Podcast Security

Security Operations and IT Operations—Better Together—SolarWinds TechPod 030

August 25, 2020

Security operations and IT operations have a lot of differences, but more similarities than you may think, especially as their worlds are merging more quickly than ever before. This presentation will delve into research driven by in-depth conversations with professionals from both groups, examining some of the biggest challenges they see separatelyand in working together more effectively. Going beyond traditional surveys, the findings will provide deeper insights into what’s needed to overcome these challenges. Supportive quantitative data will also be highlighted.  

You’ll hear directly from SolarWinds® Vice President of Security, Tim Brown and IDC Research Director of Security & Trust Products, Christopher Kissel. They’ll take you through the research and leave you with some actionable steps to accelerate the transformation of your IT and security operational collaboration. 

Related Links:

Episode Host

Chris McManus 
Marketing Manager, SolarWinds 

Chris McManus is a multimedia content producer in the SolarWinds ITSM business unit. He works with Service Desk customers on case studies and video stories, and he’s the go-to producer for ITSM webinars and training material. Chris also contributes to Orange Matter, THWACK ®, SolarWinds Lab, and SolarWinds THWACKcamp. Prior to joining the SolarWinds team, Chris was the brand manager for an ESPN Radio affiliate, and still enjoys all things sports. 

Episode Guests

Christopher Kissel
Research Director, Security & Trust Products,
IDC

Christopher Kissel is a research director in IDC’s Security Products group, responsible for cybersecurity technology analysis, emerging trends, and market share reporting. MrKissel’s primary research areas are identity access management (IAM) and security and vulnerability management (SVM) platforms. Cybersecurity extends beyond on-premises solutions, and the emphasis of Mr. Kissel’s research will be on the establishment of identity across heterogeneous networks (including cloud environment), and the role of analytics pertaining to SVM. 

 

Tim Brown 
VP Security,
SolarWinds 

Timothy Brown is currently the vice president of security for SolarWinds, overseeing internal IT security, product security, and security strategy. As a former Dell Fellow and CTO, Tim deeply understands the challenges and aspirations of the person responsible for driving digital innovation and change. Tim has over 20 years of experience developing and implementing security technology. Nationally, his trusted advisor status has taken him from meeting with members of Congress and the Senate to the Situation Room in the White House. He’s a member of the advisory board for Clemson University and holds 18 issued patents on security-related topics. 

 

Episode Transcript

This episode of TechPod is brought to you by Accelerating Transformation With Security and Operations Collaboration Best Practices, a new research infobrief from IDC, sponsored by SolarWinds. Hear about the latest research highlighting how to transform your security operations and IT operations for better collaboration.

Chris McManus:
Welcome to SolarWinds TechPod. I’m your host, Chris McManus, and this episode will focus on the convergence of security ops and IT ops. And we’ve got some interesting results from IDC Partner Research. And we’re going to give you hopefully some best practices to make these two disciplines work together effectively and meet some of the modern challenges that organizations are seeing. So, let’s meet our guest today. We’ve got SolarWinds Vice President of Security, Tim Brown. Hey Tim, thanks for coming on.

Tim Brown:
Thanks, Chris.

Chris McManus:
And we’ve also got Chris Kissel, who is the research director of security and trust products at IDC, who’s got some interesting research to share with us today. Hey, Chris.

Chris Kissel:
Hey, how you doing? What’s going on, Chris?

Chris McManus:
I’m good. I’m good. Thank you for joining us. I want to start kind of broad with you guys. Obviously, we see complexity increasing within IT environments. We’ve got all kinds of factors going on at this moment with the pandemic that organizations are responding to. So Tim, let’s start with you. When you look at the current landscape, how do you see IT environments changing?

Tim Brown:
Yeah. If you look at where we are right now, we’re definitely in a major flux and change in a lot of different places. From a security perspective, we see that we’ve got a lot of things going on in the background. We see rises in ransomware, we see things like Twitter getting hacked, we see more complex threats, we see economic changes, which are driving more aggressive behavior from the adversaries. We see a lot of things there. And then on the IT side, we’re seeing more complexity, we’re seeing more systems, we’re seeing more data than we’ve ever seen before. I mean, exponentially amount of data that we’ve never seen before. We see people using cloud environments, we see people being on-premises, we see people having multiple environments—multiple cloud environments.

