The IP network of the enterprise carries the lifeblood of the business. If you believe that security is a business problem, and that the network and its services are critical to business execution, then the security framework of your organization must embrace the entire network as a whole. Anyone tasked with doing this knows that it is easier said than done.
Technologists quickly realize that in order to succeed in information security, they must understand the business needs of their organization. Conversely, non-technical business executives must to some degree understand the risks that enabling technologies bring to the enterprise. Both must see the big picture and be able to influence each other as trusted advisors toward common goals and objectives.
A common language among business and technology leaders is essential in getting security objectives understood and shared throughout the enterprise. When the security objectives align with business objectives, both sides succeed. Below are the top ten ways to ensure goals are met on both sides.
Top ten ways to use controls as the language between business and technology
1. Understand your business and monitor its changes
Security is a business problem; therefore your abilities depend on your ongoing, in-depth understanding of the business.
2. Ensure that your control objectives are understood by everyone
Five items are easier to communicate and remember than 300. Use this as a common language between the security organization and the adjacent business functions (CxO, business units, partners, etc.).
3. Review your systems and map them to control objectives
Control objectives allow you to put all of your security-related activities into five buckets. As vendors' functionality consolidates, an ongoing review at this level may help you produce greater results and be more cost-effective. As new business objectives are introduced, the control objectives allow you to communicate your framework without having to get into the technical details of execution.
4. Ensure that proactive methods are primary and reactive methods secondary
"Increasing investments in proactive security can reduce the impact of security events and the overall cost of an effective internet security program. However, no amount of spending in reactive security can make that claim." [Gartner, CIO Update: Answer Six Key Questions, Improve Internet Security]
This rule applies to many systems (health care, fire fighting, financial, etc.). The common trait is that pre-incident efforts reduce the problem space to a size that is feasible to manage. If the proactive controls are weak, the load falls on the reactive controls, which quickly cross the threshold into unbudgeted time and resources. The proactive controls are the directive, preventative and corrective ones, because they all operate pre-incident.
5. The business is enterprise-wide, so the controls should be too
You must be a systems thinker or your adversaries will win. Security vendors have advanced product functionality, but its value is isolated to a particular area of the topology, a specific operating system, or a class of threat. If you start thinking about the entire network as a single computing base, you will begin to address security at the business level.
6. Compensate weak controls with strong ones
There are tradeoffs everywhere you turn. The control objectives allow you to step out of the execution level and up to a level from which you can see how other controls may be able to compensate. As long as security and the business share common goals, execution is made accurate by having the context of the whole.
7. Take full advantage of complementary controls
Once you have sorted your processes and technology into the control objective categories, complementary opportunities will emerge. The complement is often driven by an objective that can't be met by a single control because of restrictions regarding computing environment, topology, threat classification, or political boundaries.
8. Understand the adjacency of your controls
You can view control objectives as being functionally adjacent. When you execute a control, understand which adjacent function will bring the best value. For example, the detective control objective is to sense whether directive or preventative controls have failed, causing a loss. Another example: within a preventative control you can sample your computing environment for exposure prior to loss and invoke a corrective control to remediate pre-loss.
9. Avoid controls that are deterministic
Controls should be predictable for their owners and unpredictable for perpetrators. If a deterministic control can't be avoided, then complement the procedure with some functional jitter, such as varying its timing or sampling so that an adversary cannot anticipate exactly when or where it will act.
10. Cultivate the enterprise before the introduction of a new control
When controls are introduced or modified, make sure that your IT peers, operations and other critical functions of the business are educated and prepared. Failing to perform the proper social groundwork may result in groups working to neutralize the control, morale issues, or in the extreme case a loss of intellectual capital.
Tim Keanini, CTO at nCircle (www.ncircle.com), has more than a decade of technical expertise in information security and e-commerce infrastructure.