NEWS AT SEI
This article was originally published in News at SEI on: March 1, 2005
Security-conscious leaders ensure that they are adequately and accurately informed with respect to risk management, business continuity, and organizational resilience, all of which affect security-governance actions. In our research on managing for enterprise security, we discuss the necessity of a shift in perspective [1], point of view, or frame of reference in order to be in a position to ask the right questions, as follows:
Security lives in an organizational and operational context, not as an isolated discipline. Effective security must take into account the dynamically changing risk environment within which most organizations are expected to survive and thrive. To achieve and sustain an adequate level of security that directly supports the mission of the organization, leaders must shift their point of view (or frame of reference) and that of their organization from an information-technology-based, security-centric, technology-solution perspective to an enterprise-based, risk management, organizational continuity and resilience perspective. This requires moving well beyond ad-hoc, reactive approaches to security (lacking process and procedure, and dependent upon individual heroics) to approaches that are process centered, strategic, and adaptive. The CSO [and CISO] must be able to draw upon the capabilities of the entire organization so that they can be deployed to address a problem requiring an enterprise-wide solution set. However, because security isn’t a one-shot activity, it also means being able to achieve it in a way that is sustainable—systematic, documented, repeatable, optimized, and adequate with respect to the organization’s strategic drivers. [Caralli 04]
The presence of this shift in perspective increases the likelihood of involving the right stakeholders and obtaining the right information required to make well-informed governance decisions about security oversight, investment, and performance. The shifts most applicable to governance are briefly summarized below and in the table below. They are covered in greater detail in our technical report Managing for Enterprise Security. [Caralli 04]
- Scope: From viewing security as a technical or technology-centric problem to viewing security as an enterprise-management problem. Scope answers the question, “What is the scope and extent of security concern within the enterprise?”
- Ownership: From security ownership by those with technical expertise to ownership by the business, which is the driver and ultimate benefactor. Ownership answers the questions “Who has the authority to act?” and “Who is accountable and responsible?”
- Focus: From an intermittent focus on security when something bad happens to treating security as an accepted and expected business process and an included cost of doing business. Focus answers the question “How is security considered with respect to other fundamental enterprise operating principles?”
- Funding: From treatment as a discretionary expense, burden, or tax to treatment as an expense and investment for the business projects and processes that security supports. Funding answers the questions “How does the organization fund the sustainment of adequate security?” and “How is security return on investment (ROI) calculated?”
- Goal: From leaders asking the question, “Are we secure?” to leaders asking the more useful and relevant question, “With respect to security, have we taken sufficient steps to ensure that the business and its critical assets are adequately protected and properly resilient?”
| Shift | From | To |
|---|---|---|
| Scope | Security is a technical problem: technical network (hardware, software, infrastructure); technical requirements (protect the perimeter); technical assets (desktops, laptops, servers, databases); technical specialty (in the realm of IT and system administrators) | Security is an enterprise-wide problem: enterprise network (people, processes, business units); enterprise requirements (privacy, asset protection); enterprise assets (customer data, employee data, communication); enterprise core competency |
| Ownership | Security has a technical owner: IT is the driver, owner, and primary benefactor; technical personnel are responsible for security; the CSO/CISO is considered a technical adviser | Security is owned by the enterprise: the enterprise is the driver, owner, and primary benefactor; business leaders understand security and have security responsibilities; the CSO/CISO is considered an adviser to the business; all employees understand their responsibilities with respect to security |
| Focus | There is an intermittent focus on security: security is sporadically singled out for attention, investment, and justification; risk assessment is applied to security as a special case; security is on the agenda to comply with regulatory requirements | Security is integrated: security is a requirement of conducting business, considered in normal planning and business-conduct cycles; a more secure state results from effective risk-management capabilities; existing security controls meet compliance requirements |
| Funding | Security is an expense: the benefit of security is not measured or is hard to measure; return on security investments is not required or quantifiable | Security is an investment: the benefits of security are measurable, measured, and regularly reported; return on security investment is required and quantifiable in business terms; security expense and investment is part of all applicable business projects and processes |
| Goal | The goal is security: the focus of security efforts is on threat, vulnerability, and protection; there is no articulated, desired security state; there is a potentially excessive deployment of security technologies undertaken in a piecemeal approach | The goal is business continuity and ultimately resiliency: the focus of security efforts is on impact, organizational continuity, and preservation of trust; adequate security that meets business objectives is the desired state; security costs, benefits, and risks are in balance |
[1] Earlier work on shifts in perspective from security to survivability, including questions to ask to initiate each shift, can be found in the article “Information Survivability: Required Shifts in Perspective” [Allen 02].
Allen, Julia; Sledge, Carol. "Information Survivability: Required Shifts in Perspective." CrossTalk, July 2002.
Caralli, Richard; Wilson, William. "The Challenges of Security Management." Carnegie Mellon University, Software Engineering Institute, July 2004.
About the Author
Julia Allen is a senior member of the technical staff within the Networked Systems Survivability Program at the Software Engineering Institute (SEI), a unit of Carnegie Mellon University in Pittsburgh, PA. The CERT Coordination Center is also a part of this program.
Allen is engaged in developing and transitioning enterprise security frameworks and executive outreach programs in enterprise security and governance. Prior to this technical assignment, Allen served as acting Director of the SEI for an interim period of 6 months as well as Deputy Director/Chief Operating Officer for 3 years. Her degrees include a B. Sci. in Computer Science (University of Michigan) and an MS in Electrical Engineering (University of Southern California). She is the author of The CERT Guide to System and Network Security Practices (Addison-Wesley, June 2001).
The views expressed in this article are the author's only and do not represent directly or imply any official position or view of the Software Engineering Institute or Carnegie Mellon University. This article is intended to stimulate further discussion about this topic.