Tim Brown:
So, complexity in the IT area is just kind of exploding. It’s like back in the early days when we had 72 versions of Unix running. We now have hundreds of environments running that are different. People using Azure, people using AWS, people using Google. So our complexity in the IT area just continues to expand, and our threat landscape continues to expand and change and is different. And a lot of challenges right now in IT and security working together.

Chris Kissel:
Yeah. Tim, you got all that right. And there’s a couple things I want to add to it. So one real quick thing. We commissioned a study at IDC in January. We looked at where data resides. So January being important because obviously, there’s going to be a fundamental shift because of COVID. But we had six scenarios where the data resides and we’d ask different people where their workloads were. Here’s kind of the results of that. So, 26% of all data was in an on-premises data center. 18% was hosted by an external private cloud like a Rackspace. Fourteen percent of data was at public IaaS platform PaaS. Public SaaS represented about 13% of data. On-premises endpoint had about 16% of the data. And mobile endpoints were 13% of the data.

Chris Kissel:
So, the reason why I drag you through the whole rigmarole is really if you think of those six access points on your computer, at Rackspace, on AWS, or with an IaaS infrastructure support, it’s literally all over the place, and none of those surface areas was small to begin with. We found though, that kind of during COVID, the two really important ideas, and I know we’re going to visit COVID a little bit later in the podcast, but two really important ideas have happened. First of all, an emphasis on your VPN. Companies really didn’t think about their VPN premise, their VPN tool as much because the majority of their workforce was going into work. And you would go and work behind your firewall and your specific identity and access management protocols. That changed as we did our diaspora to account for the COVID-19.

Chris Kissel:
And then the second thing is, is that there had to be greater individual endpoint on computers and things like that. So, when you have something that’s sort of working on a like my PC, typically you would go to an office and you could hook that up through an ethernet, you could go back through firewalls, and you had a more static thing. But when you kind of disaggregate all that, you’re working with somebody very specific VPN. Now, ironically, it did not mean the death of SIM because you still had at some point had to be able to go back to specific work tools and start workflow, prove compliance, and then do some sort of storage. So, the idea of the metadata being Agile and all of that was kind of important. So SIM hasn’t fallen down.

Tim Brown:
Yeah, so great points, Chris. I think the other place that we see changes, I mean, your mobile point was really interesting. It’s like, why so much data on mobile? And it was like, wow, the videos and everybody capturing their own things. And I can imagine, that’s probably driving a lot of the mobile stores. But I never thought of mobile as such a storage device. I think you said like 15, 16%.

Chris Kissel:
Yeah, it was like literally 13. Right. Yeah.

Tim Brown:
Crazy, crazy, that amount of data. So other things that are changing, is reliance on vendors. Nobody’s out there alone. The amount of vendors that we use for doing different things, the amount of data that flows between them, how we control that vendor landscape is another place that kind of increases the complexity for us. So, bottom line, complexity is just increasing, and it is critical that the IT folks and the security folks really start working together.

Chris McManus:
So I think that that captures the complexity of the way that IT environments are changing. And one of the things that you talked about right off the top Tim was kind of this transition that some organizations are moving maybe some things from on-prem to cloud, and you’ve got these hybrid environments. And it’s possible even COVID has had an effect on that as well. So when you look at that transition, how does that change the focus for security and IT ops?

Tim Brown:
Yeah. I mean, you have to realize that you have these environments. You have to realize that people are working in different places. You have to kind of embrace that kind of hybrid model. You have to understand. Once you understand that, you say, “Okay, how should we look at different models to make the security teams and the IT teams comfortable with what’s going on?” If you say from a security professional’s perspective, “Well, I’m only comfortable if everything is on-premises inside my four walls without any cloud services,” and then you look and say, “well, wait a second, is that really true? What do I use for 401k? Am I comfortable with all my employees’ financial data going to a 401k provider?” Well, you’re not going to stand up a 401k provider yourself.

Tim Brown:
So you have to be comfortable at some level embracing this hybrid model because it is just a fact that it’s there. So, once you’re comfortable with that, then you start adjusting yourself. Then you start saying, “okay, well, I’ll start managing from a risk perspective instead of a security perspective. I’ll start moving my whole models around not so much as, yeah, I am just on-prem, I am just in the cloud, I am solely contained, to I am more open.”

