IT professionals wear many hats these days. Not only are they charged with keeping the lights on, they must establish and maintain a defined security posture, ensure compliance with a long list of regulations, while also aligning IT operations with the organization’s broader strategic goals.
In addition, IT executives must find a way to communicate the business value of IT and risk to various business leaders within the organization. In order to do so, they must have an understanding of the organizational structure which supports corporate IT risk management, measures and enhances capability, and can communicate IT risk in business terms. Currently, organizations are deploying a number of strategies and frameworks to assess their organization’s risk and security posture – everything from ISO to COBIT. While these frameworks are often helpful, they generally provide information that is most relevant and specific to security professionals and IT risk champions.
An enterprise organization also needs to fill the gap between IT and business, a comprehensive “security blueprint’ which enables an organization to evaluate their IT security posture and allows them to communicate the current state back to business leaders. Using such a methodology allows security and IT professionals to evaluate the maturity of security program capabilities, identify areas of strength and opportunities for improvement, recommend an action plan, and communicate the overall security posture and plan of action with executive management. A security blueprint gives IT the tools to engage senior management, business stakeholders, and technical owners, and provides a roadmap for achieving goals.
A complete security blueprint includes an assessment of strategy, operations and technology, and can be conducted by understanding seven key elements contributing to an organization’s security and risk posture. Within each of these categories are a number of sub-categories comprised of all elements that need to be considered.
- Network and Systems Security: The Foundation. Have a clear understanding of how the organization’s infrastructure is architected. For example, what is the technology deployed for prevention, detection, and management around the infrastructure systems and the network.
- Application Security: Both Internal and External. In order to maintain an optimal security posture, management should assess both internal applications, as well as those procured by third-parties. A solid understanding of the risks associated with each application will help eliminate potential risk before applications are deployed.
- Data Security: Protecting Critical Assets. Data is considered the most important asset of an organization. Management needs a plan for protecting and recovering data throughout the lifecycle. Data should be kept safe from corruption and also suitably controlled.
- Secure Operations: People Drive Process. Managing and protecting assets includes a method to distribute products and services, and a process created to drive change among people. In many organizations, operations are the weakest link, yet it is also the first and last line of defense.
- Business Continuity: Ensuring Uptime. Understanding an organization’s availability requirements is fundamental to establishing priorities. There should be a clear plan to keep the business up and running, despite any potential threats or outages.
- Security Strategy: Aligning with Business. Security strategy should always be aligned with an organization’s business strategy. To do so, security professionals should ask the following questions: What do I want to protect? How do I want to protect my assets? Finally, what are the metrics to evaluate for success?
- Security Organization: Sharing Risk. Along with security strategy, a security organization should also be aligned with the business goals and objectives. Security professionals should also be able to illustrate how their programs and initiatives will drive the business goals and objectives.
When to Implement a Security Blueprint
There are several scenarios in which a security blueprint can be particularly helpful in balancing an organization’s overall IT risk and security management program. One is when an organization needs to evaluate the current state of their existing program capabilities and define their desired state of program maturity. Applying a blueprint approach against the aforementioned seven core program pillars provides a portfolio model for aligning the value of security with business objectives and associated risk tolerance. For example, when a CIO, CSO, or executive, needs to identify, evaluate and address gaps in their security and IT risk program. The result of this blueprint assessment enables the executive to prioritize their initiatives around program elements which bring the greatest business, security and IT risk management value.
Another security blueprint use case might be during a merger or acquisition. During an acquisition, an organization will examine their maturity level with regard to security and risk. They might plan to use some integration dollars to bolster the acquired company’s security posture to bring it in-line with their desired level. A security blueprint will identify the areas that need the most improvement. It will also give them the insight into what the acquisition company’s strengths are. This way, they can also leverage these strengths and apply them across the board.
Similarly, for a large organization with a number of subsidiaries, the security blueprint process will examine each different business unit, along with the parent company, to determine the strengths of each subsidiary. Rather than the parent company investing and bolstering each area to one level, they can borrow and implement programs from its subsidiaries. This allows executives to take what exists and leverage it across the board, rather than investing in designing a program.
A security blueprint gives an organization a good understanding of the breadth of information security capabilities that should exist within the organization. It also allows the executive team to visualize and measure an overall information security program, greatly simplifying the overall equation in managing security.
By following seven simple steps that address the strategic view, the operational view, and the technology view, executives, security practitioners and business stakeholders can evaluate overall capabilities and align their security program portfolio with the risk expectations of their business.