Enterprise information security is a complicated responsibility. And the security of enterprise data isn’t helped by the fact that enterprises often don’t have a complete or accurate picture of their own information and processes – or an understanding of the impact security breaches could have.
With an eye on tying security management more closely to business objectives and processes, Hewlett-Packard has announced new consulting services to support enterprise decision-making about information security risk. HP says its Security Metrics Services (SMS) “offer a patent-pending methodology and framework to more clearly demonstrate the potential that a security incident might have on business objectives.”
HP believes that by making explicit, clear connections between security risks and their impact on business processes, the new solution will help to convince business managers of the importance of making the right decisions when it comes to securing critical information.
“Security Metrics Services connects the dots between enterprise security and business processes,” Richard Archdeacon, chief technologist with HP Enterprise Security Services, told IT World Canada in an advance briefing. “It will help enterprises put a value to security.”
Archdeacon said that one of the keys to improving the security of enterprise data is making sure that business metrics are gathered and analyzed properly, and connecting them with business processes – something that seems to be a challenge for many organizations.
Archdeacon cited a recent Ponemon Institute survey, which found that although three-quarters of respondents said metrics are “important” or “very important” to a risk-based security program, half of those surveyed weren’t sure metrics were properly aligned with business objectives.
Using HP Executive Scorecard, an enterprise metrics utility that presents information on IT assets via scorecards and dashboards, SMS links IT assets to 34 identified key risk components. HP says this will enable organizations to understand their business objectives and processes and correlate them to threats, vulnerabilities and incidents. The risk components are underpinned by a predefined library of security data sources, which specifies how the data is gathered and used to provide ongoing business-related risk information.
Enterprises can assess their information security via an Executive Scorecard dashboard that provides security incident alerts and gives users the opportunity to get additional detail, such as a hierarchy of processes and assets that are or might be at risk.
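The mechanism described above, linking assets to the business processes they support and rolling incidents up through a process hierarchy so their business impact is visible, can be sketched in a few dozen lines. The following Python model is an added illustration written for this page, not HP's patent-pending methodology, the Executive Scorecard, or its library of 34 risk components; the processes, assets, criticality values, risk-component labels and incidents are constructed sample data, and the impact score (severity times process criticality, inherited by every ancestor process) is a simplifying assumption chosen to show the roll-up, not a published formula.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Process:
    name: str
    objective: str                # business objective the process serves
    criticality: int              # 1 (low) .. 5 (critical), set by the process owner
    parent: Optional[str] = None  # parent process in the hierarchy, if any


@dataclass(frozen=True)
class Asset:
    name: str
    supports: Tuple[str, ...]     # processes that depend on this asset


@dataclass(frozen=True)
class Incident:
    asset: str
    component: str   # risk component label, e.g. "availability" (our own naming)
    severity: int    # 1 (informational) .. 5 (critical)


# Constructed sample hierarchy: two top-level processes, one with a child.
PROCESSES: Dict[str, Process] = {p.name: p for p in [
    Process("Order-to-cash", "Revenue", 5),
    Process("Online checkout", "Revenue", 4, parent="Order-to-cash"),
    Process("Payroll", "Employee retention", 3),
]}

# Constructed assets; "build-server" is deliberately left unmapped.
ASSETS: Dict[str, Asset] = {a.name: a for a in [
    Asset("web-frontend", ("Online checkout",)),
    Asset("erp-db", ("Order-to-cash", "Payroll")),
    Asset("build-server", ()),
]}

# Constructed open incidents, as a monitoring feed might report them.
INCIDENTS: List[Incident] = [
    Incident("web-frontend", "availability", 3),
    Incident("erp-db", "confidentiality", 4),
]


def lineage(name: str, processes: Dict[str, Process]) -> List[str]:
    """Return a process and all of its ancestors, nearest first."""
    chain: List[str] = []
    cur: Optional[str] = name
    while cur is not None:
        chain.append(cur)
        cur = processes[cur].parent
    return chain


def impacted_processes(inc: Incident, assets: Dict[str, Asset],
                       processes: Dict[str, Process]) -> Dict[str, int]:
    """Map each process touched by one incident to an impact score.

    Score = incident severity x process criticality (assumed formula). An
    incident on a child process also counts against every ancestor, which
    is the hierarchy a dashboard drill-down would expose."""
    impact: Dict[str, int] = {}
    for direct in assets[inc.asset].supports:
        for pname in lineage(direct, processes):
            score = inc.severity * processes[pname].criticality
            impact[pname] = max(impact.get(pname, 0), score)
    return impact


def scorecard(incidents: List[Incident], assets: Dict[str, Asset],
              processes: Dict[str, Process]) -> Dict[str, int]:
    """Per-process view: worst open impact, zero when nothing is open."""
    card = {name: 0 for name in processes}
    for inc in incidents:
        for pname, score in impacted_processes(inc, assets, processes).items():
            card[pname] = max(card[pname], score)
    return card


def unmapped_assets(assets: Dict[str, Asset]) -> List[str]:
    """Assets tied to no process: blind spots in the business picture."""
    return sorted(a.name for a in assets.values() if not a.supports)


def objectives_at_risk(card: Dict[str, int], processes: Dict[str, Process],
                       threshold: int = 10) -> Set[str]:
    """Business objectives served by any process scoring at or above threshold."""
    return {processes[p].objective for p, s in card.items() if s >= threshold}


if __name__ == "__main__":
    card = scorecard(INCIDENTS, ASSETS, PROCESSES)
    for pname, score in sorted(card.items(), key=lambda kv: -kv[1]):
        print(f"{pname:18} {PROCESSES[pname].objective:20} impact={score}")
    print("objectives at risk:", objectives_at_risk(card, PROCESSES))
    print("unmapped assets:", unmapped_assets(ASSETS))
```

The two useful outputs for a manager are the ones the article's dashboard promises: which objectives are currently exposed, and which assets nobody has mapped to a process at all (the incomplete picture the opening paragraph describes). Real deployments replace the hard-coded data with a CMDB export and an incident feed, and the score formula with whatever the business agrees on.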
HP (Nasdaq: HPQ) clearly believes that there will be additional benefits to the new security services.
“We worked with a major utility company,” Archdeacon told IT World Canada. “Metrics are very important to them, and we found that once we had helped them identify their business objectives, in addition to remaking their security function they were able to save money from the IT budget, reduce the cost and time of launching new applications – and they were able to get closer to their customers.”
While SMS is based on the Executive Scorecard running on a SQL Server back end, the initial consulting engagement is probably the most critical part of the whole process, Archdeacon said. By meeting with managers across the full range of business processes, the implementation team develops a broad picture of processes and objectives. That information helps managers understand the impact security incidents will have on those processes and objectives.
“The key step is showing how security relates to key business objectives,” Archdeacon said. “It should be easier to justify putting more resources into information security once the business understands how critical it is. And that comes when management can see the actual vulnerabilities and the direct impact they can have.”