This story appeared on Network World at http://www.networkworld.com/columnists/2009/040109-security.html

Four steps to mastering security kung fu


Op-ed by Jim Tiller, Vice President, Security Services, BT Americas, Network World, 04/01/2009

Although vendor-written, this contributed piece does not advocate a position that is particular to the author's employer and has been edited and approved by Network World Editor in Chief, John Dix.

The current economic melee is forcing a corporate metamorphosis that, when combined with ever broadening security threats, presents information security groups with an opportunity to radically change their identity and value to the business.

To capitalize on the moment, security groups need to reassess their approach, add visibility and transform security's very role.

The timing is good because maintaining security during tough economic times is critical. Besides external threats that evolve even more rapidly in economic downturns, business slumps increase the probability of disgruntled employees striking out using intimate knowledge of corporate systems.


Risk is further exacerbated by the fact that, since the last economic crisis of this magnitude, companies have
become far more reliant on information technology systems, which are now highly complex and essential to
sound operations.

Your current security path represents existing programs, capabilities, processes, etc. The goal is to create a
parallel path that influences existing practices and allows you to refine a new strategy without disrupting current
expectations. In time, the new path will become a dominating force and take you in a new direction.

Step 1: Tuning the Approach

During the last decade, security has been virtually defined by compliance. For many companies, it has been less
about security than about ensuring that certain regulatory demands are being met. Unfortunately,
compliance does not necessarily enable the business or align with core initiatives, and on its own it may not thwart
debilitating attacks.

Understanding this, some security groups have strived to use compliance efforts to improve their security posture.


Unfortunately, not all companies see the value of such activities and instead simply see compliance as a cost of
doing business.

You have to convert the security practices that fall under the banner of "mandated for compliance" into specific
activities that resonate with the business. For example, a predominant force in business is time to market and the
rapid conversion of investments to revenue generation. This can materialize as a new service, application,
communication platform, network or alliance. The key to tuning your approach is to optimize security features to
help the business move more quickly, reduce barriers or accommodate a requirement quickly.

Key to accomplishing this is institutional knowledge within the security group, and leveraging and
combining resources in ways that benefit the business as much as they benefit security. For example: supporting secure
coding practices through collaboration with the development team, optimizing standard builds to stand up servers
more quickly, running security testing as part of performance testing, or using directory services to
streamline access controls for a new partner.

Fundamentally, it is about operating in a risk/reward model. Prioritize activities based on risk as well as where
the greatest opportunities are for the business. By becoming intimate with business goals and mapping against
elements of risk, what begins to surface is a common thread that demonstrates a point where the business and
security goals become more closely aligned.

A good place to start is within the project management arena, where risks to the initiative or life cycle will
become apparent, and where you can help identify critical paths and what is most important to the business unit or
group. By combining information of this nature with the institutional knowledge the security group
possesses, you can begin to interpret the demands and risks in business initiatives and quickly find areas of common
ground.

Step 2: Adding Visibility


Security groups typically make security efforts visible to executive management by presenting security metrics,
risk dashboards, and the like. However, along the way, many encounter some key challenges.

The first challenge is that the measurements focus only on security and typically do not provide insight into
other aspects of security operations that demonstrate effectiveness. For example, a dashboard may present
compliance risk, operational risk, technical risk and current threats, and it is assumed that keeping these values in an
optimal or desired range means that security is doing its job.

However, company executives are increasingly focused on efficiency, effectiveness and overall alignment to
business initiatives. They want to know how well these objectives are being met, what influence they have had on
other key business performance indicators (such as time to market, customer retention), and how resources and
other valuable assets are being utilized.

Executives are concerned about inefficient or wasteful activities and want to ensure all activities focus on the
bottom line. Presenting to the board a risk dashboard can be helpful to demonstrate your alignment to security
concerns, but that's only one part of the equation in the eyes of executives. The more effectively security can
reduce the need to translate security results into something meaningful for the business, the better.

The second challenge relates to the "gap" factor. The gap is the difference between what security presents to
executives as visibility and the security group's actual ability to influence the system and enact change.

