4Steps2MarteringSecurityKungFu


This story appeared on Network World at http://www.networkworld.com/columnists/2009/040109-security.html

Four steps to mastering security kung fu

Op-ed By Jim Tiller, Vice President, Security Services, BT Americas, Network World, 04/01/2009

Although vendor-written, this contributed piece does not advocate a position that is particular to the author's employer and has been edited and approved by Network World Editor in Chief, John Dix.

The current economic melee is forcing a corporate metamorphosis that, when combined with ever broadening security threats, presents information security groups with an opportunity to radically change their identity and value to the business.

To capitalize on the moment, security groups need to reassess their approach, add visibility and transform security's very role.

The timing is good because maintaining security during tough economic times is critical. Besides external threats that evolve even more rapidly in economic downturns, business slumps increase the probability of disgruntled employees striking out using intimate knowledge of corporate systems.


Risk is further exacerbated by the fact that, since the last economic crisis of this magnitude, companies have become far more reliant on information technology systems, which are now highly complex and essential to sound operations.

Your current security path represents existing programs, capabilities, processes, etc. The goal is to create a parallel path that influences existing practices and allows you to refine a new strategy without disrupting current expectations. In time, the new path will become a dominating force and take you in a new direction.

Step 1: Tuning the Approach

During the last decade security has been virtually defined by compliance. For many companies, it has been less about security than it has been about ensuring that certain regulatory demands are being met. Unfortunately, compliance does not necessarily enable the business, align with core initiatives, and alone may not thwart debilitating attacks.

Understanding this, some security groups have strived to use compliance efforts to improve their security posture.

Page 1 of 5 http://www.networkworld.com/columnists/2009/040109-security.html

4/22/2009 http://www.networkworld.com/cgi-bin/mailto/x.cgi?pagetosend=/export/home/httpd/htdoc ...


Unfortunately, not all companies see the value of such activities and instead simply see compliance as a cost of doing business.

You have to convert the security practices that fall under the banner of "mandated for compliance" into specific activities that resonate with the business. For example, a predominant force in business is time to market and the rapid conversion of investments to revenue generation. This can materialize as a new service, application, communication platform, network or alliance. The key to tuning your approach is to optimize security features to help the business move more quickly, reduce barriers or accommodate a requirement quickly.

Key to being able to accomplish this is institutional knowledge within the security group and leveraging and combining resources in ways that benefit the business as much as it does security, for example: supporting secure coding practices through collaboration with the development team, optimizing standard builds to stand up servers more quickly, security testing as part of performance testing, or utilization of directory services to support streamlining of access controls for a new partner.

Fundamentally, it is about operating in a risk/reward model. Prioritize activities based on risk as well as where the greatest opportunities are for the business. By becoming intimate with business goals and mapping against elements of risk, what begins to surface is a common thread that demonstrates a point where the business and security goals become more closely aligned.

A good place to start is within the project management arena, where risks to the initiative or life cycle will become apparent, in addition to helping identify critical paths and what is most important to the business unit or group. By using information of this nature, combined with institutional knowledge that the security group possesses, you can begin to interpret demands and risks in business initiatives and quickly find areas of common ground.

Step 2: Adding Visibility

Security groups typically make security efforts visible to executive management by presenting security metrics, risk dashboards, and the like. However, along the way, many encounter some key challenges.

The first challenge is that the measurements are only focused on security and typically do not provide insights to other aspects of security operations that demonstrate effectiveness. For example, a dashboard may present compliance risk, operational risk, technical risk and current threats. It is assumed that keeping the values in an optimal or desired range means that security is doing its job.

However, company executives are increasingly focused on efficiency, effectiveness and overall alignment to business initiatives. They want to know how well these objectives are being met, what influence they have had on other key business performance indicators (such as time to market, customer retention), and how resources and other valuable assets are being utilized.

Executives are concerned about inefficient or wasteful activities and want to ensure all activities focus on the bottom line. Presenting to the board a risk dashboard can be helpful to demonstrate your alignment to security concerns, but that's only one part of the equation in the eyes of executives. The more effectively security can reduce the need to translate security results into something meaningful for the business, the better.

