Keeping the enterprise secure is a challenge these days. Security specialists are concerned with a variety of threats, from external issues (worms, viruses, rootkits, identity theft, etc.) to internal issues (lost or stolen laptops, data breaches, voluntary or involuntary exposure of confidential information, etc.). Unfortunately, many IT shops look at security as a technology issue and forget to address the business side of security. Some shops lock down their enterprise to the point where they impact the business's ability to be successful. While researching this topic I came across an excellent abstract from the Software Engineering Institute written by Richard A. Caralli and William R. Wilson. This abstract is a must-read.
What is the goal of an organization's security strategy?
Security experts must understand that everybody in the organization is their customer. Many IT shops act more like a dictatorship and continue to put policies and technologies in place that make IT a hindrance to the business. Caralli & Wilson remind us that...
..."the ultimate benefactor of the security activities that an organization undertakes should be the organization itself."
..."the industry’s affinity for technology-based solutions alienates the “business people” in the organization."
..."anything that impedes assets and processes from doing their jobs potentially derails the organization's ability to be successful."

They suggest that the CSO (Chief Security Officer) report to someone from the business. I don't disagree; however, if the IT department is business focused, I see no reason why the CSO can't report to the CIO. The same argument is often made for business analysts, project management, and even the Chief Architect. This is a direct result of IT becoming out of touch with the business and taking a technology-first approach to all problems instead of a business-first approach. The authors go on to say...
"Managing security in the context of the organization's strategic drivers, provides both advantages and conflict. On the one hand, this approach ensures that the goals of security management are forged from and aligned with the high-level goals of the organization. On the other hand, the strategic drivers and needs of the organization are often in conflict with the actions required to ensure that assets and processes remain productive. In addition, as the organization is exposed to more complexity and uncertainty (because of the increasing use of technology and the pace at which the organization's risk environment changes), keeping security activities and strategic drivers aligned becomes more difficult. In the end, finding the right balance between protecting the organization's core assets and processes and enabling them to do their job becomes a challenge for security management—and a significant barrier to effectiveness."

Examples of IT security becoming a barrier
Security has similar issues as governance, standards, best practices, and enterprise architecture when the strategy is too technology focused. A great example is IT's resistance to adopting collaboration technologies like social networking, instant messaging, and even wireless access. Security professionals are often so insecure that they lock down the enterprise to the point where they stifle innovation and productivity. All of the fears that I keep hearing related to collaboration technologies are the same fears I heard when companies were looking into providing Internet access years back. To me, it is the fear of the unknown. Instead of trying to live in the mainframe era of the 1960s and 1970s, where everything was centrally controlled and nothing was acceptable unless it went through the all-powerful administrators, IT people need to accept the fact that the world revolves around the business and not IT. We need to change our old ways of thinking and acknowledge that as technology continues to change at a rapid pace, our strategies need to change with it.
How do we solve this problem?
Whether the CSO (or whatever the title of the security leader is) reports to the business or to IT is not relevant to me. What is important is that this person must fully understand the overall business strategy and the related IT strategy. A too-rigid security strategy can hinder IT from doing its job as much as, if not more than, it can impact the business. The armies of people in IT building systems and keeping the lights on are customers of the security office as well. The security strategy should be one that is created in collaboration with representatives from both the business and IT. Within IT, the strategy needs input from more than just the security and infrastructure departments. Caralli & Wilson recommend...
"In pursuit of addressing the challenges noted herein, the first obstacle that an organization must confront is to determine what they are trying to accomplish with their security activities. In essence, the organization must ask what benefits they get from “doing security.” The organizational perspective is essential to determining these benefits and for setting appropriate targets for security."
"A resilient approach transforms the basic premise of security - that of locking down an asset so that it is free from harm—to one that positions security as a contributor to strengthening the organization's ability to adapt to new risk environments and accomplish its mission. Aiming to make the organization more sensing, agile, and prepared provides a clearer purpose, direction, and context for security management. Looking beyond security (to resiliency) may provide the change in perspective that organizations need to balance security and risk management with the organization's strategic drivers."

Next steps
If you are a business owner or a leader within IT, you should read the abstract and ask yourself, "Is our security strategy just another mechanism for IT to say NO to its customers, or is it keeping us secure while still allowing the enterprise to meet its goals?" If it's the former, I suggest that you start a conversation with the leaders within the company and take a fresh look at security. After all, insecurity should not be the driver for your security strategy.