Friday, August 21, 2009

The Case for Adaptable Security, Part 7: Services Relationship Model

By Jim Tiller

[This is the last of a seven-part series on transforming security during this economic downturn. Part 1 set the stage for the series and posed the thesis that what is needed today is adaptable security that both leverages existing investments and addresses the fact that the demands of the business will increasingly be a moving target. Part 6 focused on the flexibility needed to balance security services with business needs and strategic changes, and introduced an adaptable Security Services Model. This part concludes with the importance of a services relationship model to bring it all together.

Comments on this post and the series are welcome!]

Supplementing the risk and services model, and incorporated into governance processes, there must exist a mechanism to connect individual security services to ensure the original intent is achieved. This is done through the creation of a relationship matrix that helps security practitioners and managers expose potential issues as security in any one area declines. This allows for other services to be applied as compensating controls. However, this isn’t simply about adding to the process. If that were the case, the services would naturally become combined and we would be right back where we started. For example, a security service may need to be reduced to reflect changes in delivery capability or capacity. In that case, the relationship matrix offers a view into what other elements can be applied, such as a different service that costs less to execute and has broader delivery capacity.

Establishing a services relationship model is critical to maintaining alignment between risk and the business, accomplishing things such as:

  • Ensuring that one service is not overwhelmed and consuming expensive resources, while others lie dormant.
  • Taking advantage of less costly and time-consuming services where applicable to better utilize resources.
  • Making certain that no one service is critical to the business in light of potential future changes that might impact its delivery capacity.
  • Taking advantage of strength and investments in one area to supplement other weakened areas.

This is where all the work comes together: understanding the business strategy, building a risk model that can be repeatedly applied to view business and security risk, formulating a services model, building governance to provide valuable performance information to the business, and creating a method to keep capabilities, investments, and processes balanced, so that flexibility allows effective and efficient security to be realized in a manner that is seen as enabling the business.

This concludes the series. Have you implemented a model to understand the interrelationship of your security services? Can you use it to dynamically change services with changes in the business? I’d love to hear what’s worked for you in this regard.