For example, a report may demonstrate that the number of vulnerabilities in Internet-facing applications is
increasing significantly quarter over quarter. However, the security group may not have the capacity or capability
to reduce that number to a reasonable value. As a result, some senior security managers find themselves tasked to
correct an issue they simply do not have the ability to accomplish.


In short, information from the security program is misaligned with its ability. Some use this to justify investments
that would address the gap. But unfortunately this pattern is growing increasingly ineffective as business owners
demand more accountability. The solution is to create a security program that not only presents good and bad
trends, but more importantly, has the ability to have a meaningful impact in changing them.

The challenges can be summarized in two parts. First, provide visibility into more than security in security terms: present it in a
manner that is more readily digested by executives and easier to align with business goals. Second, build a
security program that not only produces meaningful information relative to security and business metrics, but also
has the inherent capability to institute change and thereby meet expectations.

Providing additional visibility to existing risk-based perspectives can be enormously valuable. To accomplish
this, you need to become more intimate with what resonates with the executives – the measurements they focus
on day in and day out, the performance indicators they study beyond the financial ones. Each company is
different and each business unit may have a different spin. Moreover, many may seem like the furthest thing from
security, such as shipping metrics, warehousing, capacity indicators, system use or even collaboration indicators.
You have to look behind these to begin to see where security can begin to mimic the same philosophies.

From a security perspective, look to report on areas within your domain of influence and help reflect how well
you're running as a business. It can be as simple as resource utilization, project involvement or performance
quality scores from your peers.

From there you can start tying this to other reported information and trends, such as a planned decline in the effort needed to
perform regular vulnerability testing alongside a rise in report quality and effectiveness, essentially demonstrating
that you are meeting both security and business objectives. Or show how, through collaboration activities (which have
been measured) and modifications to technologies, you've helped reduce the number of security-related helpdesk
tickets. These are, of course, very basic. Nevertheless, the point is to find the links between what you
are doing for security and how well you are doing against business expectations.

This approach helps form your new path for security, drawing from your original strategies and enhancing them.
Start small, test the waters and seek mentorship within the organization. As more confidence grows in providing
additional perspectives on activities, you can move into closing the gap.

Step 3: Service orientation

By this point you've learned how to orchestrate your core competencies to help the business reach its goals using
a risk/reward method. And you've started experimenting with adding visibility to the executives on alignment. As
a result, the identity of security is beginning to shift. It may not be obvious, but it's happening. However, this is a
critical stage and the time to innovate. Once executives see something they like, they want more, expectations
increase, and that "good job" turns into "what have you done for me lately?"

One of the common pitfalls is not following through to ensure a foundation exists to keep up with new
expectations. As a result, massive ground is lost and you're back to square one.

Adopting a service orientation can help you continue to move forward. Service orientation has three primary
objectives:
1) Convert tactical best practices that were once hidden within compliance efforts into business services that can
be consistently utilized.
2) Close the gap between what you can control/influence and what you're reporting on.
3) Create a foundation for building a highly agile security approach.

The key is to learn from experimental practices in tuning activities and report on additional metrics and indicators
relative to business goals. For the development of security services, it's the tuning of the approach that provides
the information you need to get started.

In the simplest of definitions, a security service is a well-formed package of related processes, technologies
and capabilities that has a predictable outcome that is needed or in demand by the business. What makes security
services differ from traditional security activities is input.

Just about everything requires input to feed a process to produce an output. For security, the input is usually "self-
assigned," meaning the business must meet a specific policy or some other documented requirement to have
security perform an action. For example, a policy may read, "Any material change to an Internet-facing
application requires a penetration test." That's a sound approach, but it's reactive and misses the opportunity to
gain valuable insights to underlying business needs and goals.

While looking for risk/reward scenarios, you will see a pattern emerge and the tuning efforts outlined above
should help you identify opportunities to incorporate specific business attributes into what you're performing.

The basis for security services is taking advantage of this pattern. In fact, you're doing this today to some degree.
For example, an application is due for a test, but you've learned that the changes relate to one of several roles
defined in the system. As a result, you may limit testing to that one area because of your knowledge and comfort
with the application from previous tests. Now, extrapolate this to all things in security. It's less about simply
doing what you do and more about giving the business additional opportunity to feed the process in order to
refine the activity – or service in this case – to the business need.

