SecureROI

Thursday, January 21, 2010

Is Free really Free in the online world?

By Sushila Nair, Product Manager, Managed Security Solutions Group, BT Global Services, CISSP, CISM, CISA, PCI QSA

One of the challenges for Internet companies is to make a profit by providing content and services to a community that largely expects those services or content to be free. There was a time when organizations charged for providing email. Remember MSN and AOL? Fast forward a few years to an unlimited number of free email services. Not only is the expectation that the service be free, but users moved to other e-mail providers when storage limits or functionality were restrictive. Free and unlimited is just what our community expects.

Last year, Rupert Murdoch announced that News Corp. will start charging for online access to its news services. It will be interesting to watch how this fares with consumers who are used to receiving free services. News Corp. is also suggesting it will charge search engines for the ability to crawl its sites. Services that are not free need to distinguish themselves as remarkable to ensure that a community used to paying nothing will be willing to pick up the tab.

Similarly, there has also been a shift by almost all of the free online services to start charging for premium services to reduce dependence on online ad revenue. For example:

  • LinkedIn has introduced a paid tool for recruitment companies
  • Skype has started charging for voice mail
  • Pandora has introduced a paid online radio service with no advertisements

There is no doubt that during the next two years we will see many more companies actively moving towards a paid model supplemented by advertising revenue. However, even as companies look for ways to earn direct revenue from some aspect of a service, the question becomes, “What should we expect of the free services that are used to reel consumers in?”

The loss of our SecureThinking blog this past month, which was being hosted for free, brought these questions to the fore: what is our right to availability really? What does our loyalty and presence entitle us to? What are fair expectations for free services? It appears that free entitles us to a service without support.

Services like blogging, social networking and online applications are mostly provided free of charge. Consumers expect these services to be reliable, secure and constantly available. But is this expectation too high? Are we losing high-value services because we do not want to pay for Internet services and content?

Certainly our desire for free services and content is negatively impacting notable TV, entertainment and newspaper companies. When we have no more credentialed journalists because we did not want to pay for their time, I wonder whether the value of the content we access will decline. Is our unwillingness to pay actually killing the goose that lays the golden eggs? After all, there is an intrinsic cost in supplying a product.

If you are providing a product and building a business model around charging for additional services, I believe the free service you supply must be indicative of the quality of the product customers pay for. The product must provide its users with confidentiality, integrity and availability. How will we know that the paid product has these qualities? Organizations that run a multi-level service model, with service levels for paid tiers and none for the free tier, are at risk of alienating the community they initially attracted by providing the free service in the first place.

In our situation, our response has been to move the SecureThinking blog to a new platform that we host and pay a small fee to use.  There was a misalignment between our expectations and the supplier’s product, but that is often the case when a product is free. 

I’d be interested to hear your feedback on whether you think free services should be held to the expectation of being secure and reliable. What do you think?

http://www.btsecurethinking.com/2009/11/integrating-web-2-0-tools-securely-into-the-business-environment/

Monday, October 19, 2009

Cybersecurity Tip #3 — Maximizing the Return on your Security Investment

Jim Tiller, VP – Security Professional Services, North America, BT Global Services

Returns from security investments are not your typical one dollar in, two dollars out model. But this does not mean that security investments cannot demonstrate value to the business.

Maximizing returns is less about traditional risk-versus-investment strategies and more about ensuring the operational integrity of security activities. Businesses demand more bang for the buck and less waste, and require that every penny spent has a positive influence on the business mission.

