SEP 17, 2009 11:17am ET

Introduction to Process-Centric Security

Information security managers (ISMs) work in an industry that is new in comparison to many of our corporate peers. Because information security challenges are constantly changing, we must work diligently to update our skills and remain current. As we do this, it becomes easier to insulate ourselves in a world of information security knowledge and to segregate ourselves from the rest of the business world. It is time to shake ourselves from this habit, and recognize that business drives information technology, security and risk management. The business controls our budgets and sets the bar for risk tolerance. There has been a push in the information security industry to teach ISMs to speak in business terms. While it is born from the noble goal of communicating better with our company executives, this is bad advice. ISMs shouldn’t think of changing the way they speak to suit executives; they should actually change the way they work to become more of an integrated part of the business. ISMs should strive to be businesspeople, not just technicians. Information security should help you achieve business goals and meet business missions.

For all these reasons, it’s important to shift our focus to a process-centric view of security. Process-centric security is the third generation of the information security industry. At the birth of the industry, our view was technology-centric. How do we protect servers, networks and databases? During this time, information security was very product-driven. Firewalls and intrusion detection were our focus. As we matured, our view became information-centric. Where is the critical data? How is it classified? How should we protect it? We became more concerned with encryption and information lifecycles. 

These approaches advanced the industry, and they haven’t been totally replaced. However, as we gradually see the bigger picture, we add layers of sophistication around the knowledge that we’ve already been using. On top of the technology and the information, it’s time for us to add business process. 


Many people can completely secure their infrastructure. It’s not that difficult to build near-perfect security. I can encrypt data, disconnect networks, hide everything behind securely locked doors and post guards to watch the doors. The problem, of course, is that it’s impossible to be profitable in that environment (or, for public-sector organizations, it’s impossible to deliver services). The goal of our organizations is to be profitable or to deliver services, not to achieve perfect security. Obviously the quest for perfect security must be counterbalanced against the need to conduct business operations. The risks that are the most dangerous to us are the risks that we don’t know about yet. Understanding the business, identifying the risk and balancing it against the pursuit of business objectives to make effective decisions are the responsibilities of an effective risk management program.

Lately, corporations and public sector organizations have been driven by compliance as much as by business issues. While it is often effective to use regulatory and industry standards in order to ensure the completeness and modernization of our own security programs, compliance should never be the primary driver. “Security by compliance” means that you are aiming to become the lowest common denominator in your industry. Everyone must be compliant. If compliance is what drives your program, then you will never be better than your average competitor. You will never be a business enabler in this environment. In fact, if security by compliance is your plan (as it is in many organizations that I have seen recently), then you are on a path to failure. Gartner studies show that the number of new regulations that apply to our industry is doubling every six years.

So, what is process-centric security? How do we achieve it? Process-centric security is an approach to risk management that aligns security focus on the functions within an organization most important to meeting the strategic vision and goals of the organization. At the highest level, what is the mission of your business? And what business functions are required to achieve that mission? Many times, these have already been documented as a part of a business continuity or disaster recovery program. If they have not, then a business impact analysis will identify critical business processes. 

Many models can be useful in your security blueprinting efforts, and I am only going to describe a few of them in this article. The critical business functions identified above are documented in a business functions decomposition report. It describes the business functions in the enterprise that fulfill the enterprise's vision and strategy. This report captures ongoing, never-ending business activities that realize the enterprise's mission.

The next step to achieve process-centric security is blueprinting these critical business processes. Blueprinting identifies the relationship between the business and the people and technology that support it. It exposes the known and unknown complex relationships in order to see ahead of decision points, understand cause and effect and minimize risk. A business interaction model identifies the organizational elements involved in a business process. It also identifies the boundaries and major interactions between the organizations involved in a process.
