing remote workers. In these teams, participants were given a mission to enable remote work as quickly as humanly possible and not get hung up on endless approvals for things like budget. The teams were empowered by senior leadership to make it happen and in this we saw traditional siloes break down momentarily.
These concerted cross-functional teams are without doubt the best way to fix the divide we see between network and security. One of the most irritating quotidian manifestations of the network and security conflict is the spectacle of NOC and SOC (networking and security operations centres) hurling tickets at one another. These tickets bounce backwards and forwards with no motivation to collaborate to address the root cause of the issues. Converging these two into a security and networking operations centre (SNOC) is a big step in the right direction.
Dedicated, cross-functional, skills-based teams reduce the need for standards-lowering compromise, and empowerment by leadership is the key to success. Teams should be focused on outcomes rather than activity, creating ownership across shared objectives and key results.
An example of an OKR could be, ‘improve the security awareness of my people as measured by a 20% reduction in the number of employees that fall prey to simulated phishing attempts’. While it is still important to ensure work is visible both within and outside the team, these structures naturally re-establish the relationship between network and security.
The dysfunctional relationship between network and security has been allowed to get out of control, but there is too much at stake to let this continue. Collaboration is critical if an organisation is to optimise security and risk management as well as user experience and productivity. Ultimately, without a constructive and effective working relationship, the vast sums being invested in digital transformation risk being wasted.
There is precedent for fixing things, and it’s time that the two were reunited in pursuit of common goals. Uniting the network and security teams with effective collaboration and re-modelled structures will enable enterprises to undertake the network and security transformations that are essential to the success of digital transformation.