Turning Tough Times to Your Advantage

The current economic melee is forcing a corporate metamorphosis that, when combined with ever-broadening security threats, presents information security groups with an opportunity to radically change their identity and value to the business.

Although vendor-written, this contributed piece does not advocate a position that is particular to the author's employer and has been edited and approved by Network World Editor in Chief, John Dix.

To capitalize on the moment, security groups need to reassess their approach, add visibility and transform security's very role.

The timing is good because maintaining security during tough economic times is critical. Besides external threats that evolve even more rapidly in economic downturns, business slumps increase the probability of disgruntled employees striking out using intimate knowledge of corporate systems.

Risk is further exacerbated by the fact that, since the last economic crisis of this magnitude, companies have become far more reliant on information technology systems, which are now highly complex and essential to sound operations.

Your current security path represents existing programs, capabilities, processes, etc. The goal is to create a parallel path that influences existing practices and allows you to refine a new strategy without disrupting current expectations. In time, the new path will become a dominating force and take you in a new direction.

Step 1: Tuning the Approach

During the last decade security has been virtually defined by compliance. For many companies, it has been less about security than it has been about ensuring that certain regulatory demands are being met. Unfortunately, compliance does not necessarily enable the business, align with core initiatives, and alone may not thwart debilitating attacks.

Understanding this, some security groups have strived to use compliance efforts to improve their security posture.

Unfortunately, not all companies see the value of such activities and instead simply see compliance as a cost of doing business.

You have to convert the security practices that fall under the banner of "mandated for compliance" into specific activities that resonate with the business. For example, a predominant force in business is time to market and the rapid conversion of investments to revenue generation. This can materialize as a new service, application, communication platform, network or alliance. The key to tuning your approach is to optimize security features to help the business move more quickly, reduce barriers or accommodate a requirement quickly.

Key to accomplishing this is the institutional knowledge within the security group, and leveraging and combining resources in ways that benefit the business as much as they do security, for example: supporting secure coding practices through collaboration with the development team, optimizing standard builds to stand up servers more quickly, running security testing as part of performance testing, or using directory services to streamline access controls for a new partner.

Fundamentally, it is about operating in a risk/reward model. Prioritize activities based on risk as well as where the greatest opportunities are for the business. By becoming intimate with business goals and mapping against elements of risk, what begins to surface is a common thread that demonstrates a point where the business and security goals become more closely aligned.

A good place to start is within the project management arena, where risks to the initiative or life cycle will become apparent, in addition to helping identify critical paths and what is most important to the business unit or group. By using information of this nature, combined with the institutional knowledge that the security group possesses, you can begin to interpret demands and risks in business initiatives and quickly find areas of common ground.

Step 2: Adding Visibility

Security groups typically make security efforts visible to executive management by presenting security metrics, risk dashboards, and the like. However, along the way, many encounter some key challenges.

The first challenge is that the measurements are focused only on security and typically do not provide insight into other aspects of security operations that demonstrate effectiveness. For example, a dashboard may present compliance risk, operational risk, technical risk and current threats. It is assumed that keeping the values in an optimal or desired range means that security is doing its job.

However, company executives are increasingly focused on efficiency, effectiveness and overall alignment to business initiatives. They want to know how well these objectives are being met, what influence they have had on other key business performance indicators (such as time to market, customer retention), and how resources and other valuable assets are being utilized.

Executives are concerned about inefficient or wasteful activities and want to ensure all activities focus on the bottom line. Presenting to the board a risk dashboard can be helpful to demonstrate your alignment to security concerns, but that's only one part of the equation in the eyes of executives. The more effectively security can reduce the need to translate security results into something meaningful for the business, the better.

The second challenge relates to the "gap" factor. The gap refers to the difference between what security presents to executives as visibility and the security group's ability to influence the system and enact change.

For example, a report may demonstrate that the number of vulnerabilities in Internet-facing applications is increasing significantly quarter over quarter. However, the security group may not have the capacity or capability to reduce that number to a reasonable value. As a result, some senior security managers find themselves tasked to correct an issue they simply do not have the ability to accomplish.

In short, information from the security program is misaligned with its ability. Some use this to justify investments that would address the gap. But unfortunately this pattern is growing increasingly ineffective as business owners demand more accountability. The solution is to create a security program that not only presents good and bad trends, but more importantly, has the ability to have a meaningful impact in changing them.

The challenges can be summarized in two parts. First, provide visibility into more than security, and in a manner that is more readily digested by executives and easier to align to business goals, rather than only in security terms. Second, build a security program that not only produces meaningful information relative to security and business metrics, but also has the inherent capability to institute change and thereby meet expectations.

Providing additional visibility to existing risk-based perspectives can be enormously valuable. To accomplish this, you need to become more intimate with what resonates with the executives -- the measurements they focus on day in and day out, the performance indicators they study beyond the financial ones. Each company is different and each business unit may have a different spin. Moreover, many may seem like the furthest thing from security, such as shipping metrics, warehousing, capacity indicators, system use or even collaboration indicators. You have to look behind these to begin to see where security can begin to mimic the same philosophies.

From a security perspective, look to report on areas within your domain of influence and help reflect how well you're running as a business. It can be as simple as resource utilization, project involvement or performance quality scores from your peers.

From there you can start tying in other reported information and trends, such as a planned decline in the effort required to perform regular vulnerability testing alongside an increase in report quality and effectiveness, essentially demonstrating that you are meeting security and business objectives. Or show how, through collaboration activities (which have been measured) and modifications to technologies, you've helped reduce the number of security-related helpdesk tickets. These are, of course, very basic. Nevertheless, the point is to find related information between what you are doing for security and how well you are doing relative to business expectations.

This approach helps form your new path for security, drawing from your original strategies and enhancing them. Start small, test the waters and seek mentorship within the organization. As more confidence grows in providing additional perspectives on activities, you can move into closing the gap.

Step 3: Service Orientation

By this point you've learned how to orchestrate your core competencies to help the business reach its goals using a risk/reward method. And you've started experimenting with adding visibility to the executives on alignment. As a result, the identity of security is beginning to shift. It may not be obvious, but it's happening. However, this is a critical stage and the time to innovate. Once executives see something they like, they want more, expectations increase, and that "good job" turns into "what have you done for me lately?"

One of the common pitfalls is not following through to ensure a foundation exists to keep up with new expectations. As a result, massive ground is lost and you're back to square one.

Adopting a service orientation can help you continue to move forward. Service orientation has three primary objectives:

1) Convert tactical best practices that were once hidden within compliance efforts into business services that can be consistently utilized.

2) Close the gap between what you can control/influence and what you're reporting on.

3) Create a foundation for building a highly agile security approach.

The key is to learn from experimental practices in tuning activities and report on additional metrics and indicators relative to business goals. For the development of security services, it's the tuning of the approach that provides the information you need to get started.

In the simplest of definitions, a security service is a well-formed package of related processes, technologies and capabilities that has a predictable outcome that is needed or in demand by the business. What makes security services differ from traditional security activities is input.

Just about everything requires input to feed a process to produce an output. For security, the input is usually "self-assigned," meaning the business must meet a specific policy or some other documented requirement to have security perform an action. For example, a policy may read, "Any material change to an Internet-facing application requires a penetration test." That's a sound approach, but it's reactive and misses the opportunity to gain valuable insights to underlying business needs and goals.

While looking for risk/reward scenarios, you will see a pattern emerge and the tuning efforts outlined above should help you identify opportunities to incorporate specific business attributes into what you're performing.

The basis for security services is taking advantage of this pattern. In fact, you're doing this today to some degree. For example, an application is due for a test, but you've learned that the changes relate to one of several roles defined in the system. As a result, you may limit testing to that one area because of your knowledge and comfort with the application from previous tests. Now, extrapolate this to all things in security. It's less about simply doing what you do and more about giving the business additional opportunity to feed the process in order to refine the activity -- or service in this case -- to the business need.

The next important characteristic of security services is how people, processes, tools, methods and technology are architected to perform the service relative to input and output. This is a lot easier to say than to do. Organizations tend to approach these elements as independent or loosely coupled. Moreover, some security architectures and frameworks facilitate segmentation, making alignment of them seem alien and uncomfortable.

One challenge is internally developed standards that are either overly comprehensive or too granular. Successful implementation of security services typically starts with reviewing the standards and looking at them as a common foundation to services as opposed to specific elements for a given security function.

As with all things of this nature, a slow and methodical approach wins the race. Don't try to create a services model overnight. Take what you've learned in tuning, couple it with something you're already doing today (such as vulnerability testing, patch management, identity management, data protection, monitoring), and then pilot a services approach with a friendly business unit.
