In an ideal world, cybersecurity operations — or SecOps — would look like this: A team of seasoned cybersecurity experts — people whose sole job it is to find and respond to threats — would sit in a security operations center 24/7, monitoring for risks and shutting them down as soon as they appear.
In the real world, though, cybersecurity operations tend to look more like this: In the course of their day-to-day monitoring routines, a team of ITOps engineers who don’t specialize in SecOps notices something unusual, like an unexpected surge in network traffic. Further investigation reveals that the activity stems from a cyberattack, and the IT engineers are suddenly on the frontline of shutting it down — hopefully with the assistance of a cybersecurity engineer or two, but possibly not, because not all businesses employ dedicated security teams.
What this means is that, although in theory SecOps should be handled by engineers who specialize in cybersecurity, in practice cybersecurity work often falls to ITOps teams. That may not be ideal, but it’s the reality — and businesses with non-existent or limited cybersecurity teams should adapt to it by enabling their ITOps engineers to deal with cyberthreats as effectively as possible, even if it’s not their main job.
ITOps vs. SecOps as the Foundation of Cybersecurity
There are several reasons why detecting and managing cybersecurity threats is often a task that falls to ITOps engineers, rather than dedicated teams.
Lack of SecOps functions and teams
The biggest is that some organizations don’t have dedicated cybersecurity teams or functions at all — and if they do, their teams may be stretched too thinly to find and respond to every threat on their own.
The ongoing skills shortage in cybersecurity has made it challenging for businesses to build in-house cybersecurity teams. Plus, businesses don’t always recognize the value of hiring cybersecurity engineers in the first place. In an era of economic turbulence, when CISOs sometimes treat cybersecurity as a cost center to be scaled back when the budget is tight, some organizations never even try to hire cybersecurity talent.
ITOps detects risks first
Even at businesses that do have cybersecurity engineers on staff, IT teams are often in a better position to spot anomalous activity that could be the sign of a threat. They’re the ones who monitor systems on a routine basis. They have a stronger sense than anyone else of what’s normal and what’s not.
SecOps engineers typically monitor for unusual activity, too, but they don’t usually monitor systems as closely as IT engineers. Their data sources may also be more limited because they analyze only data that they deem relevant for cybersecurity purposes, which does not always reveal every potential threat or risk.
ITOps leads response efforts
When an organization does confirm a threat or breach, IT engineers are often in the best position to guide response activities. They know how impacted systems work and how best to apply patches, migrate workloads, or take other actions necessary to contain or remediate an attack.
Ideally, SecOps specialists would know these things, too. But the fact is that they may not because they are not as intimately familiar with systems as the ITOps engineers who work with those systems on a day-to-day basis. Cybersecurity specialists may be able to explain how a threat originated and how to remediate it. But because they usually lack deep understanding of impacted systems or their role in the business, they are not as well-positioned as ITOps teams to determine the best approach to remediation from a business standpoint.
ITOps hardens systems against security risks
In addition to playing a pivotal role in cybersecurity response operations, ITOps engineers are also crucial for establishing a strong security posture for the systems they manage. After all, they’re the ones who make decisions about how systems are configured, how often they are patched, how user roles are managed, and so on.
Here again, SecOps engineers may be able to offer valuable input about topics like best practices to follow or how to balance security risks with other priorities (like ensuring that user accounts are not so locked down that users struggle to get work done). But security specialists are not the ones responsible for actual implementation of secure configurations.
Empowering ITOps to Manage Cybersecurity
Given the important roles that IT engineers play in cybersecurity operations, businesses should take steps to allow their IT teams to contribute to security as effectively as possible — as opposed to discouraging them from becoming involved in security operations because it’s not supposed to be part of their job.
Educating IT engineers about security best practices is a start. It’s easy to assume that anyone who knows about IT also knows about IT security, but that’s not always the case.
Establishing clear guidelines about the role that ITOps teams should or shouldn’t play in security is also important. There may be some security tasks (such as threat hunting, which usually requires a deep and particular type of cybersecurity expertise) that IT engineers shouldn’t attempt to manage themselves. Drawing clear boundaries ensures that IT teams will not be forced to guess about how much security work they are expected to perform.
Finally, define realistic plans for the extent to which your organization intends to build and maintain a dedicated cybersecurity team versus relying on IT engineers to cover security work. You don’t want IT engineers to feel they are managing cybersecurity only temporarily, because you theoretically plan to hire cybersecurity engineers, when in reality you have no such plan or can’t find the budget to support it.
In other words, be honest and transparent about how much of a cybersecurity role you’re going to require your IT engineers to assume, even if they weren’t hired to be security experts.
Detecting and managing security risks is not usually a central component of most ITOps engineers’ job descriptions. But in practice, that type of work may be an important part of their jobs. Rather than pretending it’s not, businesses should invest in measures that allow IT teams to tackle cybersecurity as extensively and effectively as they need to.
About the author
Christopher Tozzi is a technology analyst with subject matter expertise in cloud computing, application development, open source software, virtualization, containers and more. He also lectures at a major university in the Albany, New York, area. His book, “For Fun and Profit: A History of the Free and Open Source Software Revolution,” was published by MIT Press.