The second challenge relates to the "gap" factor. The gap refers to the difference in what security is providing to executives as visibility and the ability for the security group to influence the system to enact change.

For example, a report may demonstrate that the number of vulnerabilities in Internet-facing applications is increasing significantly quarter over quarter. However, the security group may not have the capacity or capability to reduce that number to a reasonable value. As a result, some senior security managers find themselves tasked to correct an issue they simply do not have the ability to accomplish.


In short, information from the security program is misaligned with its ability. Some use this to justify investments that would address the gap. But unfortunately this pattern is growing increasingly ineffective as business owners demand more accountability. The solution is to create a security program that not only presents good and bad trends, but more importantly, has the ability to have a meaningful impact in changing them.

The challenges can be summarized as providing visibility into more than security in security terms, but also in a manner that is more readily digested by executives and easier to align to business goals. Secondly, build a security program that not only produces meaningful information relative to security and business metrics, but also has the inherent capability to institute change and thereby meet expectations.

Providing additional visibility to existing risk-based perspectives can be enormously valuable. To accomplish this, you need to become more intimate with what resonates with the executives: the measurements they focus on day in and day out, the performance indicators they study beyond the financial ones. Each company is different and each business unit may have a different spin. Moreover, many may seem like the furthest thing from security, such as shipping metrics, warehousing, capacity indicators, system use or even collaboration indicators. You have to look behind these to begin to see where security can begin to mimic the same philosophies.

From a security perspective, look to report on areas within your domain of influence and help reflect how well you're running as a business. It can be as simple as resource utilization, project involvement or performance quality scores from your peers.

From there you can start tying to other reported information and trends, such as the planned decline in effort to perform regular vulnerability testing, but an incline in report quality and effectiveness, essentially demonstrating that you are meeting security and business objectives. Or show how, through collaboration activities (which have been measured) and modifications to technologies, you've helped reduce the number of security related helpdesk tickets. These are, of course, very basic. Nevertheless, the point is to find related information between what you are doing for security and how well you are doing related to business expectations.

This approach helps form your new path for security, drawing from your original strategies and enhancing them. Start small, test the waters and seek mentorship within the organization. As more confidence grows in providing additional perspectives on activities, you can move into closing the gap.

Step 3: Service orientation

By this point you've learned how to orchestrate your core competencies to help the business reach its goals using a risk/reward method. And you've started experimenting with adding visibility to the executives on alignment. As a result, the identity of security is beginning to shift. It may not be obvious, but it's happening. However, this is a critical stage and the time to innovate. Once executives see something they like, they want more, expectations increase, and that "good job" turns into "what have you done for me lately?"

One of the common pitfalls is not following through to ensure a foundation exists to keep up with new expectations. As a result, massive ground is lost and you're back to square one.

Adopting a service orientation can help you continue to move forward. Service orientation has three primary objectives:

1) Convert tactical best practices that were once hidden within compliance efforts into business services that can be consistently utilized.
2) Close the gap between what you can control/influence and what you're reporting on.
3) Create a foundation for building a highly agile security approach.

The key is to learn from experimental practices in tuning activities and report on additional metrics and indicators relative to business goals. For the development of security services, it's the tuning of the approach that provides the information you need to get started.

In the most simple of definitions, a security service is a well-formed package of related processes, technologies and capabilities that has a predictable outcome that is needed or in demand by the business. What makes security services differ from traditional security activities is input.

Just about everything requires input to feed a process to produce an output. For security, the input is usually "self-assigned," meaning the business must meet a specific policy or some other documented requirement to have security perform an action. For example, a policy may read, "Any material change to an Internet-facing application requires a penetration test." That's a sound approach, but it's reactive and misses the opportunity to gain valuable insights to underlying business needs and goals.

While looking for risk/reward scenarios, you will see a pattern emerge and the tuning efforts outlined above should help you identify opportunities to incorporate specific business attributes into what you're performing.

The basis for security services is taking advantage of this pattern. In fact, you're doing this today to some degree. For example, an application is due for a test, but you've learned that the changes relate to one of several roles defined in the system. As a result, you may limit testing to that one area because of your knowledge and comfort with the application from previous tests. Now, extrapolate this to all things in security. It's less about simply doing what you do and more about giving the business additional opportunity to feed the process in order to refine the activity, or service in this case, to the business need.