The next important characteristic of security services is how people, processes, tools, methods and technology are
architected to perform the service relative to input and output. This is a lot easier to say than to do. Organizations
tend to approach these elements as independent or loosely coupled. Moreover, some security architectures and
frameworks facilitate segmentation, making alignment of them seem alien and uncomfortable.

One challenge is internally developed standards that are either overly comprehensive or too granular. Successful
implementation of security services typically starts with reviewing the standards and looking at them as a
common foundation to services as opposed to specific elements for a given security function.

As with all things of this nature, a slow and methodical approach wins the race. Don't try to create a services
model overnight. Take what you've learned in tuning, couple it with something you're already doing today (such
as vulnerability testing, patch management, identity management, data protection or monitoring), and then pilot a
services approach with a friendly business unit.

As this approach begins to solidify, several interesting things start to happen. The identity of security and its
perceived value continue to shift in a positive direction. At the same time, you will quickly realize that you have far
more capability to measure the operational details of your organization and, more importantly, that you inherently have
more influence over them as a result.

This essentially slams the door on the gap. Services facilitate the risk/reward model, they make it possible to
organize activities specific to demand, provide the means to measure those activities more effectively, and allow
for the controlled management of each element to ensure that what is being reported can be influenced. This can
be a perfect storm, but you're not done. To truly transform, you have to close the loop with governance.

Step 4: Governance Loop

The "governance loop" is the final step and provides the opportunity to realize real transformation. To this point,
you've tuned, experimented, tested and created the early stages of services and are beginning to rely on the new
path and less on the old one.

This has helped increase visibility and initial alignment to the business, and it promotes effectiveness. Nevertheless, at
this point time becomes your enemy: without governance, the services will eventually break down.
Governance, interestingly, provides not only the mechanism to ensure expectations are being met, but also the means to
promote adaptability, closing the loop with the business.

Governance acts as the bonding agent between ebbs and flows in the business, compliance, risk and security
activities. More importantly, this is where risk/reward is measured and fed back into the system to instigate
change. It is also important to realize that risk (management, assessments, reporting) has played a pivotal role
throughout the journey, and governance is the means to realize its full potential. Risk remains at the top of the
pyramid, but now, with services underlying it and supported by governance, it can move far closer to the business.

In short, governance is analogous to "inspect what you expect" and influence change. That means creating a set
of responsibilities and practices with the goal of providing direction as well as ensuring objectives are achieved
and resources are used responsibly. In so doing, measurements from the oversight of security not only ensure
efficient and effective execution, but also facilitate change in the program through intimate connections with risk
management and the business offering feedback into the system.

In some companies governance is associated with enforcement. Although partly true, a security group
empowered by services and close interlinks with overall enterprise governance through risk management
activities will be able to put governance to work for them. This is similar to how, over the last several years,
many security organizations have changed their perspective of the audit group.

Historically seen as a regular and painful exposure of operational weakness in security, audit processes are now
being seen as a way to strengthen security. It's turning what is usually thought of as a negative into a positive
force. The same is true with governance processes that are outside of the control of the security group or where
security is part of a governance committee.

Nevertheless, an important aspect is to understand that the security group is ultimately responsible for its
activities – good and bad. Therefore, it is recommended that governance be reflected in the security services and
program owned and operated by management resources within the group. This is not a replacement for enterprise
governance – rather, it's an extension focused on the betterment of security.

Organizations need security more now than ever, and as a result, are more receptive to security as a community.
What you do with that attention today could have enormous influences on the future of security within your
company. Although times are tough, don't assume this means opportunities don't exist. The economy will correct
itself and businesses will emerge stronger and with a new sense of determination and demands for operational
maturity. Taking advantage of what appears to be short-term focus on security for long-term gains is the crux of
the opportunity, and opportunity favors the prepared.

Tiller, author of The Ethical Hack and Technical Guide to IPSec VPNs, and contributing author on several other
books, including the Official (ISC)2 Guide to the CBK, is vice president of security services for BT in North
America. He consults with organizations globally on how security can enable business. You can reach him at
james.tiller@bt.com.

All contents copyright 1995-2009 Network World, Inc. http://www.networkworld.com
