NEWS AT SEI

As their understanding of security deepens, organizations are looking for new techniques to manage security. Enterprise security management (ESM) is an emerging research area that aims to help organizations in this quest for a better approach to security by making it an enterprise-wide competency. This means a fundamental shift in focus as an organization ensures that security is used to achieve its goals and become more resilient, while managing security as a core competency instead of as an extension of information technology.

In an outgrowth of fieldwork deploying information security risk assessment methodologies, a team in the Networked Systems Survivability program at the Software Engineering Institute (SEI), consisting of Rich Caralli, James Stevens, Bradford Willke, and Bill Wilson, is identifying and examining the core capabilities that define a framework for security management in an organizational and operational context. In this context, the practice of security is viewed as an activity that keeps the organization’s productive elements—people, assets, and technology—free from harm or disruption so that they can perform their intended functions and help the organization accomplish its mission.

Managing for Enterprise Security

When managing for enterprise security, an organization cannot separate security from its other goals. Making security one of the business goals of an organization elevates that organization’s ability to realize an effective security approach. With enterprise security, the focus expands to all of the processes of an organization. In addition, if an organization is aware of and supports its core competencies, security benefits and protection of critical assets and processes will result even though security is not the main focus.

In developing the ESM approach, the team is concentrating its efforts on several key processes.

• Identify core capabilities The immediate focus of the ESM research is to develop a capabilities framework that represents the essential capabilities necessary for addressing security as a business problem. This framework is intended to document and describe the core capabilities necessary for a systematic, managed, and measured process for securing the assets and processes of medium to large organizations.
  
  The team studies real-life organizations as they confront various aspects of security management and interact with high-performing organizations that are achieving security effectiveness through expanded focus on other organizational functions such as IT operations and asset management. The goal is to identify common core capabilities that can be used across organizations. These core capabilities
  • do not always have security as their main focus
  • represent many of the horizontal competencies that organizations already have to conduct business
  • are necessary for organizations to achieve their critical success factors and accomplish their missions
  • are executed throughout the organization, not concentrated in any one operational unit or department
  • are both strategic and tactical in nature
• Develop the appropriate tools, techniques, and methods. Throughout this work, the ESM team continues to develop additional supporting tools, techniques, and methods that facilitate an enterprise approach to security management. One of these methods—the Critical Success Factors Method—has already been documented in an SEI technical report.1 This method helps organizations to establish a foundation for ESM by identifying the organization’s strategic drivers and using them to guide security strategies.
  
• Leverage best practices. In their work with ESM, the team studies multiple sets of best practices to synthesize them and determine what capabilities are being recommended to organizations. The SEI is in a unique position to take a critical look at best practices and to identify the capabilities that they represent. These best practices are beyond the scope of security and relate to many different organizational capabilities. Some of the practices used span the topics of security, IT operations and service delivery, and compliance and regulations. They represent administrative/managerial, technical, and operational practices.

The team has found that by virtue of employing best practices prescribed in some methodologies, some organizations are implicitly covering their security needs while attending to the overall needs of the organization. For example, the practices prescribed in CobiT2 and ITIL3 methodologies easily translate to potential improvements in security and resiliency: if an organization’s configuration and change management capabilities are performed consistently and with high quality, many of the vulnerabilities that exist become less of a threat because software updates are regularly installed.

Plans for ESM

ESM continues to grow and be shaped by lessons learned in fieldwork with customers who are trying to improve their security effectiveness and success. The team is currently developing more analysis methods to allow organizations to assess their capabilities for enterprise security management and is actively looking for collaborators who are interested in improving the effectiveness and efficiency of their security efforts at the enterprise level. Potential collaborators include—but are not limited to—large banks, insurance companies, manufacturing organizations, large county and state governments, as well as Department of Defense agencies. The ESM team welcomes interaction with this community so that the emerging capabilities framework represents the best cross section of organizations that are using security as a way to accomplish their goals and mission.