So far, we've looked at the gap as a linear progression from where we are to where we want to be on a Capability Maturity Model. Up to this point, that has meant addressing the gap between IT operations and IT security.
We've talked about some ways that we can interface between these teams through the use of:
- Service level agreements
- Organizational level agreements
- Processes
- Policies and procedures
However, we need to take another gap into account. The user, stakeholder, or customer is at the receiving end of every service that we provide.
Creating useful information to communicate through formal and informal channels between IT and InfoSec is important; however, the user can also use cyber intelligence to drive their decision making.
What makes the userspace interesting is that the level of interaction between users and either InfoSec or IT ops is limited to the methods we've discussed:
- The users must use the processes and procedures that are put into place
- The users must agree to the organizational policies
Since collaboration is the theme we are trying to convey in this book, we need to look at the user as an entity that we should be working with. We shouldn't only be pushing down edicts.