Kent Anderson, CISM, managing director, Encurve, LLC and member of ISACA’s Security Management Committee
In a recent ISACA survey on the top business and security issues for 2008, more than 80 percent of security professionals reported that “security risks [are] either not known or only partially assessed.” If the security professionals charged with (and paid for) protecting information assets don’t understand risk, who does?
What is more frightening is the thought that billions of dollars are invested in IT security every year without understanding exactly what we are protecting against. This is probably the best explanation of why security problems just keep getting worse. These and other gloomy statistics point to a worrying problem: Business as usual in the security profession isn’t working.
Part of the disconnect between practitioners and understanding risk is a narrow-minded focus on technology. New and disruptive technologies are introduced continuously, and security managers too often jump for the first vendor that offers any type of solution without a thorough understanding of the risks involved, how they might affect the organization or what it takes to manage the vendor’s solution. In other words, they can’t see the forest for the trees.
Real understanding of risk requires a focus on the organization’s business. Too often, security managers think that a business focus on security means producing another fudged ROI to justify the purchase of yet more technology. It doesn’t. It means understanding the impact of threats on the business, and to do this necessitates collaboration throughout the organization – finance, audit, legal, HR and all the other business units.
Technology should not be ignored – it is an important element of the risk equation. However, when we take a more business-oriented view of security, three other elements quickly become clear – people, organization and process. In fact, when we look at why security technologies fail to live up to expectations, it is usually one or more of these other facets that is missing. For example, how often have we seen a security tool not perform because there was no process to configure it or properly analyze its output? How often has a security solution failed because it proved too cumbersome to integrate with existing business infrastructure?
The security profession needs a new business model for security that incorporates each of these elements and addresses the interplay between them. We need to communicate security in business terms, not technical ones, and we need to understand risk as it affects the organization and its operations. This is not easy and necessitates a much more proactive approach. However, when risks are understood in this strategic fashion, the organizational, process and people concerns can be addressed and communicated. Only then can we begin to realize a true risk-based approach to security; only then will we be able to make informed decisions related to the selection and operation of security controls – ones that truly reduce risk and close the disconnect between security and business.