Chris Kissel:
Yeah. There were two or three things you said that I kind of wanted to unpack. First of all, the majority of organizations don’t have dedicated network teams and dedicated security teams. You’re talking about, if you have a business that’s lower than 1500 people, very often you’re gonna have a staff of generalists, either IT or, the guy actually comes in and plugs in your computer on your first day of work, he uploads all of the endpoint profiles. And then after he’s done doing that, he monitors things, whether it’s the security or IT things. So you really have to think of going downstream for smaller businesses. It’s not always a discrete either and or, but your tools have to be extensible if ever you wanted to build and you wanted to divide your team in a very certain way.

Chris Kissel:
I also think that when you go to cloud, a couple of things happen on the control plane that are a little bit different. So, identity and access management, it’s not easy to do because a user will flip at different points in the network. So, for instance, every time you go on to a VPN, you get a new IP address, right? Also sometimes people have multiple devices, so tracking them through the environments is pretty tough.

Chris Kissel:
I’d also say last that even before COVID and even as people are moving to multi-tenant and multi-cloud environments, there’s this whole element of digital transformation. So, we’d studied this at IDC in a good portion. But the larger ideas about digital transformation is making your network more flexible so that contractors can go straight on to it, or consumers can interface with your enterprise in a faster and more efficient level. But of course, you still don’t want to compromise security when you do that.

Chris Kissel:
We were able to do some studies that the companies that were more receptive to digital transformation, even though there was a little bit of a cost and upfront things moving from on-premises to cloud, were actually finding slight revenue benefits. I don’t want to make it too hyperbolic, but we could demonstrate that there was a, as you were more digitally comfortable, you were still gaining different revenue sites by being able to integrate cloud compute by bringing in analytics for understanding your customers, offering really smart online promos, and appropriate promos for events and for things that were happening in real time. So there was a lot of reasons for digital transformation.

Chris Kissel:
So, yeah, you’re looking at all things, different generalists in security and IT, the physical transition of keeping identity static as well as digital transformation. So that’s part of the complexity and some of the ideas between hybrid and hybrid cloud environments.

Tim Brown:
Absolutely. IM becomes important. Trying to keep things as simple as you can, that helps a lot. So, when you look at cloud environments, if you’ve got a separate source of truth for each one of your cloud environments, if you have a separate source of truth, meaning an identity that runs in each one of your operations, it’s very, very, very difficult to handle. So, if you truly embrace a single source of truth, if you insist on integration across your platforms, you’re in much better control. So, just across the board, try to simplify, try to do policies in the right way.

Tim Brown:
Your digital transformation comment was completely spot on. I think we’re in phase two. I think we’ve been kind of by COVID, driven into phase two of our digital transformation. And I think IT plays even more critical role in the companies that are going to be successful. I think it’s just important that we do start making those steps to work together, work together better.

Chris McManus:
Chris, I want to go back to something you said a moment ago. You talked about how in many organizations, you have a bunch of generalists who potentially wear multiple hats. We have all of these names for ops within an organization, right? We have DevOps, SecOps, IT ops.

Chris Kissel:
[inaudible 00:13:17]

Chris McManus:
Yeah, yeah. As we see in organizations that folks are potentially involved in more than one area, and we’re talking today about the convergence of some of these disciplines, is there a way to consolidate the way we think about these different disciplines?

Chris Kissel:
Yeah. Let me try that at first. There’s a couple of things, exactly. It’s a panoply of different tools. So obviously, when you think of security, you could think of DevOps is happening with, obviously there’s a MITRE framework and the assignment of NVD Vulnerability Assessment scores. So you could do, vulnerabilities, I should say, then the vulnerability assessment guys go suss all that out. But the larger point is that you do have international base of concerns that happen on a vulnerability level. So you have to be aware of it in your container environment, you have to be aware of vulnerabilities coming to you from applications. And then of course, you have to worry about vulnerabilities on your network.

Chris Kissel:
So it’s a genuine horror show, but you do have to have sort of an integrated workflow. You also have to have both outside-in and inside-out vantage points. So, I would say that, you’re looking at things like antivirus and device vulnerability assessment to figure out what are the holes in your network. But outside in is kind of the marriage of it, there’s something wrong in a networking phase. You have an indicator of compromise, but you don’t know if it’s something like bad load balancing or something has happened with a URL itself or a bad SSL TLS handshake. You got to find that out because in the line of business, if something is going wrong for your end user, whether it’s from you or network or security, your end user doesn’t care.

Chris Kissel:
So you’re trying to kind of streamline your processes. You want to make sure that you have a real perspective between what network insecurity is. So I would always argue that visibility is king because you can write the interpretations later. And then you have to really, you still have to do it on a human level. This is still workflow driven. So, somebody is going to get an IT ticket or somebody sitting over a console goes, look, there’s something wrong with this unusual port activity or there’s something wrong with this server, they’re going to go check it that way. So, you try to ubiquitize the things that you can for having a hierarchy to look at vulnerabilities to check your network and fluid in real time. And try to monitor.

