Posted by: kenwbudd | April 7, 2009

Re-thinking IT Security in tough times

The current economic downturn is forcing a corporate change and metamorphosis that, when combined with ever broadening security threats, presents information security groups with an opportunity to radically change their identity and add more value to the business.

To capitalise on the moment, security groups need to reassess their approach, add visibility and transform the very role of security.

It is good timing because maintaining security during tough economic times is critical. Besides external threats that evolve even more rapidly in economic downturns, business slumps increase the probability of disgruntled employees striking out using intimate knowledge of corporate systems.

Risk is further exacerbated by the fact that, since the last economic crisis of this magnitude, companies have become far more reliant on information technology systems, which are now highly complex and essential to sound operations.

Your current security path represents existing programs, capabilities, processes, etc. The goal is to create a parallel path that influences existing practices and allows you to refine a new strategy without disrupting current expectations. In time, the new path will become a dominating force and take you in a new direction.

Step 1: Tuning the Approach
During the last decade security has been virtually defined by compliance. For many companies, it has been less about security than it has been about ensuring that certain regulatory demands are being met. Unfortunately, compliance does not necessarily enable the business, align with core initiatives, and alone may not thwart debilitating attacks.

Understanding this, some security groups have strived to use compliance efforts to improve their security posture.

Unfortunately, not all companies see the value of such activities and instead simply see compliance as a cost of doing business.

You have to convert the security practices that fall under the banner of “mandated for compliance” into specific activities that resonate with the business. For example, a predominant force in business is time to market and the rapid conversion of investments to revenue generation. This can materialize as a new service, application, communication platform, network or alliance. The key to tuning your approach is to optimize security features to help the business move more quickly, reduce barriers or accommodate a requirement quickly.

Key to being able to accomplish this is institutional knowledge within the security group and leveraging and combining resources in ways that benefit the business as much as it does security, for example: supporting secure coding practices through collaboration with the development team, optimizing standard builds to stand up servers more quickly, security testing as part of performance testing, or utilization of directory services to support streamlining of access controls for a new partner.

Fundamentally, it is about operating in a risk/reward model. Prioritize activities based on risk as well as where the greatest opportunities are for the business. By becoming intimate with business goals and mapping against elements of risk, what begins to surface is a common thread that demonstrates a point where the business and security goals become more closely aligned.

A good place to start is within the project management arena, where risks to the initiative or life cycle will become apparent, in addition to helping identify critical paths and what is most important or critical to the business unit. By using information of this nature, combined with institutional knowledge that the security group possess, you can begin to interpret demands and risks in business initiatives and quickly find areas of common ground.

Step 2: Adding Visibility
Security groups typically make security efforts visible to executive management by presenting security metrics, risk dashboards, and the like. However, along the way, many encounter some key challenges.

The first challenge is that the measurements are only focused on security and typically do not provide insights to other aspects of security operations that demonstrate effectiveness. For example, a dashboard may present compliance risk, operational risk, technical risk and current threats. It is assumed that keeping the values in an optimal or desired range means that security is doing its job.

However, company executives are increasingly focused on efficiency, effectiveness and overall alignment to business initiatives. They want to know how well these objectives are being met, what influence they have had on other key business performance indicators (such as time to market, customer retention), and how resources and other valuable assets are being utilized.

Executives are concerned about inefficient or wasteful activities and want to ensure all activities focus on the bottom line. Presenting to the board a risk dashboard can be helpful to demonstrate your alignment to security concerns, but that’s only one part of the equation in the eyes of executives. The more effectively security can reduce the need to translate security results into something meaningful for the business, the better.

The second challenge relates to the “gap” factor. The gap refers to the difference in what security is providing to executives as visibility and the ability for the security group to influence the system to enact change.

For example, a report may demonstrate that the number of vulnerabilities in Internet-facing applications is increasing significantly quarter over quarter. However, the security group may not have the capacity or capability to reduce that number to a reasonable value. As a result, some senior security managers find themselves tasked to correct an issue they simply do not have the ability to accomplish.

