Security
Create a business-driven information security program
A plan can solve communication problems
and help achieve organizational goals.
by Jeffrey Rogers
As risks to sensitive business information
have increased, information security has
grown from a subset of information
technology (IT) management to an independent
program with its own set of business
drivers, costs, processes and interactions.
Corporate executives and business leaders
have struggled to ensure that results of
this maturing information security market go
beyond technology and instead align to meet
real business goals. The inherent complexity
of managing these technology and core
business issues has increased, and many
organizations have experienced trouble
keeping up with the required changes.
Often, part of the problem is a
disconnect between executive management and
the information security manager (ISM).
According to a recent study measuring the
importance, impact and influence of trust,
privacy and security within the corporate
world, 20 percent of IT executives say there
is no visible support from senior executives
for security and privacy issues. ISMs
emphasize privacy and security, while
executives focus on core business or
financial measures.
Due partly to constant changes in the
industry, information security professionals
may not be aware of exactly what is expected
of them or how their work helps the
company’s overall efforts. Executive
management has similar difficulty. They know
they are spending money on information
security projects, but they may not
understand the technology or reasons for
those projects, or they do not necessarily
know how to evaluate information security
project progress. More importantly, while
management may be aware of upcoming business
challenges, these business challenges are
not communicated to information security
staff. This disconnect can lead to confusion
and failure to achieve organizational goals.
With a business-driven information
security program, information security
projects and services and their success can
be directly related to the business goals
they support, and the ISM will be able to
evaluate the success of his team in meeting
business goals. Also, executives will be
able to see results in terms that are
meaningful to them, and, in turn, make
better and more informed decisions on behalf
of the organization as a whole.
Organizations can begin developing a
business-driven information security program
by posing these questions:
- What critical risks do I anticipate
today and in the future?
- How do I make sure that security
investment is proportional to business need?
- How should my security program be
structured and governed?
- What processes do I need to have in
place to execute my mission?
- What technology infrastructure is
required to meet future security needs?
- What security policies must be
established for my business?
Define and share goals
In an effective organization, the
information security program has moved
beyond reactive incident response to a more
proactive stance. A critical first step to
such a posture is to improve communication
with executive management. Executives should
have visibility into the information
security operation, and they should work
with ISMs to translate upcoming business
challenges into security-related goals.
This strategy allows ISMs
to develop a common language with business
executives, demonstrate the value of the
work performed by the information security
staff, and prioritize security tasks to meet
real business needs. Additionally,
management gains an understanding of
information security strategies and the
benefits of investing in security.
Executive management begins the process
by communicating the business goals and the
vision for how the company intends to
achieve these goals. Examples of
well-defined business goals are: achieve a
15 percent increase in the size of the
mobile work force in the next 12 months;
open two new branch offices in the next 18
months. These goals define the framework and
require the support of the entire
organization–including the information
security staff.
The next step is to determine how the
information security program can help to
meet those goals. Mapping business goals to
the information security projects and
services that support them is essential.
Projects are short-term efforts with defined
start and end dates, which might include
policy development, reduced sign-on
implementation or annual disaster-recovery
testing.
Services are the ongoing functions that the
information security program offers to the
organization.
Typical information security services
include: threat and vulnerability
management; incident response and recovery;
security technology planning; policy,
guidelines, and standards management;
business continuity/disaster recovery;
security awareness and training; security
metrics and measures; legal and regulatory
analysis; and risk assessment and reporting.
In a service- or project-mapping workshop,
stakeholders should first agree on the
existing services that the information
security program offers, and then review the
organizational business goals. Using a
tool-supported mapping approach, IT and
business stakeholders then build an "as-is"
model of the existing services.
For each goal, stakeholders examine which
services are in place to support it.
Usually, a combination of multiple services
will support a business goal. For instance,
to support the goal of “profitable growth of
five percent in the next 12 months,” risk
assessment and reporting helps evaluate
risks involved in adding new branch offices
in new locations, legal and regulatory
analysis supports the goal by conducting a
compliance review with the laws in those new
locations, and security technology planning
evaluates encryption technologies for
communication with those new offices.

Maps can illustrate how services support a
specific goal.
A workshop or meeting is needed to
develop a map of the associations between
business goals and information security
services, and to clarify those
relationships. By including a variety of
participants (e.g., IT staff, risk and
compliance auditors, product line
marketers), an organization gains more
visibility into its security needs and can
better evaluate the strengths and weaknesses of
both technology applications and business
processes.
A further exercise for the ISM, following
the workshop, is to expand the map from
goals, services and projects to include
business interactions and process or data
flows. Business interactions for each
service and project will show the ISM which
internal and external organizations are
involved in each activity. Process and data
flows will also allow the ISM to evaluate
each step of the process to ensure that the
safeguards are in place to protect every
transaction.
Gap analysis
The next step is a gap analysis of the
model. For each
goal that is inadequately covered by
supporting services, is there an ongoing
project that will allow management to
support the goal upon project completion? If
so, identify that project.
Once the existing projects have been
evaluated, it becomes clear which strategic
goals the information security program has no
plans to support. The security
manager can then institute new projects or
services to close the gaps and meet business
goals.
Finally, determine whether there are any
ongoing projects in the information security
program that do not correlate to existing
business goals. These projects should be
evaluated to determine whether they are
beneficial to the goals of the organization
or should be stopped.
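The goal-to-service mapping and the three gap-analysis checks above, written out as an added Python example (it is not code from the article or from Unisys). The goals, services and projects are constructed sample data, and the function names are my own; the point is that once the map is recorded as data, the "uncovered goal", "goal covered only by a pending project" and "orphan project" questions become set operations that can be re-run each planning cycle.

```python
"""Goal-to-service gap analysis for a business-driven security program.

Added illustration with constructed sample data; not a real organization's map.
"""
from typing import Dict, List, Set

# Business goals as communicated by executive management (constructed sample).
GOALS: Set[str] = {
    "mobile workforce +15% in 12 months",
    "two new branch offices in 18 months",
    "profitable growth of 5% in 12 months",
    "customer self-service portal in 9 months",
}

# Ongoing services -> goals they support (the "as-is" map from the workshop).
SERVICES: Dict[str, Set[str]] = {
    "risk assessment and reporting": {
        "two new branch offices in 18 months",
        "profitable growth of 5% in 12 months",
    },
    "legal and regulatory analysis": {"two new branch offices in 18 months"},
    "security technology planning": {"two new branch offices in 18 months"},
    "security awareness and training": set(),
}

# Short-term projects -> goals they will support once complete.
PROJECTS: Dict[str, Set[str]] = {
    "remote-access policy development": {"mobile workforce +15% in 12 months"},
    "annual disaster-recovery testing": set(),
}


def supporters(goal: str, items: Dict[str, Set[str]]) -> List[str]:
    """Names of services/projects whose mapping includes this goal."""
    return sorted(name for name, goals in items.items() if goal in goals)


def gap_analysis(goals: Set[str], services: Dict[str, Set[str]],
                 projects: Dict[str, Set[str]]) -> Dict[str, object]:
    """Classify every goal and flag unmapped projects and services.

    covered:  goal -> services already supporting it
    deferred: goal -> projects that will support it on completion (no service yet)
    gaps:     goals with neither a service nor a project behind them
    orphan_projects / unmapped_services: work tied to no current business goal
    """
    # A mapping that names a goal executives never stated is a data error,
    # not a gap; surface it instead of silently counting it as coverage.
    known = goals
    for kind, items in (("service", services), ("project", projects)):
        for name, mapped in items.items():
            unknown = mapped - known
            if unknown:
                raise ValueError(f"{kind} '{name}' maps to unknown goals: {sorted(unknown)}")

    covered: Dict[str, List[str]] = {}
    deferred: Dict[str, List[str]] = {}
    gaps: List[str] = []
    for goal in sorted(goals):
        svc = supporters(goal, services)
        prj = supporters(goal, projects)
        if svc:
            covered[goal] = svc
        elif prj:
            deferred[goal] = prj
        else:
            gaps.append(goal)

    return {
        "covered": covered,
        "deferred": deferred,
        "gaps": gaps,
        "orphan_projects": sorted(p for p, g in projects.items() if not g & goals),
        "unmapped_services": sorted(s for s, g in services.items() if not g & goals),
    }


if __name__ == "__main__":
    report = gap_analysis(GOALS, SERVICES, PROJECTS)
    for section, value in report.items():
        print(f"{section}: {value}")
```

Run the module to print the classification; the same function is what a planning spreadsheet export would feed after each workshop, and the ValueError branch catches the common data-quality problem of a project that cites a goal no executive actually stated.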
After the projects and processes have
been mapped to business goals and the gaps
closed to ensure that the information
security program is supporting business
goals, the ISM needs a way to manage change
and evaluate progress.

An information security program model should
demonstrate a solid foundation and adequate
support.
One effective model of an information
security program is the concept of a house
supported by columns. The “house” is
composed of the services offered by the
information security program to the
organization. Whenever those services are
altered, especially when new services are
added, the supporting columns should be
evaluated to ensure they are strong enough
to handle the additions. In the model, the
supporting columns are the organization, the
strategy, the processes, the applications
and the infrastructure.
The governance model is the foundation
supporting the columns. A governance model
includes the elements required to exercise
authority or control over the information
security program. Just as any change in a
house requires that the columns and the
foundation be sufficiently strong to support
the extra load, any change in the
information security service offerings requires a
review of the supporting columns and the
foundation, to ensure that the proper
components are in place to yield success.
With these plans in place, executives can
see how visibility into the details of
information security operations is
beneficial to the organization. This entire
process should be repeated regularly in
order to maintain the alignment with
business goals.
Jeffrey Rogers is a senior security
architect with Unisys, Blue Bell,
Pa.