Tim Brown:
I think there’s a lot of things that we sometimes forget that we’re really trying to do a lot of the same things but we’re just doing, have a different focus. And it’s important that we realize that the focus is different. Now the IT guys job is to keep the internal IP systems running. The ops guys is to keep the systems running externally going. The security guys, to make sure everything’s safe. But we’re all trying to do something that’s fairly similar.

Tim Brown:
And it is critical that we realize that, that working together, especially with all this change that’s occurring, all of these challenges that are occurring, the changes in the environment, the increasing usage of cloud, the next kind of digital transformation where IT becomes so important. If we don’t get IT ops, DevOps, and security ops kind of tighter together, we’re fighting a losing battle. It’s critical that we start kind of moving those guys and all of those teams in the same direction.

Chris McManus:
Tim, in your role, what do you believe is security’s role in helping these other disciplines account for risk that is involved in all of this complexity?

Tim Brown:
Yeah. The first thing is to start thinking about risk. It is really all about risk. It’s not about security, it’s not a binary “I am secure” and “I’m not secure.” So first off, starting about risk. The other one is a lot of the human pieces. So, my team runs security operations as well as security strategy. In the office place, we have one rule. We said yes and thank you to everybody. We need to be approachable. Somebody says “I did something stupid, I clicked on a link and my machine’s now acting funny.” “Okay, well, thank you for reporting it.” Somebody says, “I’ve got a vulnerability in my code.” “Thank you for recording it.” Somebody says, “I’ve done something and shared data that I shouldn’t have shared.” “Thank you for reporting it.”

Tim Brown:
Now why, Why is it so important to do that from a security perspective? It’s because the security teams always need help. We need people to be reporting to us. We need people to be self-reporting. We need people to tell us when something went wrong or if they see something. So it’s so important you engage the community to kind of get to the point of an open model. So the more open and approachable you are from each of the ops areas, the more you can get done. The more open you’re working together, again, the more you can get done.

Tim Brown:
That’s one of the critical things that we have to really have here is that working together, yes, people have a different set of priorities and a different set of approaches, and a different set of motivations. But working together, we can get a lot more done than if we’re at odds.

Chris Kissel:
Tim, you cracked me up. I was thinking about an old Saturday Night Live skit before Jimmy Fallon went to do his show. And he had that obnoxious IT guy that would go, “Move!” You’re exactly right where, I know that help desk, I’ve done it before too, where the help desk is asking me very fluid questions about, and directing me, like “hey, when did you go on to this or this.” And I start pounding my keyboard and I’m like a little patience from everybody. Your attitude is completely correct, man. If everybody kind of works through it, believe it or not, there’s going to be a bug on a computer from time to time. Let’s just kind of suss our way through it.

Tim Brown:
[inaudible 00:20:15]

Chris Kissel:
Yeah, yeah, yeah. So I thought that was awesome. And I think that you brought up the idea of risk. In a perfect world, we would drag every file through a sandbox, whether it was going north south or east west. We would have multi-factor authentication in all changing events. We would balance our asset against our vulnerability score. In all reality, you can’t do that. And so, there’s a couple things I wanted to add about that you really do make a concentrated effort on your most important assets. You make sure that your most vulnerable ports are looking over.

Chris Kissel:
Part of the reason why I’m on this tech podcast is we’re developing a study with you folks. And what we did is we interviewed eight different companies. The way we did it was we interviewed four companies, but we did them from an IT perspective and from a security perspective. So, the part about risk to me that really resonated. I talked to a guy at an unspecified hotel chain, and he told me that his security was down to the point where his computer was linked to the ethernet cord. So, if somebody went behind the bellhops counter and pulled the computer out of, literally pulled it and walked away with it, or even if an employee moved it and went somewhere else he would know it. Would actually signal ticket something. And that they were using Opera, which I believe is the hotel ticketing managing things.

Chris Kissel:
So, almost anything that could happen in a hotel, they wanted to unify and express as an incident ticket. And that included every now and then, he would train the security guys to go to the ATM and make sure somebody hadn’t uploaded a scanner. And then I could tell you, another part of the interview that we did, I talked to a guy who had financial services. And he said when he trained new people, I asked him, I said, What is the skill that you’re looking for? I was figuring he was going to say something really cool like data science. [inaudible 00:22:27] It’s like they wanted you to be Mr. Wizard.