In short, information from the security program is misaligned with its ability. Some use this to justify investments that would address the gap. But unfortunately this pattern is growing increasingly ineffective as business owners demand more accountability. The solution is to create a security program that not only presents good and bad trends, but more importantly, has the ability to have a meaningful impact in changing them.

The challenges can be summarized as providing visibility into more than security in security terms, but also in a manner that is more readily digested by executives and easier to align to business goals. Secondly, build a security program that not only produces meaningful information relative to security and business metrics, but also has the inherent capability to institute change and thereby meet expectations.

Providing additional visibility to existing risk-based perspectives can be enormously valuable. To accomplish this, you need to become more intimate with what resonates with the executives — the measurements they focus on day in and day out, the performance indicators they study beyond the financial ones. Each company is different and each business unit may have a different spin. Moreover, many may seem like the furthest thing from security, such as shipping metrics, warehousing, capacity indicators, system use or even collaboration indicators. You have to look behind these to begin to see where security can begin to mimic the same philosophies.

From a security perspective, look to report on areas within your domain of influence and help reflect how well you’re running as a business. It can be as simple as resource utilization, project involvement or performance quality scores from your peers.

From there you can start tying to other reported information and trends, such as the planned decline in effort to perform regular vulnerability testing, but an incline in report quality and effectiveness, essentially demonstrating that you are meeting security and business objectives. Or show how, through collaboration activities (which have been measured) and modifications to technologies, you’ve helped reduce the number of security related helpdesk tickets. These are, of course very basic. Nevertheless, the point is to find related information between what you are doing for security and how well you are doing related to business expectations.

This approach helps form your new path for security, drawing from your original strategies and enhancing them. Start small, test the waters and seek mentorship within the organization. As more confidence grows in providing additional perspectives on activities, you can move into closing the gap.

Step 3: Service orientation
By this point you’ve learned how to orchestrate your core competencies to help the business reach its goals using a risk/reward method. And you’ve started experimenting with adding visibility to the executives on alignment. As a result, the identity of security is beginning to shift. It may not be obvious, but it’s happening. However, this is a critical stage and the time to innovate. Once executives see something they like, they want more, expectations increase, and that “good job” turns into “what have you done for me lately?”

One of the common pitfalls is not following through to ensure a foundation exists to keep up with new expectations. As a result, massive ground is lost and you’re back to square one.

Adopting a service orientation can help you continue to move forward. Service orientation has three primary objectives:

1) Convert tactical best practices that were once hidden within compliance efforts into business services that can be consistently utilized.

2) Close the gap between what you can control/influence and what you’re reporting on.

3) Create a foundation for building a highly agile security approach.

The key is to learn from experimental practices in tuning activities and report on additional metrics and indicators relative to business goals. For the development of security services, it’s the tuning of the approach that provides the information you need to get started.

In the most simple of definitions, a security service is a well-formed package of related processes, technologies and capabilities that has a predictable outcome that is needed or in demand by the business. What makes security services differ from traditional security activities is input.

Just about everything requires input to feed a process to produce an output. For security, the input is usually “self-assigned,” meaning the business must meet a specific policy or some other documented requirement to have security perform an action. For example, a policy may read, “Any material change to an Internet-facing application requires a penetration test.” That’s a sound approach, but it’s reactive and misses the opportunity to gain valuable insights to underlying business needs and goals.

While looking for risk/reward scenarios, you will see a pattern emerge and the tuning efforts outlined above should help you identify opportunities to incorporate specific business attributes into what you’re performing.

The basis for security services is taking advantage of this pattern. In fact, you’re doing this today to some degree. For example, an application is due for a test, but you’ve learned that the changes relate to one of several roles defined in the system. As a result, you may limit testing to that one area because of your knowledge and comfort with the application from previous tests. Now, extrapolate this to all things in security. It’s less about simply doing what you do and more about giving the business additional opportunity to feed the process in order to refine the activity — or service in this case — to the business need.