Here are some tips to help security demonstrate value:

  • Enable the business – Although security investments are applied to protect the business by reducing risk or achieving compliance, many will also have an impact on business processes. The goal is to find security solutions that have a positive influence on business processes: ones that demonstrate savings, enhance the quality of the process, or reduce barriers to the business pursuing new opportunities.
  • Waste not, want not – Companies today appreciate the importance of information security and will invest when there is a clear plan, as well as a sharp focus on effectiveness. Today’s CSO should spend as much energy on demonstrating effectiveness and efficiency in spending and in the employment of resources as on expressing traditional security metrics. Businesses want to be secure. However, reporting only on security metrics will not satisfy executive demand to know how well dollars were applied operationally.
  • Focus on the disease, not the symptom – Security is typically in a reactive, fire-fighting state, and recent reductions in workforce, thanks to the economy, have strained many security groups. As tough as it may be, focus efforts on core issues and export day-to-day, tactical activities to partners. For example, outsource vulnerability testing to free internal resources, which can then reduce future vulnerabilities through comprehensive interaction with development groups and IT. Over time, investments in managing systemic security issues will yield greater environmental integrity and agility.

Historically, security groups have been focused on reducing risk and ensuring compliance. However, moving forward, security groups must also be keenly focused on operational efficiency to prove that investments are being applied wisely, are aligned to business goals, demonstrate added value to the business, and are tracked and managed in the same fashion as traditional risk and compliance management.

Friday, August 21, 2009

The Case for Adaptable Security, Part 7: Services Relationship Model

By Jim Tiller

[This is the last of a seven-part series on transforming security during this economic downturn. Part 1 set the stage for the series and posed the thesis that what is needed today is adaptable security that both leverages existing investments and addresses the fact that the demands of the business will increasingly be a moving target. Part 6 focused on the flexibility needed to balance security services with business needs and strategic changes, and introduced an adaptable Security Services Model. This part concludes with the importance of a services relationship model to bring it all together.

Comments on this post and the series are welcome!]

Supplementing the risk and services model, and incorporated into governance processes, there must be a mechanism that connects individual security services to ensure the original intent is achieved. This is done by creating a relationship matrix that helps security practitioners and managers expose potential issues as security in any one area declines, so that other services can be applied as compensating controls. However, this isn’t simply about adding to the process; if it were, the services would naturally become combined and we would be right back where we started. For example, to reflect changes in delivery capability or capacity, a security service may need to be reduced. The relationship matrix then offers a view into what other elements can be applied, such as a different service that costs less to execute and has broader delivery capacity.

Establishing a services relationship model is critical to maintaining alignment between risk and the business, accomplishing things such as:

  • Ensuring that one service is not overwhelmed and consuming expensive resources, while others lie dormant.
  • Taking advantage of less costly and time consuming services where applicable to better utilize resources.
  • Making certain that no one service is critical to the business in light of potential future changes that might impact its delivery capacity.
  • Taking advantage of strength and investments in one area to supplement other weakened areas.

This is where all the work comes together: understanding the business strategy, building a risk model that can be repeatedly applied to view business and security risk, formulating a services model, building governance to provide valuable performance information to the business, and creating a method to ensure capabilities, investments and processes are balanced for flexibility. Together, these allow effective and efficient security to be realized in a manner that is seen as enabling the business.

This concludes the series. Have you implemented a model to understand the interrelationship of your security services? Can you use it to dynamically change services with changes in the business? I’d love to hear what’s worked for you in this regard.

Thursday, July 30, 2009

The Case for Adaptable Security, Part 6: Security Services Model

By Jim Tiller 

[This is the sixth part of a seven-part series on transforming security during this economic downturn, based on the thesis that what is needed today is adaptable security that both leverages existing investments and addresses the fact that the demands of the business will increasingly be a moving target. Part 5 described four steps to establish services-based security. This part addresses the flexibility needed to balance these security services with business needs and strategic changes, and introduces an adaptable Security Services Model.

Comments on this post and the series are welcome!]

Maintaining security is important, but it also demands flexibility and accepting that not all security practices are necessary or possible. As stated previously, the all-or-nothing approach to security must be replaced with a best-impact approach to security in an environment of business needs and strategic changes. 