Chris Kissel:
He said, “If these guys in an interview tell me about risk, they win my heart.” He goes, “The thing is is that for us, we’re looking at, we handle personally identifiable information, credit card information, anything you’d ever need in a loan application, you can multiply that a thousand times over for consumer and business.” And he goes, “If my guys understand that our assets are not to be exposed or vulnerable, if we do all of our architectures risk-based, we’re willing to give up in that specific industry.” If it was a choice between doing a workaround or improving network performance versus adding risk, and sometimes I don’t want to make it like this, this is a constant and always choice, but every now and then it’ll come up. They’re like, let’s wind it back down and make sure our risk profile is good. That was my point, so I wanted to kind of put some-

Tim Brown:
It’s super key that you understand your crown jewels essentially, understand your mission and business critical application. So important to be able to understand what the most important assets in your environment are, and then protect them at a different level than what you protect everything else. So I haven’t met one security guy that says, I’ve got plenty of money, I’ve got plenty of people, I’m just going to protect everything at 100%.

Tim Brown:
But if you get to the point of saying, okay, yup, here’s what I am. I don’t have 5000 applications, I have 200 things that fit my mission and business critical. I can protect 200 things. I can’t protect 5000 things. So I can protect them to a sort of a level, but can I truly go attest that the risk is almost zero to 5000 assets, no. So being able to attest the risk to a couple hundred, sure. So, it’s very important that you do define where your risk is, define that risk with your IT groups, define that risk with your business groups, define what the most important assets are. And then take a measured approach and a practical approach to it.

Chris McManus:
One of the themes we’re developing here and that I’m hearing for both of you guys is that the mentality is half the battle in terms of calculating risk and getting that to be something across disciplines that folks think about. I wanted to ask you from, if you’ve got that mentality throughout your teams from an execution standpoint and from a tool standpoint and from things that you can do to find improvement in the way security and operations work together. Tim, we’ll start with you. Do you have recommendations?

Tim Brown:
. Absolutely. So, common tooling and common language and common policy between a security and IT ops team makes so much of a difference. Internally, we use Orion for our IT ops team. And those guys are using it all the time. They’re always in there. But from a security perspective, if I see an event occur, I can go out and I can look and I can see what the device is. I can see who owns the device, I can see all the information about the device. My security guys are more of a monitor, a watcher, not an action taker on those. But being able to pinpoint, hey, this event occurred on these systems, these systems exist, now this office and this world and this area of the world. And I can communicate that back in an inappropriate language so the IT guy to go take action.

Tim Brown:
You’d think that would be something simple. Never. It is hard. So, with the right tools, we can do that. We just use the tool slightly different but being able to look at my network manager, look at my systems manager, look at my performance management and say, “hey, us using the same tool for slightly different purposes helps an incredible amount.”

Chris Kissel:
It’s people, processes and technology. It’s a little more than just the idea of … Let me kind of back it up. What I think about the framework of what I would want in IT SecOps, really a couple of things. I think I would prefer if all things were equal to try to map to a security framework, whether it was like NIST 800-53 or MITRE ATT&CK framework. And none of that’s easy as Tim correctly says, but the thing is, and I’m seeing honestly, in the last year of the study’s I’ve conducted, a lot more appetite for both the SOC guys as well as the tool manufacturers or vendors to map to the MITRE framework. And there’s a real pragmatism to that because two things. One, there is real transitioning in the workforce. Very often, one guy will leave, he works for a mid-sized bank and then Bank of America instead of training somebody from the ground up, already appreciates this guy’s skillset, he moves over.

Chris Kissel:
That doesn’t mean everybody’s completely out of the loop. If you’re using a common framework, like a MITRE or NIST or something or a SANS security control, what’ll happen is the next, that is kind of the language and the fluency for that. And specifically about MITRE, if you track it left to right, it tells you about all the different exploit phases. So, when the initial landing is, first lateral move, the first extrusion out. So, if somebody kind of gets to that kind of rigidity of thinking it helps.

Chris Kissel:
And I think Tim has been saying, as much as anything else, if you can get to a common taxonomy, common code, the best you can anyway, and implementation of playbooks, you cut down on false positives, you cut down on time to respond, and you set up your tertiary things like patching better. Or if you need to reimage you know how to do that. Or if you need to go back, if you need to put assets dynamically in a sandbox. You really have to think about those things because, unfortunately, time is on the adversary’s side. And so, the longer they’re in the network, the more damage they can do.