The next important characteristic of security services is how people, processes, tools, methods and technology are architected to perform the service relative to input and output. This is a lot easier to say than to do. Organizations tend to approach these elements as independent or loosely coupled. Moreover, some security architectures and frameworks facilitate segmentation, making alignment of them seem alien and uncomfortable.

One challenge is internally developed standards that are either overly comprehensive or too granular. Successful implementation of security services typically starts with reviewing the standards and looking at them as a common foundation to services as opposed to specific elements for a given security function.

As with all things of this nature, a slow and methodical approach wins the race. Don’t try to create a services model over night. Take what you’ve learned in tuning, couple it with something you’re already doing today (such as vulnerability testing, patch management, identity management, data protection, monitoring), and then pilot a services approach with a friendly business unit.

As this approach begins to solidify, several interesting things start to happen. The identity of security and perceived value continues to shift in a positive direction. Nevertheless, you will quickly realize that you have far more capabilities to measure operational details of your organization, and more importantly — you inherently have more influence over them as a result.

This essentially slams the door on the gap. Services facilitate the risk/reward model, they make it possible to organize activities specific to demand, provide the means to measure those activities more effectively, and allow for the controlled management of each element to ensure that what is being reported can be influenced. This can be a perfect storm, but you’re not done. To truly transform, you have to close the loop with governance.

Step 4: Governance Loop
The “governance loop” is the final step and provides the opportunity to realize real transformation. To this point, you’ve tuned, experimented, tested and created the early stages of services and are beginning to rely on the new path and less on the old one.

This has helped increase visibility, initial alignment to the business and promotes effectiveness. Nevertheless, at this point, time becomes your enemy — without governance, the services will eventually break down. Governance, interestingly, provides the mechanism to ensure expectations are being met, but also the means to promote adaptability, closing the loop with the business.

Governance acts as the bonding agent between ebbs and flows in the business, compliance, risk and security activities. More importantly, this is where risk/reward is measured and fed back into the system to instigate change. It is also important to realize that risk (management, assessments, reporting) has played a pivotal role throughout the journey, and governance is the means to realize full potential. Risk remains at the top of the pyramid, but now with services underlying it, supported by governance, it can move far closer to the business.

In short, governance is analogous to “inspect what you expect” and influence change. That means creating a set of responsibilities and practices with the goal of providing direction as well as ensuring objectives are achieved and resources are used responsibly. In so doing, measurements from the oversight of security not only ensure efficient and effective execution, but also facilitate change in the program through intimate connections with risk management and the business offering feedback into the system.

In some companies governance is associated with enforcement. Although partly true, a security group empowered by services and close interlinks with overall enterprise governance through risk management activities will be able to put governance to work for them. This is similar to how, over the last several years, many security organizations have changed their perspective of the audit group.

Historically seen as a regular and painful exposure of operational weakness in security, audit processes are now being seen as a way to strengthen security. It’s turning what is usually thought of as a negative into a positive force. The same is true with governance processes that are outside of the control of the security group or where security is part of a governance committee.

Nevertheless, an important aspect is to understand that the security group is ultimately responsible for its activities — good and bad. Therefore, it is recommended that governance be reflected in the security services and program owned and operated by management resources within the group. This is not a replacement for enterprise governance — rather, it’s an extension focused on the betterment of security.

Organizations need security more now than ever, and as a result, are more receptive to security as a community. What you do with that attention today could have enormous influences on the future of security within your company. Although times are tough, don’t assume this means opportunities don’t exist. The economy will correct itself and businesses will emerge stronger and with a new sense of determination and demands for operational maturity. Taking advantage of what appears to be short-term focus on security for long-term gains is the crux of the opportunity, and opportunity favors the prepared.

This article is by James Tiller, author of The Ethical Hack and Technical Guide to IPSec VPNs, and contributing author on several other books, including the Official (ISC)2 Guide to the CBK, is vice president of security services for BT in North America. He consults with organizations globally on how security can enable business. You can reach him at


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s


%d bloggers like this: