DevOps and SecOps began as separate efforts
Source – csoonline.com
Until today, anti-fraud, security and authentication activities in organizations have operated as largely separate domains, with IT Ops even more separated, in most cases.
This is due, in part, to the “silo mentality” in enterprises, where it’s more convenient to have a bunch of teams running their own disciplines. After all, collaboration and synchronization increase the degree of difficulty. Politics, momentum, status quo, and decentralized operations that use third-party providers are also contributing to the current operational division. Given the escalating threat environment and evolving data protection requirements, I think it’s high time we began converging these siloed efforts.
Silos inhibit collaboration and hurt our customers
Traditionally, the CISO and IT departments have been responsible for one aspect of protecting the enterprise, while risk and compliance executives have been largely responsible for anti-fraud and data protection. Another team, perhaps led by the CIO or even the CFO, is responsible for Ops.
In this siloed world, collaboration tends to happen only when it must – for example, when security controls need to be adjusted to satisfy data protection requirements. It’s not that there is animosity between the two “sides” – it’s just easier to operate independently. The amount of communication and coordination between these silos is inconsistent and often ineffective, and many of them only come together around a crisis.
DevOps and SecOps pave the way
Just as DevOps and SecOps began as separate efforts but later joined forces to become DevSecOps, a unified approach that brings fraud, authentication and security together will better serve the constantly changing needs of businesses today.
Call it “FrAuth” or the mouthful “FrAuthDevSecOps”, but whatever you call it, it will help mitigate risk. Beyond landing on a name, though, there are challenges to overcome, including reporting structure, funding and the processes that will enable us to execute at the velocity required by the business. In any case, I believe integrated perspectives and objectives are needed, with “just enough process” to enable coordinated execution. If we approach this as a heavy, waterfall-like process, it will never work – instead, organizations that embrace an agile approach get an edge in this new world.
In addition to the increased leverage from a converged approach, there are practical concerns that will bring these disciplines together. Consider GDPR (the EU’s General Data Protection Regulation) and similar data protection regimes, for starters. These schemes will push us toward a more holistic approach in how we consider, manage, protect and maintain all of these systems in our environments, particularly those which store or process sensitive business and personal data.
Don’t worry – there is good news
The good news is we already have most, if not all, of what we need to succeed in this newly converged world. The bad news is that we’ll have to change our processes, mindset and (perhaps most difficult of all) set aside our political baggage to make it work.
Last week, I attended iovation’s annual Fraud Force summit in New York City. This event brought together fraud, risk and security professionals who shared best practices on implementing the latest fraud prevention and authentication strategies to reduce exposure to fraud while improving the customer experience. Along these lines, there was a lot of discussion around “omnichannel” authentication, which provides a consistent user experience with authentication, no matter where or how a customer interacts with your business.
What are we learning? Convergence is going to happen, and organizations striving for an omnichannel experience will be a big driver. It definitely won’t be an easy road to unite traditionally siloed disciplines, but in the long run, finding ways to provide customers with a seamless and positive authentication experience while protecting businesses from fraud will be the best thing for our businesses and our customers.