Information security experts understand the term “compensating controls” very well: accomplishing the desired level of security indirectly is commonplace. This fundamental practice needs to become the underlying force for balancing security services. As services are defined and implemented they will have specific criteria determining scope, depth, method and results. By design there will be areas where less security is implemented than under normal conditions. Over time, security services will allow for greater adaptability (see figure), ushering in the ability to apply compensating controls far more rapidly and to address current business demands more accurately.

Adjusting Security Services Model


For some organizations, when security is not applied to a particular level the business unit is typically asked to sign off on risk acceptance. As stated earlier, risk appetite increases during difficult economic times, and if organizations are not mindful, security groups will be reduced to processing risk acceptance forms rather than implementing much-needed security.

When armed with a risk assessment and tracking model that reflects business and security risk, a security services framework and an underlying governance model to communicate action effectively to the business, inter-service adjustments can be made to provide for compensating controls. 

For example, assume you have three security services, each focused on performing specific tasks for various business units. By definition, not all services are applied equally under all conditions, and therefore each service needs to be balanced relative to risk and mission. Through detailed analysis and consistent views from a risk perspective, undesirable conditions, such as one service consuming scarce resources while another lies dormant, may surface.

In my next post on this topic (Part 7), I’ll conclude with the importance of a services relationship model to bring it all together. 

Tuesday, July 7, 2009

The Case for Adaptable Security Part 5: Four Steps to Success

By Jim Tiller

[This is the fifth of a seven-part series on transforming security during this economic downturn. Part 1 set the stage for the series and posed the thesis that what is needed today is adaptable security that both leverages existing investments and addresses the fact that the demands of the business will increasingly be a moving target. Part 4 focused on a risk-based approach to organizing security services. In this part I describe four steps to establish services-based security.

Comments on this post and the series are welcome!]

As security services are defined and structured to find a balance between traditional security activities and those needed to address localized conditions, the basis for creating greater visibility for executives is realized. This is accomplished in the following steps.

First – Establish service levels for each service and create a delivery matrix to understand the minimum conditions that are needed. This creates common understanding of expectations, demonstrates relevance to recovery strategy, employs risk assessment information, and provides the foundation for cost analysis. More importantly, when the business is inherently involved in the definition of risk and service levels, there are positive by-products, such as less time consumed in planning and justification, and greater collaboration between groups because both clearly understand what needs to be accomplished, and at what granularity. Initiation of security services becomes far more streamlined.

Second – Address the management of the services. Defining conditions for degrees of service complexity, scope, and depth requires management of information and resources to be aligned. For example, a service may be applied to a business unit to implement configuration changes to address system stability. Under normal circumstances resources may follow an established method and execute them regardless of nuances in the intent of the project. Management provides for the ability to ensure specific methods and tools —or portions of them—are implemented relative to the service function for that particular business unit. Management activities can then be tracked and measured for performance.

Third – Define performance metrics as they relate to service delivery and to the business. These are not information security metrics, but rather indicators of performance exposing how efficiently and effectively a service was executed. This translates to dollars and time, as well as the use of resources. Performance metrics can express time, utilization (of people, process, and tools), quality, completeness, and management. The relevance to the business is enhanced through the use of services, and the ability to demonstrate effective application of those services begins to close the gap between common security approaches and business needs.

Fourth – Governance of the security program as it relates to risk, business conditions, and service delivery is paramount. This simply assures that all the processes necessary to define, refine, deliver, and accurately report are working in unison and as expected. Moreover, this provides for a lessons-learned, feedback loop that ensures information from follow-on risk assessments and performance gaps in services and delivery are addressed. Governance acts as the final bonding agent between business expectations and security operations. Through governance, the identified security and business risks are translated to effective and meaningful use of resources in terms executive management can easily associate with broader directives. Ultimately, this is about the maturity of the security program and based on that maturity, security practices have the ability to be highly targeted and effective to the overall mission.

In my next post on this topic (Part 6), I’ll address the flexibility needed to balance security services with business needs and strategic changes, and will introduce an adaptable Security Services Model. Have you implemented a security services model with service levels, management guidelines, performance metrics and governance? If so, what were some of the challenges in implementing? How effective is the services model?

