Security and the Business: The Need for an Adaptive Security Management Architecture
The adaptive security management architecture (ASMA) seeks to take advantage of existing security practices and build upon them to promote the value of security to the business and to ensure a meaningful security posture. The ASMA is as much about the business and the security organization operating as a business unit as it is about security, risk, and compliance. There are many facets to the ASMA to achieve this, including capability maturity, applying security through services, and performance, security, and quality measurements that combine to ensure effectiveness and efficiency. Moreover, the characteristics of the ASMA provide clear visibility into operations and security that ultimately translate to adaptability and enabling the business.
Why a New Architecture?
Today, security is predominantly a collection of practices that are applied based on policy and standards to ensure consistency to meet overall expectations in the management of risk and compliance. These practices are horizontal in nature given they are usually performed equally across the business and similarly across industries. In fact, most security organizations work very hard to ensure consistency throughout the environment to reduce the potential for gaps in compliance and to maintain reasonable uniformity in the environment to manage risk effectively.
However, the focus on consistency has created a rigid model that does not always effectively address shifts in the business. Moreover, the horizontal and standardized application of security practices does not necessarily resonate with the business for two important reasons. First, the business may be forced to have security applied in its entirety, which may include elements the business simply does not see value in, does not understand the applicability to their environment or requirement, or may be simply security's standard approach that is not tuned to the specific goal.
Second, there is limited understanding and visibility into the operational integrity of the security group and the application of security practices. For example, how efficiently are the security practices being performed, how effective is the result, what features align to the business's goals, and how do these security practices relate to the overall security program and the mission of the company?
These challenges represent the reasoning for an adaptive architecture that utilizes services as a method for applying security throughout the business. Moreover, a very important overriding theme throughout this book is that today's security is mature, comprehensive, and quite sophisticated, yet how do we unleash that potential and change the very identity of security in the business? Arguably, the consistency fought for within the security industry has merit. Nevertheless, it has also ushered in difficulties in aligning effectively to the dynamics of the business and achieving adaptability.
While security has evolved significantly over the last several decades it has also unwittingly become a limiting factor from the business's perspective. Businesses seek to explore opportunity, increase market share, drive revenue, and differentiate themselves. This means taking on risk and new challenges and always changing. Conversely, security seeks to protect the business and put in controls to ensure compliance, manage risk, reduce the potential for debilitating events, and drive consistency. While this is exceedingly important, balance between enabling the business and protecting the business has not been fully achieved. In fact, one could argue there is a growing chasm (Figure 1) between the directive of security and that of the business. This has become exceedingly evident in the face of massive, global economic turmoil.
Figure 1. Security and business chasm.
Introduced above, the two problems can be summarized as the application of security and the operational integrity of the security group. The holistic employment of horizontal security practices in their entirety may not meet the business need, may include features that are not applicable, or worse, not include attributes that are critical to the business or the overall security posture. Moving forward security must acknowledge the business's needs as much as the desire to ensure comprehensive security. Next of course is how investments, budgets, and resources in security are employed in providing security and how this is communicated to the business in terms they can readily digest.
The ASMA closes the gap between business needs and security needs, and redefines security in the eyes of the business to be seen as a valuable, enabling force. It does this by doing two simple and fundamental things. First, it exploits the sophistication that exists within most security organizations today. Second, it does not try to fight the consistency battle causing the divide, but rather it embraces it in the form of business intelligence and operations.
As security evolved it produced a great deal of standards in the application of security practices. And as previously discussed this presents a degree of rigidity and inflexibility. However, beneath this lie extraordinary capabilities to address virtually any scenario. We've all experienced a situation where common approaches fall short and the "go-to-guy" is called in to connect the dots. The resulting activities may be non-standard and unorthodox, but the ultimate goal is achieved. Essentially, the "go-to-guy" understands all of what is possible and what exists within the realm of security in the organization as ingredients, takes time to understand the need, and composes a solution that utilizes existing nuances to fine-tune security to meet the specific objective. Moreover, this is performed in a manner that not only satisfies the business demand, but also ensures it has value in the larger security posture, such as compliance and risk.
Clearly, not all scenarios can be predicted and therefore cannot be standardized. As a result, there are many security-savvy professionals in the field tuning and adjusting the norm to achieve a goal. This represents monumental value to security and to the business when wielded correctly. Unfortunately, these efforts are rarely indoctrinated because they are seen as one-offs and the value is inexorably tied to the "go-to-guy", who you hope does not quit.