The next important characteristic of security services is how people, processes, tools, methods and technology are architected to perform the service relative to input and output. This is a lot easier to say than to do. Organizations tend to approach these elements as independent or loosely coupled. Moreover, some security architectures and frameworks facilitate segmentation, making alignment of them seem alien and uncomfortable.

One challenge is internally developed standards that are either overly comprehensive or too granular. Successful implementation of security services typically starts with reviewing the standards and looking at them as a common foundation to services as opposed to specific elements for a given security function.

As with all things of this nature, a slow and methodical approach wins the race. Don't try to create a services model overnight. Take what you've learned in tuning, couple it with something you're already doing today (such as vulnerability testing, patch management, identity management, data protection, monitoring), and then pilot a services approach with a friendly business unit.

As this approach begins to solidify, several interesting things start to happen. The identity of security and perceived value continues to shift in a positive direction. Nevertheless, you will quickly realize that you have far more capabilities to measure operational details of your organization, and more importantly you inherently have more influence over them as a result.

This essentially slams the door on the gap. Services facilitate the risk/reward model, they make it possible to organize activities specific to demand, provide the means to measure those activities more effectively, and allow for the controlled management of each element to ensure that what is being reported can be influenced. This can be a perfect storm, but you're not done. To truly transform, you have to close the loop with governance.

Step 4: Governance Loop

The "governance loop" is the final step and provides the opportunity to realize real transformation. To this point, you've tuned, experimented, tested and created the early stages of services and are beginning to rely on the new path and less on the old one.

This has helped increase visibility, initial alignment to the business and promotes effectiveness. Nevertheless, at this point, time becomes your enemy -- without governance, the services will eventually break down. Governance, interestingly, provides the mechanism to ensure expectations are being met, but also the means to promote adaptability, closing the loop with the business.

Governance acts as the bonding agent between ebbs and flows in the business, compliance, risk and security activities. More importantly, this is where risk/reward is measured and fed back into the system to instigate change. It is also important to realize that risk (management, assessments, reporting) has played a pivotal role throughout the journey, and governance is the means to realize full potential. Risk remains at the top of the pyramid, but now with services underlying it, supported by governance, it can move far closer to the business.

In short, governance is analogous to "inspect what you expect" and influence change. That means creating a set of responsibilities and practices with the goal of providing direction as well as ensuring objectives are achieved and resources are used responsibly. In so doing, measurements from the oversight of security not only ensure efficient and effective execution, but also facilitate change in the program through intimate connections with risk management and the business offering feedback into the system.

In some companies governance is associated with enforcement. Although partly true, a security group empowered by services and close interlinks with overall enterprise governance through risk management activities will be able to put governance to work for them. This is similar to how, over the last several years, many security organizations have changed their perspective of the audit group.

Historically seen as a regular and painful exposure of operational weakness in security, audit processes are now being seen as a way to strengthen security. It's turning what is usually thought of as a negative into a positive force. The same is true with governance processes that are outside of the control of the security group or where security is part of a governance committee.

Nevertheless, an important aspect is to understand that the security group is ultimately responsible for its activities, good and bad. Therefore, it is recommended that governance be reflected in the security services and program owned and operated by management resources within the group. This is not a replacement for enterprise governance; rather, it's an extension focused on the betterment of security.

Organizations need security more now than ever, and as a result, are more receptive to security as a community. What you do with that attention today could have enormous influences on the future of security within your company. Although times are tough, don't assume this means opportunities don't exist. The economy will correct itself and businesses will emerge stronger and with a new sense of determination and demands for operational maturity. Taking advantage of what appears to be short-term focus on security for long-term gains is the crux of the opportunity, and opportunity favors the prepared.

Tiller, author of The Ethical Hack and Technical Guide to IPSec VPNs, and contributing author on several other books, including the Official (ISC)2 Guide to the CBK, is vice president of security services for BT in North America. He consults with organizations globally on how security can enable business. You can reach him at [email protected].

All contents copyright 1995-2009 Network World, Inc. http://www.networkworld.com