Wednesday, June 10, 2009

The Case for Adaptable Security, Part 4: Managing Risk

By Jim Tiller

[This is the fourth of a seven-part series on transforming security during this economic downturn. Part 1 set the stage for the series and posed the thesis that what is needed today is adaptable security that both leverages existing investments and addresses the fact that the demands of the business will increasingly be a moving target. Part 3 focused on how the security team can take the lead on aligning security to business needs. This part discusses the next step: a risk-based approach to organizing security services.

Comments on this post and the series are welcome!]

Managing risk is the cornerstone for security. It takes into consideration threats, weaknesses, and potential impacts to the business, providing a meaningful method for determining what controls are needed. However, in light of dramatic changes to the business and the implications of insider threats, many existing risk assessment models and processes may not be entirely effective.

Security organizations should define a risk assessment process that is modeled to reflect current company shifts, external and internal threats, and focus on specific target areas, such as business unit needs. Moreover, once the approach is refined, the assessment process must be performed quickly in order to move rapidly toward alignment. Traditionally, comprehensive risk assessments take long periods of time. However, in conditions such as these, the assessment needs to only focus on key risk attributes relating to the changes in the environment. Leveraging previous risk documentation is paramount. The goal is to adjust the model in order to incorporate new characteristics, perform a high-level assessment across the major business elements, and apply relevant data from previous assessments and audits.

The result will be a perspective of risk that provides visibility into the specific areas that represent the greatest potential for harm relative to emerging threats and business changes. Given that risk appetite has and will continue to change throughout the economic recovery lifecycle, the assessment must be rapid enough to ensure ease of repeatability, while still effective for focusing the direction of security activities.

One of the key factors in demonstrating value and ensuring business alignment is the ability to not only apply people, process, and technology, but do so in a manner that facilitates the generation of information that speaks specifically to the overall business strategy.

There are a number of security practices that are performed regularly and may be performed in different ways. However, the details of how they are employed are not always well documented, tracked, or related to clearly articulated delivery factors. The business details of security activities do not readily surface in today’s best practices, leaving the business to trust in the process. Unfortunately, trust is a rare commodity in uncertain times.

Organizing security activities into services substantially increases the ability to apply resources effectively and to report in terms the business can easily digest. For example, say that, based on policy, a specific security activity such as vulnerability testing must be performed quarterly. Historically, the activity is performed and produces a result that is then taken as evidence the requirement has been met.

Supported by a targeted risk assessment, orienting security activities into services allows the core needs of the business to be met in a way that reflects risk appetite and recovery strategy. Revisiting the vulnerability testing example in the light of services, the policy defining when the test must be performed may be adjusted to reflect specific conditions related to a particular business unit, expectations for its systems, and the role it may be playing in the recovery process. A simple example: if an application is due for a test but its role, and maybe even its continued purpose, is changing, then the testing process should change too.

Services can define required input, ranges in service delivery, and pre-defined outputs based on business conditions and the state of the targeted environment. Security groups can start to offer levels and rates of activities relative to what is truly needed at that point in time for a given business unit. Some may interpret this as doing less, such as only addressing critical vulnerabilities, or patching specific systems, or reducing the scope of an IDS or DLP project. But in reality it is not about doing less as much as it is about surgical application of security capabilities to those areas deemed most critical to the business in light of the changing environment, and, more importantly, the direction of the business.

Attributes of service definition and early indicators of delivery methods will come from the modified risk assessment and visibility into the business strategy. Moreover, the knowledge concerning changes in threats will play a key role in their definition.

In my next post on this topic (Part 5), I’ll describe four steps to establish services-based security. In the meantime, please let me know how you are managing the changing risk landscape. How often do you review and re-align your security services to match? What short cuts work between major security program reviews and audits?

