Have you ever tried bringing up compliance with an IT Admin? It usually ends up in one of two ways. The first is that the administrator’s eyes will glaze over as they begrudgingly accept their fate to add yet another responsibility onto their already long to-do list. However, security often ends up on the backburner for IT personnel because their priorities lie with fixing outages and other crises. Compliance is no exception, so you can expect results to take a while. The second way the interaction could end up is drastically different. The admin may fight your every move and try to defend the current state of the network environment. They might take your advice as an attack on their hard work getting the network to where it is now.
Security speaks in “Not too fast” and “What’s the risk?” which often conflicts with IT’s language of “Get it Done” and “Is it Working?”
The National Institute of Standards and Technology (NIST) has been the de facto framework for many companies regarding compliance up to this point. However, it has mainly been a self-reported compliance framework up to now. The conversation with IT may have gone something like this in years past: A CEO sends a link to the admin on NIST compliance and asks, “Are we compliant?” The IT Admin answers, “Yes, we do most of those things. We can do the rest with more resources.” Then, the final exchange from the CEO, “Good, do the things we are not doing when you have free time. Oh, and could you help the new hire with a password reset?”
With the Cybersecurity Maturity Model Certification (CMMC) replacing NIST at the government level, companies must employ a certifying body to maintain contracts. Pushing security issues to the back of the list is not going to be an option. CMMC is one of those compliance issues that can make or break a situation for bidding on and receiving work from the US government. Many cloud applications have an option to set tools by default to help technically administrate this effort. However, in most cases, it is best to bring in a third party or assign someone who can manage the compliance effort instead of just handing it off to your admins. Understand that your IT resources need time and assistance to answer these compliance questions. If they read that they have to change their whole workflow to meet some of these security issues, they might fight the process. By bringing someone in to advocate for security while the IT admin advocates for efficiency and availability, you can generate a healthy balance and achieve the “Done” both parties want.
IT admins are great at getting things done and fixing things when they break. However, when it comes to documenting the processes and the procedures used to complete some of the regular tasks, compliance officers can be left wanting.
Staffing seems to have always been an issue in IT. Information technology requires a lot of people to run smoothly in your organization. If those employees have too many high-priority projects or issues to resolve, you can run out of people to perform technical work pretty quickly. Additionally, if the company's central IT resource leaves, not having their day-to-day activities recorded creates a huge security risk. Employees that are left to pick up the pieces might not know the ins and outs of the current infrastructure. Having documentation in place can help ensure an employee transition goes smoothly. Unfortunately, your team likely does not have the time to record everything they do. The solution? Hire a junior admin with the starting responsibility of documenting everything they learn from the senior colleague. Your senior admin will love the help with this task, and the junior will love the experience. The junior can throw all the notes in CMS systems like OneNote or Evernote for a quick future reference on an obscure task or responsibility.
Asking IT to Do Security
Fixing things may be IT’s strength, but they are often stretched thin on so many projects they jump from task to task and rely on automation to perform the bulk of their duties. They might be hesitant to take additional responsibilities, and security tasks tend to disrupt their streamlined workflows.
To better understand how your IT team will react to new compliance mandates, you must determine three things. These include, what is their current workload, are they in the middle of several priority projects, and have they recently automated themselves out of a resource constraint problem? If they are already working on projects to remediate higher priority network risks, a security project on top of that would not be ideal. In most cases, bringing in another resource to perform security is necessary. However, since security is a higher-level function of Information Technology, The IT admin may prefer being promoted, and a new resource can take over the current admin roles. After all, who knows where the holes are better than the person who set the systems up? That could be an opportunity for the IT admin to rectify past mistakes only made out of necessity.
Using Reports to Make Compliance Simple
IT Admins love to see their network problems in a “single pane of glass.” They play with dashboards to set up their views, allowing them to see an issue as soon as it becomes a problem. Leadership and compliance officers need this information too, but often these dashboards are geared toward availability and not quarterly leadership statistics.
The first step in talking to an IT admin about reporting is to learn what they are already tracking. If they manage everything in the cloud, they might already be halfway to your compliance needs before you start. Ask them what they monitor already and note the information they give you and whether or not their monitoring solution can generate automatic reports. Then, start with a spreadsheet on what metrics need to be collected every month/quarter/year based on your compliance mandate. If there is a missing metric, see if the admin can easily add it to their dashboard. Then flip the switch on the automatic reporting and send those email reports at the required intervals. Once the information is flowing, you can get more granular as time progresses. The main thing is that you have evidence and documentation of these reports sent through email delivery. Your organization is most likely already collecting the needed logs for the metrics that you need for compliance. However, the big problems usually consist of consolidating that information in one place and having a steady cadence of meetings and reviews to go over the data. Once the reports send, you can always move the meeting responsibility to other members of management to make sure the reporting and risk analysis is progressing without putting too much more work on your admin.
Security officers are often deemed the fun police in their organizations. They are often the people who mandate the compliance law from their cubicles in the sky and make everyone’s lives more difficult. The truth is that most of them develop this thick skin by trying to compromise with IT administrators on compliance issues. Working together on the shared “done” of compliance implementation can be a great way of bridging the differences between IT and security.
Written by Grant Codak
Grant has over a decade of IT experience spanning a variety of domains with a focus on defensive security. Grant is currently a Cybersecurity Expert at TechGuard Security where he performs a wide variety of proactive security services, including penetration testing. He also holds the following certifications: CISSP, CEH, Security+, Network+, A+, and Metasploit Pro Certified Specialist. Recent responsibilities include, a Senior Web Security Engineer at a Fortune 50 organization along with a variety of application administration roles in security operations. His past project work includes, web tool development as well as firewall and web proxy migrations. Currently at TechGuard Security, Grant conducts audit control assessments, penetration tests, vulnerability assessments and social engineering exercises. Grant ties his knowledge together with his deep understanding of network operations and security architecture to deliver approachable report analysis to clients. Grant is also a nature enthusiast and enjoys mountain biking, hiking and kayaking.