[mingus88]

In many mature orgs, corporate IT rolls up to the CIO and security will roll up to the CISO

The CISO and security ops will demand to be completely independent from corp IT, for legit reasons, as the security team needs to treat IT as potential insider threat actors with elevated privileges.

They will also demand the ability to push out updates everywhere at any time in response to real-time threats, and per the previous point they will not coordinate or even announce these changes with IT.

There has always been an implicit conflict between security and usability, because of the inherent nature of security deny policies, but they also inherently conflict with conservative change management policies such as IT slow rolling changes through lower environments on fixed schedules and operating with transparency

[valenterry]

> The CISO and security ops will demand to be completely independent from corp IT, for legit reasons, as the security team needs to treat IT as potential insider threat actors with elevated privileges.

I always wondered: why should security ops not be a potential insider thread actor? In fact, if they were compromised, it would be even worse.

Do we need two different security ops that monitor each other? :)

[briffle]

In most clustered systems, you need at least 3 observers, so that its a clear majority of systems can decide that the observer is not working as expected.

So I guess 5 security OPS teams in different regions of the world, and they can all call a vote if one of the teams is now 'bad' :)

[com]

Generally, act vs monitor is the segregation of duties that I have seen best working between platform or IT ops and engineering (act) vs security ops (monitor).

For many high privilege operations there are more segregation of duties in the act side of things - these can be down to plan, authorise, configure, activate, validate or some rollups of these. Another is dual control on the act side, since conspiracy is generally quite hard to do especially if it’s just for pocket-change. Different if it’s $$Billions of fungible cash of course at stake.

People often overcomplicate - simple do/check is often enough.

[jachee]

Isn’t that why some organizations have a red team and a blue team?

[com]

Security should not, in general, have anything but awooga-awooga red lights and sirens break-glass write/change/delete/shutdown access to prod infrastructure or systems, or indeed anything that could compromise them. I’d argue that access to read or copy sensitive data is almost, but not quite as dangerous without extensive controls and internal monitoring too…

IMO there are no legit reasons except politics, empire building, NIH and toxic relationships for such a such a crazy state of affairs.