Monday, June 1, 2009

The Case for Adaptable Security, Part 3: Taking the Lead

By Jim Tiller

[This is the third of a seven-part series on transforming security during this economic downturn. Part 1 set the stage for the series and posed the thesis that what is needed today is adaptable security that both leverages existing investments and addresses the fact that the demands of the business will increasingly be a moving target. Part 2 focused on the key first step of aligning security with the needs of the business. In this part I get into more detail on how the security team can take the lead on aligning security to business needs.

Comments on this post and the series are welcome!]

Business stakeholders and the security group need to understand more intimately each other’s missions and goals, as well as the metrics that define success. Historically, there has been conflict between business needs and security’s desire to protect the business; where the business sees opportunity, security sees risk.

Interestingly, the impetus for change lies with the security group. For security to be effective it must completely understand the pressures business units are dealing with, what services they are responsible for and how they map to larger strategic plans, what business risks (not just security risks) they are facing, and what elements define their success. Armed with this information and knowledge, the security group can more accurately apply itself for the overall betterment of the company.

The first step in accomplishing this fuller understanding of the business is to review the company’s mission and values. These act as guideposts for organizations as they navigate rough seas. A great deal can be garnered from monitoring how executives leverage mission and values in the decision process. This can provide visibility into key directional changes in which security can actively participate and support.

However, this is simply the beginning. Security managers need to know what the cost-cutting strategy is, and how the organization is being physically adjusted not only to accommodate a reduction in resources, but to ensure long-term efficiency. Take Dell as an example. After incredible growth for several years, Q4 FY09 presented a 16% drop in revenue and a 48% drop in profits. Before this, Dell had announced a $3 billion, three-year cost-cutting goal (later revised to $4 billion) to be met by 2011. As a result, Dell realized a more than $363 million drop in operating expense year over year. But to meet its goal, more dramatic reductions are necessary. In addition to reducing costs, Dell reorganized into four global, customer-centric business units “to better meet customer and partner requirements through direct relationships, and to innovate without ties to costly, complex legacy technology.”

Therefore, Dell is not only seeking to protect profitability, but is changing the fundamentals of the business, which, interestingly, includes implications for information technology. This shows that hard economic times are not simply about cutting back. Companies are making fundamental changes to the operational structure of the business that have the potential to introduce additional security challenges.

It is important for security to understand the company’s investment strategy and the performance metrics for those investments. Although investment generally decreases during economic downturns, spending in some areas may increase to accommodate plans, and executives will have very specific expectations of returns, impacts, and timelines. It is important for security groups to be involved in helping determine potential risks and finding common ground with the business stakeholders to demonstrate applicability and value of security in meeting objectives.

In my next post on this topic (Part 4), we’ll get into the next step — a risk-based approach to organizing security services. Are you positioning your security team to take the lead on aligning with the business? What are some of the proactive approaches you’ve taken that we can learn from?

Wednesday, May 20, 2009

The Case for Adaptable Security, Part 2: Business Alignment

By Jim Tiller

[This is the second of a seven-part series on transforming security during this economic downturn. Part 1 set the stage for the series and posed the thesis that what is needed today is adaptable security that both leverages existing investments and addresses the fact that the demands of the business will increasingly be a moving target. Part 2 is focused on the key first step of aligning security with the needs of the business.

Comments on this post and the series are welcome!]

At the board level, the value of security is predominantly associated with compliance, with few people relating to its true value in providing business enablement. To change this mindset, security must function in a manner that is more aligned to the business’s needs and produce information about how it is being applied, in business terms that are easily digested by senior management.

Companies facing economic challenges are not entirely fearful of spending, and will do so when there is clear alignment to the mission and processes in place to ensure long-term success. What companies are demanding, and more so now than ever, is effectiveness— not only doing more with less, but ensuring the process is fine tuned to achieve their goals economically and meaningfully.

