Security: Going Beyond No
What makes our coverage of security at EMA different? Simply this: we do not see security management as something confined to narrow segments of technology, isolated from other aspects of IT or from the people and processes that make up the business. At first blush this may seem obvious, since security is, after all, about human behavior. It is also about assuring the confidentiality, integrity and availability of information and of the systems that handle it (the “CIA” values with which many are familiar), which takes us directly into intersections with the management of the business as well as the management of IT.
And yet, many security organizations – and, unfortunately, too many security professionals and the vendors that cater to them – see their interests as somehow isolated and separate from the rest of the business.
This is unfortunate, albeit understandable, in a domain of expertise that for a long time was characterized primarily as being in “the business of no.” Security has too often been the last stop of a train rushing headlong over a cliff of apathy or outright ignorance, as businesses charged forward with IT initiatives that later left them exposed to breaches, embarrassment, and in some cases, tangible loss. Raising objections to risk was seen as hindering the business. This perspective has not been helped by security controls that interfere with users to the point that they are either evaded or ignored.
Today, many organizations recognize their security issues and are willing to deal with them more realistically than in the past – a change brought about in no small measure by the alarming advance of attack sophistication and the sheer volume of today’s threats. They may recognize that security is more than “no” – yet many still fail. Why?
We at EMA believe that much of the reason is that too many approaches are either incomplete or isolated, or both.
What does this mean? In essence, it boils down to the “Plan – Do – Check – Act” (PDCA) cycle inherent in guidance such as the ISO/IEC 27000-series of security management standards. In our research, the organizations with the best security outcomes are consistent in reaching all four milestones:
- Defining their objectives (“Plan”)
- Actually implementing them in practice (“Do”)
- Monitoring for deviations or for issues that warrant a response (“Check”), and
- Responding accordingly (“Act”)
These activities must cross boundaries of interest and responsibility to be truly effective. One example: the vulnerability assessment performed by security teams is only useful when complemented by vulnerability remediation, typically carried out by IT operations through system patching and reconfiguration. It also means engaging business stakeholders in a more consistent conversation about risk, distinguishing the risks the business understands and can accept with confidence from those it cannot.
Compare this approach to the cases studied in Verizon Business’ landmark series of Data Breach Investigations Reports. From the first of these reports, published in 2008, we noted findings such as the following:
- In 59% of cases, the organization had established policies and procedures, but these were not enacted through actual processes. (In other words, these organizations “planned” by defining their objectives, but failed to “do.”)
- Evidence of events leading up to 82% of data breaches was available to the organization prior to actual compromise, but was either not noticed or not acted on.
In the latter case, these organizations “planned” to collect event data and “did” by implementing tools such as log management, but the evidence was either not noticed (a failure to “check”) or noticed and not acted on (a failure to “act”). The moral: all four aspects of PDCA are necessary, and failing at any one of them can leave the organization exposed.
EMA sees successful organizations taking a thorough approach in three ways (with a tip of the hat to the organizers of the ShmooCon conference for their handles for two of them):
- Build it: Designing and constructing IT systems that are resilient to threats
- Break it: Putting IT to the test and maintaining visibility into threats and activity, both inside the organization through monitoring, investigative and forensic tools, and outside it through threat intelligence.
- Put it together: Overcoming the isolation of security through integrating processes across security, IT operations and the business that foster a more complete and thorough approach.
As concepts such as cloud computing continue to advance, organizations should expect these approaches to extend to abstracted, virtualized environments as well. Cloud computing also raises the stakes for information-centric security: where the organization cannot feasibly control every part of the computing environment, the emphasis shifts toward protecting the information itself. In short, when the organization has limited control over where its data is processed and stored, security that “travels with the information” (controls such as encryption and access rights bound to the data rather than to the infrastructure) increases in value.
These are the broad outlines of security coverage here at EMA. In upcoming posts, I’ll go into more detail on the various aspects of building security, breaking it, and putting it together, as we follow how security adapts to the ever-changing nature of IT.