The lines between IT security and IT operations are blurring—and for good reasons. Historically, these functions operated in silos: operations focused on performance, uptime and infrastructure health, while security zeroed in on threats, vulnerabilities, and compliance. But today, in an era of speed, complexity, and constant threats, these teams have more in common than ever before.
The Common Ground Between IT Security and IT Operations
At their core, both teams are charged with ensuring the resilience of technology systems. They both care deeply about minimizing downtime, preventing incidents, and rapidly resolving issues. Whether it's a network outage or a ransomware attack, the outcomes they're trying to avoid are the same: disruption, data loss, and reputational damage.
Here are some of the key similarities:
- Monitoring and Alerting: Both functions depend on monitoring tools to detect anomalies; however, each approaches alerting and its follow-up process from a different perspective (discussed below).
- Configuration Management: Both operations and security follow best practices in configuration management.
- Change Management: While both groups understand change management, operations are much further along in the maturity of people, processes, and technology.
- Incident Management: Incidents, regardless of their nature, require rapid identification, assessment, and response. Both teams try to follow structured playbooks to triage and remediate issues.
- Root Cause Analysis: After any incident, the goal is the same: understand what happened or changed, why, and how to prevent it in the future.
The convergence is not just about shared goals. It's about shared best practices, tools, and accountability. Both teams are using modern platforms like SIEMs, SOAR tools, and IT Service Management (ITSM) suites, which provide similar, and in some cases identical, services. Cloud infrastructure has further dissolved boundaries, as security and performance both hinge on proper configuration and visibility.
Why Convergence Makes Sense
Agility and collaboration are no longer optional in today's fast-paced IT environments. Security can no longer be bolted on after operations are complete, and operations can't ignore security concerns when provisioning systems or deploying applications.
This convergence often takes the form of SecOps (security + operations) or even DevSecOps, integrating security practices into the entire lifecycle of IT service delivery.
Benefits of convergence include:
- Holistic visibility into risk mitigation and performance
- Better alignment with business goals
- Faster incident response
- Reduced friction between teams
- Stronger compliance posture
Understanding Key Metrics: MTTI, MTTC, MTTD, and MTTR
To manage both operations and security effectively, you need to understand how each measures success and resiliency. The security industry measures its resiliency through MTTI and MTTC, whereas operations utilize MTTD and MTTR.
Security Metrics
MTTI — Mean Time to Identify
MTTI refers to the average time it takes to detect that an issue or threat (typically synonymous with a security breach) exists. A lower MTTI means your monitoring and alerting systems are working well, and anomalies and unknown/unauthorized changes are being identified and escalated to a SOC (Security Operations Center) for investigation, triaging, and response.
MTTC — Mean Time to Contain
Once a threat is detected, MTTC measures how long it takes to contain it and prevent further damage or lateral movement. In security terms, this might mean isolating an infected device.
According to IBM's 2024 Cost of a Data Breach Report, the combined time to identify and contain a breach has reverted to 2017 levels, which is NOTHING to write home about! To put it into perspective, that is the span from January 1st to September 15th to identify and contain a security breach.
Source: IBM 2024 Cost of a Data Breach Report
Operational Metrics
MTTD — Mean Time to Detect
MTTD is often used interchangeably with MTTI, but there's a subtle difference. MTTD typically focuses on how long an operational issue goes unnoticed after it has occurred.
MTTR — Mean Time to Repair (or Respond/Restore/Recover)
MTTR tracks how long it takes to fully resolve an issue. For operations, that could mean restoring a system to normal operations or stopping a faulty deployment from impacting more systems. It's a key metric for both uptime and risk mitigation.
Moogsoft's 2022 State of Availability Report assesses the ability to detect and respond, recover, repair, and restore in minutes rather than months.
Source: Moogsoft: 2022 State of Availability Report
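To make the four metrics concrete, here is an added example (not from the original post) that computes MTTI and MTTC for security incidents and MTTD and MTTR for operational incidents from constructed incident records. It assumes each record carries the lifecycle timestamps shown, and that MTTR is measured from detection to resolution (some teams measure it from occurrence).

```python
from datetime import datetime
from statistics import mean

# Constructed sample incidents (not real data). ISO 8601 timestamps, UTC.
# Lifecycle points: occurred -> identified -> contained (security) -> resolved.
INCIDENTS = [
    {"id": "SEC-1", "kind": "security", "occurred": "2025-01-01T00:00:00",
     "identified": "2025-03-02T00:00:00", "contained": "2025-04-11T00:00:00",
     "resolved": "2025-04-20T00:00:00"},
    {"id": "SEC-2", "kind": "security", "occurred": "2025-02-01T00:00:00",
     "identified": "2025-06-01T00:00:00", "contained": "2025-08-10T00:00:00",
     "resolved": "2025-08-12T00:00:00"},
    {"id": "OPS-1", "kind": "ops", "occurred": "2025-05-01T10:00:00",
     "identified": "2025-05-01T10:04:00", "contained": None,
     "resolved": "2025-05-01T10:34:00"},
    {"id": "OPS-2", "kind": "ops", "occurred": "2025-05-03T08:00:00",
     "identified": "2025-05-03T08:06:00", "contained": None,
     "resolved": "2025-05-03T08:50:00"},
]


def mean_seconds(incidents, kind, start, end):
    """Mean (end - start) in seconds over incidents of `kind` that have both
    timestamps; returns None when there is nothing to average."""
    spans = [(datetime.fromisoformat(i[end]) - datetime.fromisoformat(i[start]))
             .total_seconds()
             for i in incidents if i["kind"] == kind and i[start] and i[end]]
    return mean(spans) if spans else None


def security_metrics(incidents):
    # MTTI: occurrence -> identification. MTTC: identification -> containment.
    mtti = mean_seconds(incidents, "security", "occurred", "identified") / 86400
    mttc = mean_seconds(incidents, "security", "identified", "contained") / 86400
    # The "identify and contain" lifecycle quoted from the IBM report is the sum.
    return {"MTTI_days": mtti, "MTTC_days": mttc, "lifecycle_days": mtti + mttc}


def ops_metrics(incidents):
    # MTTD: occurrence -> detection. MTTR: detection -> resolution (assumption).
    mttd = mean_seconds(incidents, "ops", "occurred", "identified") / 60
    mttr = mean_seconds(incidents, "ops", "identified", "resolved") / 60
    return {"MTTD_minutes": mttd, "MTTR_minutes": mttr}


if __name__ == "__main__":
    print(security_metrics(INCIDENTS))  # security lifecycle measured in days
    print(ops_metrics(INCIDENTS))       # operational lifecycle in minutes
```

The same records yield a security lifecycle in days and an operational one in minutes, which is exactly the gap the post goes on to discuss.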
Alignment with a Zero Trust Strategy
Zero Trust and IT Service Management may seem like distinct disciplines at first glance—one focused on security, the other on service delivery—but they are increasingly interdependent and mutually reinforcing in modern IT environments.
Zero Trust is a security framework that assumes no user or system should be inherently trusted, whether inside or outside the network perimeter. Access must be continuously verified based on context, identity, and behavior.
Key Zero Trust principles include:
- Never trust, always verify
- Least privilege access
- Micro-segmentation
- Continuous monitoring and validation
Where Zero Trust meets ITSM
There are five ways Zero Trust aligns and integrates with ITSM across various domains:
1. Identity and Access Management (IAM)
- ITSM Relevance: Granting access to services, applications, and data is a common ITSM function.
- Zero Trust Impact: Every access request should be verified and governed by identity, device health, location, and behavior. ITSM tools can integrate with identity platforms (e.g., Azure AD, Okta) to enforce this in workflows like provisioning, de-provisioning, and approvals.
2. Change and Configuration Management
- ITSM Relevance: Managing changes to systems and maintaining configuration baselines.
- Zero Trust Impact: Configuration drift or unauthorized changes could indicate a breach. Zero Trust enforces strict validation of system states to ensure integrity and visibility.
3. Incident and Problem Management
- ITSM Relevance: Logging, categorizing, investigating, and resolving incidents.
- Zero Trust Impact: Zero Trust can provide deeper telemetry and context for incidents (who accessed what, from where, and under what conditions), which helps ITSM systems prioritize and respond to incidents with more precision.
4. Service Request Management
- ITSM Relevance: Employees request access to apps, devices, or support.
- Zero Trust Impact: Policies enforced at the request level (e.g., conditional access, device posture checks) ensure services are delivered securely and compliantly.
5. Asset and Configuration Visibility
- ITSM Relevance: Maintaining an up-to-date inventory of IT assets.
- Zero Trust Impact: Continuous monitoring aligns with the need for accurate asset and configuration data. It can alert ITSM tools when unauthorized or unknown devices appear on the network or change from an expected state of operation.
Looking Ahead
So why are the metrics of one measured in months and the other in minutes? Both utilize similar best practice controls defined by ITIL or COBIT for Ops and NIST 800-53, CIS Controls, or the Secure Controls Framework for Sec. My answer is twofold and quite simple:
- Operations are driven by a closed-loop process, whereas security is an open-loop process. Security lacks the formal practices of release and change management.
- Operations approach resiliency through the lens of knowing everything that is good/authorized, which immediately highlights unknown and unwanted changes, whether they result from a circumvented process or from malicious activity. Security, by contrast, stems from the ubiquitous use of denylists, where organizations implicitly trust that all activity is valid unless it is known to be bad.
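The two stances contrasted above, and the unknown-device alerting described in the asset and configuration visibility section, as an added example (not from the original post). The baseline, observed state and known-bad list are constructed; a real CMDB or monitoring feed would supply them.

```python
# Constructed data: the approved baseline an ITSM CMDB would hold, and the
# state that monitoring observed. Neither comes from a real environment.
BASELINE = {
    "web-01": {"owner": "ops", "open_ports": {22, 443}, "agent": "1.4.2"},
    "db-01":  {"owner": "ops", "open_ports": {5432},    "agent": "1.4.2"},
}
OBSERVED = {
    "web-01": {"owner": "ops", "open_ports": {22, 443, 8080}, "agent": "1.4.2"},
    "db-01":  {"owner": "ops", "open_ports": {5432},          "agent": "1.4.2"},
    "lab-07": {"owner": None,  "open_ports": {22, 23},        "agent": None},
}
# Denylist of known-bad services (constructed): here, cleartext telnet.
KNOWN_BAD_PORTS = {23}


def denylist_findings(observed, bad_ports):
    """Open-loop stance: every host is trusted unless it matches a known-bad
    indicator. Drift that matches nothing on the list is invisible."""
    return sorted(h for h, s in observed.items() if s["open_ports"] & bad_ports)


def allowlist_findings(baseline, observed):
    """Closed-loop stance: anything not in the approved baseline, or differing
    from it, is a finding, whether it is an unknown host or config drift."""
    findings = []
    for host, state in observed.items():
        if host not in baseline:
            findings.append((host, "unknown host not in CMDB"))
            continue
        for key, expected in baseline[host].items():
            if state.get(key) != expected:
                findings.append((host, f"drift in {key}"))
    # An approved host that stopped reporting is also a deviation from baseline.
    for host in baseline.keys() - observed.keys():
        findings.append((host, "approved host missing from observation"))
    return sorted(findings)


if __name__ == "__main__":
    print("denylist :", denylist_findings(OBSERVED, KNOWN_BAD_PORTS))
    print("allowlist:", allowlist_findings(BASELINE, OBSERVED))
```

On this data the denylist flags only the host running telnet, while the baseline comparison also surfaces the unknown host itself and the unapproved listener on web-01 without needing a signature for either.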
The traditional boundaries between IT security and operations are becoming liabilities. Businesses embracing convergence—integrating their tools, processes, workflows, and teams—benefit from faster response times, tighter security, and more resilient infrastructure.
This isn't just a trend. It's the future of IT.
April 24, 2025