Traditionally, security practices have been broad, basing operational integrity strictly on managing risk to the business. While this is a well-founded approach, the information resulting from these activities is not easily aligned to the corporate stability strategy. Moreover, the risk appetite of a company may change dramatically when under extreme economic pressure. In short, the environment is becoming far more dynamic, outpacing traditional risk processes. Risk management must operate more aggressively and quickly in order to address business challenges as they evolve. Therefore, a security program solely reliant on annual risk assessments, outdated threat tables, and limited visibility into the business-level risks as the only method for communicating effectiveness will experience substantial challenges. The important factor is to create agility in the existing foundation of risk management that will set in motion radical improvements to the adaptability of security and the ability to demonstrate value.

Exacerbating the situation is that security tends to be presented as an “all-or-nothing approach,” which is simply not possible in today’s environment. Security practices must ebb and flow with the dynamics of the business and become adjusted to be applied in a way that is meaningful in protecting the business and doing so economically.

In my next post on this topic (Part 3), I’ll get into more detail on how the security team can take the lead on aligning security to business needs. In the meantime, please let me know to what extent you’ve managed to align your security program with board-level or C-level programs? What’s worked for you to accomplish this?

Wednesday, May 13, 2009

The Case for Adaptable Security, Part 1

Jim Tiller

[This is the first of a series on transforming security during this economic downturn. Part 1 sets the stage for the series and poses the thesis that what is needed today is adaptable security that both leverages existing investments and addresses the fact that the demands of the business will increasingly be a moving target. Comments on this post and the series are welcome!]

Around the globe, threats to businesses are manifesting themselves in a number of ways, from global economics and market forces to international competition and geopolitical dynamics. In an effort to please Wall Street, which demands demonstrable growth in any environment, companies are being forced to make fundamental changes to their businesses and take dramatic actions to protect the bottom line. As cuts become deeper and deeper, remaining energy is understandably directed at revenue generation, with other parts of the business being neglected. Unfortunately for some, security has not always been seen as part of the solution in supporting business success. However, forward-thinking security groups will recognize that the challenges businesses are facing today present an opportunity to engage with the business and establish a targeted approach that enables the business to move forward securely and with confidence.

Information security practices and capabilities within organizations have grown a great deal from where the security industry was a decade ago, representing the culmination of years of investments. Many organizations have gained meaningful equity through the implementation of comprehensive programs, such as information security management systems, controls frameworks, and for some, the inclusion of security metrics and reporting techniques into their programs. Yet, these well-established approaches to enterprise security typically lack one important characteristic that is indispensable in maintaining security during economic fallout: adaptability.

In tough times the ability to rapidly adapt to changes in the environment is vital to business survival and traditional security simply cannot persevere in the face of this demand. Mounting pressures on businesses to perform begin to skew perspectives of risk appetite — what may be of intense importance today may not be tomorrow. In short, business demands are a moving target and the faster information security can adapt to change, the faster it will have a purposeful and relevant influence on the business.

The lack of flexibility in existing security programs does not mean they are unable to offer any value; quite the contrary. When properly orchestrated, standard security processes can more readily enable adaptability and bring it closer to reality. Existing capabilities address the “how,” but not necessarily the “how much,” such as the depth and granularity of security that may be required.

The key to security transformation lies in leveraging standard security processes within a services model that is inherently designed for change and tightly coupled with rapid, highly targeted risk assessments. For example, a modified risk assessment process that takes into consideration both business and security risks allows for the acute application of security capabilities through a service-oriented delivery model: stripping out waste, ensuring alignment with business dynamics, and, through comprehensive governance, providing much-needed executive-level visibility into its effectiveness. The result is adaptable security: security that moves quickly to address changes, operates more efficiently and effectively, and provides usable information to ensure consistent alignment with the mission and to demonstrate value.

In my next post on this topic (Part 2), I’ll dive into the topic of aligning security to business needs. In the meantime, please let me know how adaptable your security infrastructure is. How important is flexibility and adaptability to your business going forward?