Tim Brown:
Yeah. And the more standard you are, the more efficient you are, bottom line. And the more common policies, procedures, technology that you utilize, just the more efficient that you can be without question. Internally, we run a program that looks at CBSS scores of different things and prioritizes those based on the CBSS score. Doesn’t matter where it came from. Could be a vulnerability in a system, could be a vulnerability in a product, could be a vulnerability anywhere. We look at that and we have rules that we essentially run through in a playbook in a process that we do. And we do it all the time so that if something terrible comes up and something big comes up, it’s just something that we’ve already run through all the time so that we’re not trying to reinvent ourselves. So, very important that you pull together the right kind of policies and procedures and standards.

Tim Brown:
I’m a big fan of NIST, big fan of MITRE. Both of them have very good frameworks to follow to get through things. Just do it consistently is the big message here.

Chris McManus:
So, you’ve each talked about how difficult it can be and how much commitment it takes to achieve some of these goals. But just to summarize this section of the discussion, ideal utopian world, where we’ve put in all the work and commitment to get there. What does it look like to have integrated security and ops in your environment? Give us the brief overview of how that functions?

Tim Brown:
Yeah, I’ll take this one first. If you reach that, you reach common understanding of hey, the importance of this, whatever this happens to be, because I’m now working on a risk-based process, a risk-based program. I can realize just like the IT guys or the DevOps guys, they can realize, hey, this service is critical to the business. If it goes down, it is terrible. We all realize that right off the bat. Then we say, how do we deal with this whatever it is? Oh, we just go through our normal playbook, whether it’s a super critical issue or a less critical issue. We follow through our standard playbook. We know what’s expected, we know who to involve, we know how to run through a process, and we know how to work together, how to communicate together using the same language so that we’re as efficient as possible. That’s nirvana.

Chris Kissel:
That’s right. It’s not super, super easy but you’re going to have certain times in bigger organizations where a tier one guy kind of does the big cutting. And then the tier two tier three guys go to the butcher level where they’re trimming the marble off the beef. So you have to sort of understand when an incident is closed, when it’s open. That’s part of it. And then obviously, you kind of have to run everything back through the network to make sure that you’ve got your server configurations correct, that the end-user experience is good. Tim described the processes very well.

Chris Kissel:
I was just going to say that I think that the cloud does add complexity. I’d mentioned it earlier in the podcast that the hardest part of this is keeping the user static. So you would think, well, this is, something emanating from Chris Kissel’s computer is going to be safe because I’m trustworthy. I’ve got like a Tom Hanks head, everybody goes, he’s a trustworthy looking dude.

Tim Brown:
As a security guy, we never trust those folks who say they’re trustworthy.

Chris Kissel:
That’s exactly right. If you see their head in the post office too, that’s not so good either. Now the larger point of it is that you’ve always got the impossible travel problem where somebody’s figured out what my MAC address or IP address is. They’ve figured out how to make me a credentialed user. And then they’re trying to do things in the Ukraine with all of that stuff. The idea of keeping, even when things go right, you do have to have different kinds of places redundancy, if nothing else, just kind of double check them.

Tim Brown:
The team model is just so important. Technology is important, absolutely. Others are important. Just finding ways to work together is a huge part of it.

Chris McManus:
Speaking of dynamic users, for many organizations, their users are no longer even within the confines of the office. And Tim, I’ve heard you talk about this as “the new different.” How do you see the impact of remote work, of COVID-19, of everything that all these organizations are dealing with right now, including ours, how do you see that having an impact on security operations and IT operations?

Tim Brown:
We moved almost 4000 people to their home offices in about a matter of a week. And just said, “yup, okay, our offices around the world have to satisfy what local and regional laws were.” And therefore, we got people to move home. Moving home was probably a little bit easier than moving back and moving into hybrid. We were a company that primarily folks came into the office all the time. So, luckily, we had invested in a lot of tools, invested in some good technology to make sure that we were allowing people to get access to things without overloading our VPN, allowing people not to necessarily call home all the time.

Tim Brown:
And now we’re starting to plan our come back in. And come back in means hybrid, means that we’re going to have people from different places. We’re going to need to make sure that we understand how to run meetings efficiently and effectively. You see problems where people are running meetings when half the people are in the office, half the people are away. Those are actually much less efficient meetings than when everybody is away, everybody is remote.

