Many hypothesize that IT solutions with security “built in” are as rare as the mythological unicorn. I propose quashing such a hypothesis and making security “built in” a reality. What could enable that goal to be achieved?
A critical first step is truly appreciating the power of the IT value chain. It is, after all, the complete IT lifecycle. Its fundamental parts span the first spark of a creative idea through its development, fulfillment, delivery, use and ultimate demise.
The value chain lives both within and beyond our own enterprises. To effectively make security “built in,” we must embed security into the very foundation of that value chain. How might we rally the creativity and commitment of our value chain partners to join the cause of ensuring that security is built in?
Security practitioners should create a map of their respective value chains. Only after we understand the “who, what and where” of our enterprises' value chains can we take the next step: putting in place a flexible and adaptable architecture to begin the journey of making security “built in.” Is your map complete? Do you know what organization in your enterprise owns the relationship with your distribution channel?
Once you have a map, establish what threats should be part of the mindset of your value chain members. Manipulation, disruption and espionage in the IT value chain is an essential place to start.
Next, establish foundational requirements that can be applied across the product lifecycle, from design to decommission. The key driving those requirements is collaborative partnerships with your value chain partners. After all, our goal should be to enhance integrity with security “built in,” regardless of the functional area of the company or external partner handling any aspect of that lifecycle.
Such a flexible and adaptable architecture for your value chain might include the following essential areas in which to “build in” security:
Security governance: a governance and information security program; security policies, standard operating procedures; and security risk management.
Security in manufacturing and operations: tracking and accountability; security in inventory management; security in handling proprietary items; and scrap management.
Asset management: identification and classification; media protection and disposal; and records management.
Security incident management: incident identification and reporting; and incident response.
Security service management: security in business continuity planning and business continuity plan testing.
Security in logistics: warehousing and storage; shipping and receiving; and packaging security.
Physical and environmental security: physical access control and monitoring; perimeter security; highly secure areas; security during equipment maintenance; and power and lighting.
Personnel security: security training and awareness; contracts and enforcement; and termination or change of employment.
Information/data protection: data classification and handling; cryptographic controls; backup, retention, and disposal; information access controls; network security; information system logging and monitoring; information exchange; and information infrastructure security (including cloud and SaaS).
Security engineering and architecture: secure design and development lifecycle; product security baselines; and configuration and change management.
Third-tier partner security: methods to drive your security goals throughout your multi-tiered value chain.
Real-world solutions and truly frank conversations around such an architecture can and will get us to the pinnacle of realizing security being “built in.”
Edna Conway is chief security officer at Cisco Systems.