One way an Enterprise Security Architect can add real value is by having a more meaningful conversation about security and its role and purpose. More often than not, securing an enterprise is not discussed in a meaningful way with the senior executives who can choose to commission and invest in security transformation.
It seems to me that we’ve forgotten that a meaningful conversation starts with a focus on what we are ultimately trying to achieve. In the context of Enterprise Security, effective security risk management happens when the relevant security objectives are continually and consistently achieved within their agreed tolerances, even in the face of threats within the enterprise’s operating environment.
With this as a foundational view, progress towards a mature security posture becomes measurable in terms of increasing the predictability of consistently achieving the agreed security objectives. Success is then defined as the ongoing achievement of the security target relating to each objective, not by whether an incident has or has not occurred.
Setting contextual security objectives introduces the recognition that security is not total invulnerability to all attacks, but rather a consciously risk-managed and economically efficient level of vulnerability, given competing claims upon business resources. In this sense, security objectives show what the enterprise expects in return for its information security investment. Put a different way, the act of defining security targets also specifies the risk appetite, or the tolerated variance against the objectives.
As a result of such an approach, the enterprise security strategy is driven by a desired set of outcomes, rather than by the latest technologies, the most recent incidents or media-hyped attacks.
This piece by Farhad Manjoo is so spot on….
“Imagine you run a large technology company not named Apple. Let’s say you’re Steve Ballmer, Michael Dell, Meg Whitman, Larry Page, or Intel’s Paul Otellini. How are you feeling today, a day after Apple CEO Tim Cook unveiled the new iPad? Are you discounting the device as just an incremental improvement, the same shiny tablet with a better screen and faster cellular access? Or is it possible you had trouble sleeping last night? Did you toss and turn, worrying that Apple’s new device represents a potential knockout punch, a move that will cement its place as the undisputed leader of the biggest, most disruptive new tech market since the advent of the Web browser? Maybe your last few hours have been even worse than that. Perhaps you’re now paralyzed with confusion, fearful that you might be completely boxed in by the iPad—that there seems no good way to beat it.”
I think Chris Chant has hit the nail on the head with his recent Institute of Government piece.
“It is unacceptable at this point in time to not know the true cost of a service and the real exit costs from those services: the costs commercially, technically and from a business de-integration standpoint. So, how do we untangle our way out of a particular product or service? I can’t tell you how many times I’ve had the discussion that says, we need to get away from that, and we can’t because of the complexity of getting out from where we are, and of all the things that are hanging on to that particular service, that we can’t disentangle ourselves from.
I think it’s completely unacceptable at this point in time to enter into contracts for longer than 12 months. I can’t see how we can sit in a world of IT, and acknowledge the arrival of the iPad in the last two years, and yet somehow imagine that we can predict what we’re going to need to be doing in two or three or five or seven or ten years time. It’s complete nonsense.”
It fills me with hope that there are people out there working to highlight that the command-and-control approach to technology and systems no longer holds up. Can the few break out of the force field of the incumbent suppliers? I really hope so.
Full audio of Chris’s piece is available here.