Tim Brown:
So we’re looking at things like that. From a security perspective, we can’t count on the security of the network anymore to provide us all the security necessary because people are sitting behind their home router, they’re sitting behind machines that are not necessarily secure. So, we need to be able to add additional security to the endpoints to make sure that those endpoints that need to be heavily secure, again, those that are accessing Our mission in business critical apps. I need to understand which ones I need to actually spend a lot more time on, because again, I said I can’t protect everything, but protect my top 30% of devices at home, and make sure that those are heavily protected, heavily monitored, heavily protected, that are going to more risk sensitive environments, then I’m in a much better condition.

Tim Brown:
But I think we have to essentially embrace the fact that we’re going to live. Hybrid has now just changed from not just cloud environment to cloud environment to on-premise senvironment, but part of our hybrid is now home. So, I think embracing it and working through the risks that that brings you, and then adjusting the risk based on the workloads that folks are doing are kind of where we need to head.

Chris Kissel:
Let me take this to a slightly different direction. I concur and sign off on all those points. At IDC, I’ll be honest, the one cool thing that we did was literally, like the last week of February, we’ve been surveying different companies, like literally 850 to 1000 depending on who we could contact every two weeks about their approach to COVID-19. And I’ll give you a couple of general ideas. So, in our last, we call it wave nine because it was our ninth survey that ended on July 18th. Yes, the IT spending, the way we asked the question was, compared to going into 2020, where is your IT spending? What is your impression? Is it going to decrease by 20%, decrease 10 to 20%?

Chris Kissel:
When you do the numbers, we had more people expecting a decrease in spending. And it was slightly, if you balanced it out, it was maybe a 1% or 2% less spend in IT than they’d anticipated. This is IT, this isn’t just necessarily security. And ironically, some of the people like we found that IT services. If they had projects that were basically professional services to do, they actually slightly changed, they actually had a little more increased spending. So, what was funny is is that if you asked the same, well, we did ask the same people, do you have greater hopes for GDP. Almost like three to one were negative.

Chris Kissel:
So it seems that IT, the old saying was is that saloons always do well in depressions and they do well in good times. IT is going to matter no matter what. And to be honest with you, when we did all that stuff, we did those surveys, I thought the drop would be more noticeable if only because you had whole market segments getting wiped out like restaurants and hotels and things like that. And let me also add that aside from architecture, the mindset has to change, slightly. I’m in Phoenix, Arizona, I’m single single guys. So, I’ve always worked from home. I don’t travel as much now. But then again, I have more time to do more work. And guess what, my boss gives me more work. It’s part of the deal.

Chris Kissel:
But the larger point is, is that I have colleagues that when school comes up, they’re going to have to set time to do some home schooling. I don’t even know how you do that for first, second, and third graders, K through three or whatever. We’re all going to be frustrated sometimes with the VPN. We honestly think that there is, and it sounds like a soft value, but I think it’s real, COVID kindness is what we’re calling it. You’re really going to have to have empathy for people that are in different phases their work. It’s something that was on-premises or service oriented, and they’ve refashioned their job dynamically.

Chris Kissel:
Like I say, I feel sort of lucky in that I can control a ton of my environment. I don’t think a lot of people are in the same boat. It’s not just scary from a technical view. Very often, you might have family members that could be afflicted or you’re worried about other friends of yours that are in more affected industries. This is not easy. So you got to really care about, you do the best you can with technology but we also think that COVID kindness is going to matter. If you’re a jerk during all this thing, two, three years from now, if people get their money back and they have elective spending, they’ll remember it. That’s what I’ll tell you.

Tim Brown:
I love the term right. It is going to kind of drive us for the next while, that people are going to need to be sensitive to other situations. And we’re going to need to adjust. But I think if you look across, I don’t know how your surveys show, but I know internally, we’ve seen that our productivity has actually gone up. We’ve actually been doing more projects and more things on time and getting more done because truthfully, people can’t go out and can’t do other things so they’re working a lot.

Chris Kissel:
That’s the other part of it. It’s not just working from home. You’re comparing my job to whether I want to go watch a movie or watch many of my mediocre Arizona teams play. It has nothing to do with even trying to advance professionally. It may be actually the funnest thing to do on a Saturday. Let’s do an email sweep or something so you’re right.

