Enterprise Information Security is About Progress

Sunday, November 20, 2011

Robb Reck

C787d4daae33f0e155e00c614f07b0ee

Successful Enterprise Information Security is about Progress

What does a successful information security program look like in an organization? The traditional answer would be something like, “Technology risks are kept to a level the organization is willing to accept.”

That sounds pretty simple right? Find the places where risks are greater than we’re comfortable with, then fix it.

That type of thinking works for a point-in-time evaluation, but comes up lacking when we consider the dynamic nature of enterprise information security. Things change. New vulnerabilities are discovered, new types of technologies are implemented, and new business requirements arise.

In reality, there is never a point in time at which we have adequately addressed all of our technological risks. The rate of exploit discovery and the lifecycle for fixing vulnerabilities ensures that we will always have open issues.

With that reality in mind, we need to reconsider what makes a successful security program. Security should focus not on an end goal of “good enough” but on an end goal of sustained improvement.

Security Over Time

Security can often come across as a demanding, RIGHT NOW discipline. And there are some good reasons for it. We know that hackers could break into the network right this moment, and that gives us real urgency. The newest hacks from researchers show that even most trusted systems are vulnerable to exploit. The reasonable first response to this is to jump into action and immediately fix the issue.

But when we work with the business, the reality is much bigger than just security. Our partners in the business have to worry about losing customers because they don’t delivery our products on time, competitors out-innovating us, risks of financing falling apart, and many other business issues that could damage the business just as much (or more in many cases) as a security incident could. In the background of all these competing interests, a security manager who continues to insist that our vulnerabilities are the number 1 priority is going to get tuned out, or worse.

As soon as we stop enabling the business to produce better and faster, we become a liability.

What we can do instead is collaborate with the business to come up with a long-term plan for implementing security that does not inhibit innovation and progress by the business, and shows sensitivity to the overwhelming demands that they are often under. Yes, the plan we agree on must take the organization to a level of acceptable risk. But we can do so over months and years instead of days and weeks, show improved security over time, and develop trusted partners within the business.

Enterprise security is a service function. We exist to enable the business to do their jobs without being crippled by cyber-attacks and unreliable systems or losing their trade-secrets to competitors. As soon as we stop enabling the business to produce better and faster, we become a liability.

Cross-posted from Enterprise InfoSec Blog from Robb Reck

Possibly Related Articles:
11310
Enterprise Security
Service Provider
Enterprise Security Vulnerabilities Innovation Information Security Risk Mitigation IT Security EntSec
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.