Information Security Managers work in an industry that is new in comparison to many of our corporate peers. Because information security challenges are constantly changing, we must work diligently to update our skills and remain current. As we do this, it becomes easier to insulate ourselves in a world of information security knowledge and to segregate ourselves from the rest of the business world. It is time to shake ourselves from this habit, and recognize that business drives information technology, security and risk management. The business controls our budgets and sets the bar for risk tolerance. There has been a push in the information security industry to teach ISMs to speak in business terms. While it is born from the noble goal of communicating better with our company executives, this is bad advice. ISMs shouldn’t think of changing the way they speak to suit executives — they should actually change the way they work to become more of an integrated part of the business. ISMs should strive to be businesspeople, not just technicians. Information security should help you achieve business goals and meet business missions.
For all these reasons, it’s important to shift our focus to a process-centric view of security. Process-centric security is the third generation of the information security industry. At the birth of the industry, our view was technology-centric. How do we protect servers, networks and databases? During this time, information security was very product-driven. Firewalls and intrusion detection were our focus. As we matured, our view became information-centric. Where is the critical data? How is it classified? How should we protect it? We became more concerned with encryption and information lifecycles. 
These approaches advanced the industry, and they haven’t been totally replaced. However, as we gradually see the bigger picture, we add layers of sophistication around the knowledge that we’ve already been using. On top of the technology and the information, it’s time for us to add business process. 

Many people can completely secure their infrastructure. It’s not that difficult to build near-perfect security. I can encrypt data, disconnect networks, hide everything behind securely locked doors and post guards to watch the doors. The problem, of course, is that it’s impossible to be profitable in that environment (or, for public-sector organizations, it’s impossible to deliver services). The goal of our organizations is to be profitable or to deliver services, not to achieve perfect security. Obviously the quest for perfect security must be counterbalanced against the need to conduct business operations. The risks that are the most dangerous to us are the risks that we don’t know about yet. Understanding the business, identifying the risk and balancing it against the pursuit of business objectives to make effective decisions are the responsibilities of an effective risk management program.
Lately, corporations and public sector organizations have been driven by compliance as much as by business issues. While it is often effective to use regulatory and industry standards in order to ensure the completeness and modernization of our own security programs, compliance should never be the primary driver. “Security by compliance” means that you are aiming to become the lowest common denominator in your industry. Everyone must be compliant. If compliance is what drives your program, then you will never be better than your average competitor. You will never be a business enabler in this environment. In fact, if security by compliance is your plan (as it is in many organizations which I have seen recently), then you are on a path to failure. Gartner studies show that the number of new regulations that apply to our industry is doubling every six years. 
So, what is process-centric security? How do we achieve it? Process-centric security is an approach to risk management that aligns security focus on the functions within an organization most important to meeting the strategic vision and goals of the organization. At the highest level, what is the mission of your business? And what business functions are required to achieve that mission? Many times, these have already been documented as a part of a business continuity or disaster recovery program. If they have not, then a business impact analysis will identify critical business processes. 
Many models can be useful in your security blueprinting efforts, and I am only going to describe a few of them in this article. These critical business functions are documented in a business functions decomposition report. It describes the business functions in the enterprise that fulfill the enterprise's vision and strategy. This report captures ongoing, never-ending business activities that realize the enterprise's mission.
The next step to achieve process-centric security is blueprinting these critical business processes. Blueprinting identifies the relationship between the business and the people and technology that support it. It exposes the known and unknown complex relationships in order to see ahead of decision points, understand cause and effect and minimize risk. A business interaction model identifies the organizational elements involved in a business process. It also identifies the boundaries and major interactions between the organizations involved in a process.
Now that you understand the business units involved in a critical business function, it is critical to break down that business function into individual interactions in order to determine how well security is maintained along the way. For every individual interaction, is data protected properly wherever it is stored, processed or transmitted? One of the best ways to break down a business function for further review is through the use of a Swim Lane Model. Swim lane models represent a business process in terms of its component activities, and the flow of work among the activities. Swim lane models show you the step-by-step process that is followed for every business interaction. More information about these interactions allows you to better understand the real-world usage of the confidential data and critical technologies that we have been working for years to protect.


Business function decomposition, business interaction models and swim lane models serve as tools that allow you to look inside your business to make sure your valuable assets are protected. They help ensure your security planning reflects real usage patterns. When you look into these real-world usage patterns, you might determine that the business requirements have changed your original ideas about risk prioritization. This is good for your security program and beneficial for your organization, because now you are protecting more than technology and data — you are protecting the way your company does business to meet its goals and objectives.
A process-centric approach to security and risk management will help you meet real business goals. Security projects are always more successful if they are guided by demand from the business units and not just pushed from IT. By working with executives and senior management in a process-centric approach, the business units will become more comfortable protecting their own processes. A process-centric approach helps you to understand the threat profile that you are facing, and design confidentiality, integrity and availability into the entire business function from start to finish — which eliminates gaps in security. Finally, using a process-centric approach provides context for your security program. It helps identify logical and physical assets, understand how they are used, and determine the necessary security controls that will help the business be more effective.
