In my experience, most IT professionals fundamentally understand that the “wait and see” attitude is no longer an effective way to manage security. Reacting to viruses and threats after a breach has occurred can be costly and inefficient. This approach not only leads to a very ad hoc security program but it distracts the IT team from their primary activities – usually those efforts that supply the company with a strategic advantage.
As security strategies slowly evolve beyond this reactive approach to a more proactive one, there is a great opportunity for IT professionals to create a security platform that encompasses the entire enterprise – one that includes not only technology, but people and processes. Managing security proactively requires one to take a step back and view the environment more holistically.
Unlike an approach centered on application security alone, which has a very limited purpose and function, proactive security is based on a comprehensive overview of the entire organization. This allows one to create a plan with a long-term perspective that goes beyond simple technology fixes.
Thinking proactively is not an easy task.
It takes time and investment to design the processes and build the technology to execute them.
What is more, there is a challenge inherent in this approach: It often requires buy-in from many different stakeholders, in addition to IT management and the network administrators. Very often IT professionals hit a roadblock in the approval phase because each stakeholder has his or her own agenda with his or her own individual priorities.
More often than not, security is put on the back burner as these priorities take precedence, and a more tactical approach is employed. In creating a proactive security approach, I advise my customers to take a few initial steps to ensure their plan is embraced by all concerned parties.
Understand Your Environment
Before you decide where you want to be, you need to understand where you are.
To accomplish this, an objective eye is required to review the current security state – the business assets, threats and vulnerabilities. With this insight, you can begin to identify and prioritize the risks that may have the greatest impact on the company, and those that can be mitigated effectively.
Involve the Organization
In order to create a strategy approved by the organization, one needs to involve the organization. At the start, bring together decision-makers from groups or divisions with a direct and indirect stake in security. Use this meeting to create a steering committee to review the organization’s IT security and ensure each group’s needs and concerns from a security perspective are acknowledged.
Create a Strategy
A clearly defined strategy is a roadmap to where you want to be and how you plan to get there. Without a long-term strategy, security projects will continue to be uncoordinated one-off efforts, some of them incompatible with one another.
A strategy for a holistic approach to security entails thinking about security as a part of enterprise architecture. This perspective can, in turn, help break the problem down into components that are the basis for a roadmap. Starting with the enterprise architecture, one can consider what security means to messaging, to transactions, to hosted applications, and so forth. From this vantage point, it’s also easier to factor in policies and infrastructure, for a strategy that is both contextual and comprehensive.
Create a Business Case for Security and Define the ROI
Security is not a discrete product, so defining its cost savings can be a challenging exercise. When trying to identify the ROI on security, a good rule of thumb is to consider money your organization could save by mitigating risks that may or may not happen. Some aspects of security are intuitive – so significant that they do not require a full-blown business case, such as the investment to secure a Web site to prevent theft of customers’ credit card information.
Other aspects of overall security do not have such obvious benefits. It’s important to try to establish the value of security based on discrete items, but extrapolating from small-scale efforts can backfire. While it’s tempting to define value based on a single project because there are fewer costs and functional lines to cross, it can undermine the credibility of one’s argument if the overall security architecture and requirements are not referenced.
Speak in Their Language
Perhaps most important is to understand how your consortium of representatives likes to see risk structured and quantified for their groups or for the organization. People who focus on activities related to auditing are going to have an interest in security that’s different from that of the people who focus on maximizing the volume of transactions performed by systems.
Then you can demonstrate the strategy and security plan in their terms, from their perspective.
Think of your CEO and CFO as your customers, and tailor your approach into a language that they understand.
Frank Curry is the Practice Director for Technology Infrastructure at Avanade Canada Inc., a technology integrator for Microsoft solutions in the enterprise.