Chris McManus:
Sadly, I think we have all been at that point on a Saturday or Sunday over the last four months. I want to bring kind of the whole thing to a conclusion here with you guys. We’ve talked about complexity which was increasing before the pandemic. And for some organizations, it’s only accelerated the increase in complexity. We’ve got challenges that are coming with end users working from home. But as you speak to security ops pros and IT ops pros about these things that are changing and some of these challenges that they’re facing. Tim, what would be kind of your main takeaways that you would want the audience to keep in mind as they confront these challenges?

Tim Brown:
The first thing is, IT is here to stay and it’s going to be taking a more, even more important role in the future. If you look at the companies that are doing well, they’ve been reinventing themselves in this kind of new world. Telemedicine, huge, incredible, doing extremely well. Remote home care. Also huge, very data dependent, very IT dependent. Restaurants are doing no brick and mortar, just order.

Tim Brown:
So I think this next level of digital transformation will be putting IT in the forefront even again more than ever. So, with that, we’re going to have the complexities. So, with those complexities, you have to find ways that your IT team, your security team, your ops team, whether they’re a small team of a couple of people or a large company of hundreds of people, they have to find ways to work together. They have to understand that working together drives efficiency, drives risk down to the business and make things much better.

Tim Brown:
So, when you’re thinking about that, make sure that you’re all having the right human attitudes. Make sure you have COVID Kindness across the organization. I love that term. Make sure that you’re training your employees, having them work together. Use the same tools if you can. Simplify where you can and make sure that you’re kind of using all the same policies and [inaudible 00:44:18]. And always remember that your goals are the same. Your goals may be, at a highest level, they’re the same. You want to succeed, you want your company to succeed, you want your company not to have undue risk. You want to make sure that you are providing the most efficient ways to do things. So, really develop that culture of yes and that culture of making sure that things are, moving forward with the right things in mind.

Chris Kissel:
Everything you said is spot on. The way I kind of thought of it was, I thought if you looked at, every now and then the network insecurity has, they’re not against each other, but sometimes they’re a little bit off. So for instance, let’s say that security finds out that we’re vulnerable because we don’t have the most recent Microsoft OS 10 patch. Well, security will just throw it over the fence and say to networking, please deploy the patch. Sounds great but you don’t want to do that Tuesday at 10 o’clock or 10AM because you could have some CPU issues or load balancing. So there has to be strategies.

Chris Kissel:
I put like a quick little couple of notes. These to me have to be considered to be shared ideas between network and security, these six ideas. Workflow, okay. So whether it’s a networking or a security issue, it has to get solved commonly. Risk. You talked about this a ton, Tim, but the idea that we really do care about our web servers and financial servers, those are the most important assets. I would also argue that risk is shared across data where you make sure you have a correct encryption and decryption strategy data at rest and data in transit. Policy. It’s like what is secure access, what is proper end user behavior? That’s got to be across the organization. Access. The very specific things that you do to multi-factor authentication or single sign on, tracking identity through multiple clouds.

Chris Kissel:
Compliance is another important idea because if a regulator says that there’s something wrong. The GDPR standard is you could get docked up to 4% of your gross income. And they’re not going to care if it’s a slip up from a network administrator or security guy, if cloud data is out there. And then the last one would be capacity. So, you think of networking as an issue that’s discrete. So let’s say that you don’t have enough headway, your applications come in, your jitter is introduced. Well, that’s a real problem to your security tools too because when you have very limited bandwidth, you really compromise your firewall rules, your antivirus gets kind of, all these things get janky at the edge. And once you start losing packets, you start losing control.

Chris Kissel:
So, those are the six things that I think you keep in mind. And I guess, Tim, between us, number seven, how about a little bit of kindness, this thing matters. It’s not about “hey, security should get the checkmark or networking gets the checkmark.” Let’s do it right. Make it good for the organization. I’m the rah rah guy for the organization now. Make it good for the end users, make it good for each other. We can do this. All that’s important.

Tim Brown:
Yup. Absolutely. Great point. Thanks, Chris.

Chris McManus:
Thank you guys both so much. Chris, thank you for all the insights and keeping a pulse on how organizations are dealing with some of these challenges. And, Tim, thank you for the insights and for everything you’ve done for us internally here at SolarWinds. I’d love to close by telling you I’m a trustworthy end user but I heard earlier that that’s not what you want to hear. So I’ll promise I’ll try my best. How about that?

Tim Brown:
There we go. That’s perfect.

Chris McManus:
And thank you everyone for listening today. For a copy of the research that you heard throughout the episode and other useful security resources, be sure to visit SolarWinds Trust Center at solarwinds.com/trust-center.