Cyber Security Process Improvement

Process driven data security

Overview

Today’s organizational principals face a multitude of challenges. These challenges include the need to innovate in extremely competitive business climates, address highly dynamic regulatory and compliance challenges, speed returns on investments to counter shrinking budgets and secure the enterprise against a wide variety of evolving sophisticated security threats.  However, unlike other business challenges, organizations typically take a technology-driven approach to securing their infrastructure, when in reality; a business-driven approach is justified.  A business-driven approach to security is unlike a technology-centric approach in that the business goals drive the requirements in securing the organization.  Organizations often take a bottoms-up approach to security because security solution vendors typically promote this approach to their clients.  To close identified security gaps, organizations broaden and bolster their defenses by continually building on top of or adding to their existing security investments.  This technology-centric methodology often creates an excessively complex and disjointed security infrastructure. It becomes difficult to manage, prone to unknown vulnerability gaps, escalates costs and eventually fosters unnecessary operational inefficiencies that inhibit business growth rather than enhance it. Instead of trying to protect against every conceivable threat, organizations should understand and prioritize the security risk management activities that make the most sense for their organization.  By understanding the level of risk tolerance within an organization, the IT security area can more easily focus on mitigating risks that the organization can’t afford to neglect.  Overemphasizing certain risks leads to wasted resources and efforts, while underemphasizing others can have undesired consequences. Organizations can find it difficult to achieve a strategic, end-to-end security approach that supports business goals such as driving innovation and reducing organizational costs, as well as operational requirements to address compliance measures and protect against internal and external threats. We wish to share some actions that an organizations can take to drive security efforts from a business and operational perspective and discusses how we can help enable their success.

Measurement

1. Must be objective
2. Repeatable
3. Relevant
4. Valuable

Sample measurements

Optimize and protect business processes

The common security model ingrained in today’s corporate world involves implementing a broad set of capabilities to protect against the most publicized threats of the day.  This security approach results in the deployment of an array of siloed security tools.  Not only do these tools lack the means to work together to effectively protect against today’s highly sophisticated and organized attacks, but they can hinder business operations, generate cost redundancies, create complexity, operate in isolation of business objectives and fail to provide appropriate metrics to allow today’s business-minded security executives to determine their effectiveness.  Security should not be addressed in isolation from other business activities within the enterprise.  Instead, it should be viewed from a business perspective — looking at security as a means to protect and enhance business processes. Most organizations have just a handful of business processes that make up 80 percent or more of their risk, while they might have many other processes that account for less than 20 percent of their risk.  To align security efforts with business concerns, organizations should focus on securing those few processes that make up the bulk of the risk.  They must also prioritize risks and vulnerabilities based on their potential to disrupt the business’ most critical processes.  This strategy involves a level of planning and assessment to identify risks across key business areas, including people, processes, data and technology throughout the entire business continuum.  Such planning can facilitate the design and building of a business-driven security blueprint and strategy that can act as an effective shield of defense for the entire organization — to meet business needs and optimize business results.