The ASMA, in large part, exploits this organic process by providing an interface between the business and the application of security. Security can have a wide range of depth and breadth in its application and as a result has the potential to be fine-tuned to a specific need or environment. Given the likelihood for complexity and diversity of challenges and environments, traditional security standards cannot be solely relied upon. Moreover, the reliance on individual or group efforts is not scalable and represents single points of failure to the security program, which challenges sustainability.
By building different security services and spreading horizontal security practices over several vertical (targeted) services, the spectrum of possibilities in the execution of security can be reduced, offering the opportunity to predict different scenarios. These options will manifest themselves in the service and ultimately act as governing agents in the application of security.
Although the organization of security into services begins to introduce greater sophistication in the execution of security, this represents only one aspect of the value the ASMA provides. The ASMA does focus energy on the delivery of services, but it also defines mechanisms to ensure compliance, address risk, and ensure people and processes are interacting effectively, and it introduces specific points of interaction that ensure consistency in the operational integrity of the security organization.
What should become evident is that the ASMA is, in part, formalizing and enhancing what is already likely occurring in security organizations around the world. It's about embracing all the resources at your disposal and acknowledging the value of organizing security in a manner to truly exploit what is possible and fundamentally converting security into a business enabler. It is raising the bar on performance, expectations, and capability, moving beyond common practices to release the true potential of security. Today's challenges, such as addressing multiple regulatory demands and communicating the need for security to executives, will give way to an environment where these become byproducts. When fully implemented, it is likely security organizations will discover far more intimacy with the business, have greater clarity on capabilities and expectations, and play a more integral role in the evolution and overall success of the business.
The Conflict of Change
Change is the key factor and as such represents the fundamental conflict between security and the business. It is necessary to acknowledge the opposing forces and find a balance between the heritage of traditional security and the emerging demands of the business.
Figure 2. Forces driving change.
At the highest level security is an agent for stability conflicting with the agent of change within the business. Security seeks to focus on standardization and consistency to ensure a predictable environment, whereas the business is seeking to drive change to increase market share, ensure continued competitive differentiation, or enact progressive products or services.
The key to finding balance is to ensure change is not simply for the sake of change, but rather for security to have a meaningful role in maintaining posture when change is necessary. Fundamentally, this is having the capacity within security to have comprehensive visibility into how the security program is functioning and identifying the options for change as well as the implications of change. Comparatively, today we have change that flows down from the business into security, which is forced to react, and this ultimately translates to firefighting. Moreover, this has resulted in a security culture of resistance and the formation of policy and standards that create an envelope for the business in how to address change, which has not been enormously successful and will likely not scale with the business over time.
The next level of conflict is the interpretation of control. Today's security has assumed the role of protector as well as enforcer, leading in some cases to a police state. This conflicts with the fact that the business is in control and ultimately in control of change to drive business and meet stated goals. It is inevitable that the business will move forward. Of course there are conditions, specifically compliance, where the business must concede to the needs of security, but this has resulted in a poor identity for security. The balance is for security to accept change, accept the inability to control the business's demand for change, and promote a culture of agility through maintaining control of change. It is necessary to embrace change and all this implies, and prepare a security capability that is resilient, proactive, and predictive.
Finally, today's security architecture is the manifestation of standardization and stability and is reflective of controlling the business. Many security architectures are inherently assumptive of strategic direction within the business, conflicting with the formation of such things as business and IT governance. IT governance has a connection with the business to drive strategy and how this materializes in IT business services. Some security organizations have formed a tight bond and have become integrated with IT governance, but for many the conflict remains. The balance is for security to understand the "why" of change. This is not learning about the change to dismantle it or fight it, but rather to fully understand the business drivers so that security can plan more efficiently and, more importantly, respond effectively to the change.
However, to truly participate in change it is essential to have a method of operation that is poised for whatever the business is seeking to adjust or accomplish. Therefore, the ASMA is founded on capability, operational integrity, and clear visibility that drives business aligned security. Today we have security architectures that define security mostly from a security practitioner's perspective and not from a business perspective. It is necessary to reverse this model.
Every organization will experience change. Change will be forced upon them or be an elective dynamic to move the business farther or in a new direction. Regardless of reason or purpose, it is inevitable and as such companies have become astute at change. However, change is the least effective part of security and as a result has driven a wedge between security and the business. Within the security industry there is an overwhelming sense of responsibility and control as a protector. Unfortunately, over time as the world of business evolves rapidly, change is a constant and security must also evolve to enable change.
From Adaptive Security Management Architecture by James S. Tiller. New York: Auerbach Publications, 2010.