Security Takes People and Processes, as Much as Technology
By Chris Cathers, Director of Business Development, SDS
Value. This is the quintessential problem for information security leaders. How does one effectively measure and communicate value for a business function filled with known unknowns?
In corporate culture, functions such as accounting, sales, finance, and manufacturing have the benefit of practical, structured and deeply ingrained value propositions. Business executives are fluent in the language of these organizational functions, and understand their view and objectives. In short, these corporate divisions have little problem making their current and future contributions clear to the organization as a whole, in terms of money earned and saved.
Information security leaders get few such luxuries. Historically, business leaders do not understand what is done by IT or the controls they put in place. Demonstrating real, substantive value to executive management is often difficult, if not impossible. Part of this difficulty is our own doing, as information security professionals, So many of us are just throwing point solutions at problems.
Point solutions are not enough.People, process, and technology: We need all three to achieve anything more than mediocrity.
Threats, breaches, and board involvement require organizations to take a broader look at information security beyond point solutions. For example, a recent client I was serving was asked to put in an Intrusion Detection System as part of their vendor management requirements.. Putting an IDS in place without understanding the bigger picture is a recipe for failure. I understand you can “check a box” with that installation, but does it also lull you into a false sense of security? If you haven’t considered what you aim to protect, what you are going to monitor, who is going to monitor, what the reporting structure looks like, and what comprises the best escalation process, you are missing the important pieces of “people and process.”
Speaking to business decision-makers in terms they understand requires first establishing metrics and measuring your processes and solutions against the following:
- Automation – Does the tool do what we need it to do and speed up the process?
- Accountability – Are process owners enabled and is a clear path of escalation defined?
- Awareness – Are the requirements fully understood and is communication defined?
- Policy/Procedure – Does the tool integrate with other standard tool sets and enable detection?
- Expertise – Do we have the right skillset in place?
- Measurability – Are we tracking the appropriate metrics?
Documenting metrics around these six critical dimensions of information security maturity—and speaking in terms of impact to the business—will not only help communicate and show value; it will help protect the assets of the company more effectively through alignment. It has been said for years, “If it can’t be measured, it can’t be managed”.
Secure Digital Solutions, along with our robust assessment platform, TrustMAPP, assists you in taking this holistic view of information security. Our blueprint shows gaps not just in point solutions, but in the people, processes, and technology that make those solutions effective. In fact, you might call our approach “front-end solutions” versus “endpoint solutions.” Tied to business values like return on investment and business impact, this is the language decision-makers need to hear if our security profession is to ever achieve the credibility we need to do our jobs.