The balance between operational efficiency and information assurance presents some special challenges. On one side of the scale, business operations need to be as efficient as possible to meet company objectives. On the other side, information security professionals seek to secure sensitive and critical information assets to protect the business, its customers, its employees, and its investors. These two efforts have an inverse relationship; as one increases, the other decreases. So what’s the answer? How do we reconcile these two opposing forces?
In the March 2007 issue of the Communications of the ACM there is an article by Stephen J. Andriole that I believe can help with these challenges (“The 7 Habits of Highly Effective Technology Leaders”, p. 67). I borrowed from that article Andriole’s 7 habits of highly effective technology leaders and adapted them in an effort to differentiate security managers from security leaders. It’s the security leader who can strike the right balance between business need and information asset protection.
Habit #1: Information security leaders focus on business models and processes before they focus on security infrastructure or applications.
Too often security managers run out and implement the list of controls, both hardware and software, currently evangelized in the press or by their peers. The security leader pauses before jumping on the passing bandwagon.
She assesses the security controls that are reasonable and appropriate given the operational realities of the business. This is typically done by performing risk assessments and then comparing the cost of remediation in both hard dollars and productivity to the actual business impact of related security incidents. Risk mitigation objectives then become outcomes for which processes must be designed and implemented. As with general technology solutions, achieving the right level of information assurance begins with the right processes targeting defined outcomes.
Habit #2: Information security leaders track technology that matters by focusing on the distinction between operational and strategic technology…
Figure 1 depicts Andriole’s operational and strategic technology layers. According to Andriole, the bottom two layers are commodities. They add little or no competitive advantage to the business. The top two layers, if properly aligned with business strategy, can provide significant advantage over the competition.
Just as business applications and solutions move the business forward, security solutions must contribute to that forward momentum. Security solutions should enable the business to reach its strategic goals by protecting the integrity and availability of information assets. Further, the confidentiality of customer information must be preserved to protect the company brand. However, these objectives must be reached in a way that works in concert with operational processes.
Habit #3: Information security leaders identify and prioritize business pain—and approaches to pain relief—as they move toward the creation of business pleasure.
Security leaders must speak the language of business. They must develop the types of relationships with business leaders that allow them to understand the pain felt when the wrong security controls are put in place or when security controls are absent.
Business leaders are moving toward more efficient ways to achieve business results through things like cost reduction and increased customer satisfaction. A security leader understands these concerns and works closely with business leaders to achieve the right level of information assurance while acting as a partner in pain relief.
Habit #4: Information security leaders optimize the value of shared services in centralized and decentralized companies, and they organize around the distinction between operational and strategic technology. Security leaders also champion governance above and below the operational/strategic line.
It’s a common mistake for security managers to develop solutions that resolve an assurance challenge for a single line of business without taking the time to step back and see the bigger picture. The security leader works with business technology governance teams to ensure a solution design that maximizes business value. This is often accomplished by implementing a single solution that solves multiple issues across departments or lines of business at nearly the same cost as implementing it for a single entity within the organization. In other words, security leaders attempt to address the concerns of the forest rather than those of one or two trees.
Habit #5: Information security leaders manage computing and communications infrastructure security professionally and cost-effectively through negotiated service level agreements (SLAs) and measurement best practices.
It’s always a good idea for a security leader to understand the expectations of the business leaders he supports. These expectations should be set down in one or more SLAs. Metrics must be created to measure the success rate with which service level objectives are met. A guide to creating and reporting security metrics can be found at SANS.org.
Habit #6: Information security leaders communicate often and predictably; leaders communicate good news and bad news in business terms…
In a large number of businesses, the successes and failures of the security team go unnoticed until there is a significant security incident. This is a fast track to unemployment for the responsible security manager. The security leader reports both successes and failures in terms of their relative impact on the business. Further, she provides business management with action plans for remediation of less-than-optimal results.
Habit #7: Information security leaders actively market their roles in the company as well as security’s ongoing contribution to the business…
One of the worst mistakes a security manager can make is to fail to continuously sell the importance of security throughout the IS department, corporate departments, and all lines of business. Awareness of the importance of security translates into awareness of the value of the security team and of the policies, standards, and guidelines it enforces. Proper marketing of successful security outcomes can result in the security leader getting a “seat at the table” where he can help build information assurance into strategic objectives.
Tom is a security researcher for the InfoSec Institute and an IT professional with over 30 years of experience. He has written three books, Just Enough Security, Microsoft Virtualization, and Enterprise Security: A Practitioner's Guide (to be published in Q1/2013). Before joining the private sector, he served 10 years in the United States Army Military Police with four years as a military police investigator. He has an MBA and CISSP certification. He is also an online instructor for the University of Phoenix.