When Tim Callahan came to Aflac four years ago to take on the role of CISO, enterprise security at the insurance giant was embedded deep in the infrastructure team.
One of his first requests of the CIO: Let me extract security out into its own group. Callahan readily admits the culture shift was not easy but believes that the demarcation has actually led to better collaboration.
“Networking and security are distinct roles, and mixing them as a single group is dangerous,” he says. “In our highly regulated industry, we have to show separation of duty.”
Arguing for a walled-off security team is not easy for security leaders amid a shrinking talent pool of qualified security professionals. Analyst firm ESG found that from 2014 to 2018, the percentage of respondents to a global survey on the state of IT claiming a problematic shortage in cybersecurity skills at their organization more than doubled from 23% to 51%.
Callahan maintains, though, that you can restructure into two teams successfully as long as you clearly communicate the objectives of each team, along with the roles and responsibilities team members carry, and are willing to use innovation and automation to supplement human resources.
At Aflac, security owns the responsibility for monitoring the environment, informing the organization of attacks and vulnerabilities, and creating standards and protocols. “We determine the risk through a strong vulnerability management program and then lay out priorities for remediation for the network team to follow,” Callahan says. “Having clear lines fosters respect for each other’s profession and builds a healthier environment overall.”
The Aflac security team uses a Responsibility Assignment Matrix, charting which participants are responsible and/or accountable, need to be coordinated with, and/or need to be informed at different stages of a project life cycle. This only works, though, if security is seen as an essential part of every IT endeavor, not an afterthought, according to Callahan.
“We’re brought in early in the networking team’s development cycle to make sure the code created is truly secure,” he says. “We aren’t finding out just ahead of production so that we’re left to decide if we let it go as ‘insecure’ or get accused of stopping progress.”
Why to keep security distinct from networking
Chris Calvert, co-founder of Respond Software, whose automation tool uses artificial intelligence to simulate the reactions of a security analyst, says it’s important that security doesn’t get lost in the IT shuffle.
“Some of the security operations centers I built put security in with IT, and security would wind up getting kicked
Thanks to Sandra Gittlen (see source)