Security and the business: the need for an adaptive security management architecture
Author: Magomedova Aminat
Journal: Экономика и социум
Section: Main section
Article in issue: 12 (55), 2018.
Free access
The adaptive security management architecture (ASMA) seeks to take advantage of existing security practices and build upon them to promote the value of security to the business and to ensure a meaningful security posture. The ASMA is as much about the business and the security organization operating as a business unit as it is about security, risk, and compliance. There are many facets to the ASMA to achieve this, including capability maturity, applying security through services, and performance, security, and quality measurements that combine to ensure effectiveness and efficiency. Moreover, the characteristics of the ASMA provide clear visibility into operations and security that ultimately translate to adaptability and enabling the business.
Keywords: new architecture, ASMA, the conflict of change, traditional security and the emerging demands, business and achieving adaptability
Short URL: https://sciup.org/140241099
IDR: 140241099
Text of the scientific article: Security and the business: the need for an adaptive security management architecture
Why a New Architecture?
Today, security is predominantly a collection of practices that are applied based on policy and standards to ensure consistency to meet overall expectations in the management of risk and compliance. These practices are horizontal in nature given they are usually performed equally across the business and similarly across industries. In fact, most security organizations work very hard to ensure consistency throughout the environment to reduce the potential for gaps in compliance and to maintain reasonable uniformity in the environment to manage risk effectively.
However, the focus on consistency has created a rigid model that does not always effectively address shifts in the business. Moreover, the horizontal and standardized application of security practices does not necessarily resonate with the business for two important reasons. First, the business may be forced to have security applied in its entirety, which may include elements the business simply does not see value in, does not understand the applicability to their environment or requirement, or may be simply security's standard approach that is not tuned to the specific goal.
Second, there is limited understanding and visibility into the operational integrity of the security group and the application of security practices. For example, how efficiently are the security practices being performed, how effective is the result, what features align to the business's goals, and how do these security practices relate to the overall security program and the mission of the company?
These challenges represent the reasoning for an adaptive architecture that utilizes services as a method for applying security throughout the business. Moreover, a very important overriding theme throughout this book is that today's security is mature, comprehensive, and quite sophisticated; yet how do we unleash that potential and change the very identity of security in the business? Arguably, the consistency fought for within the security industry has merit. Nevertheless, this has also ushered in difficulties in aligning effectively to the dynamics of the business and achieving adaptability.
While security has evolved significantly over the last several decades, it has also unwittingly become a limiting factor from the business's perspective. Businesses seek to explore opportunity, increase market share, drive revenue, and differentiate themselves. This means taking on risk and new challenges and always changing. Conversely, security seeks to protect the business and put in controls to ensure compliance, manage risk, reduce the potential for debilitating events, and drive consistency. While this is exceedingly important, balance between enabling the business and protecting the business has not been fully achieved. In fact, one could argue there is a growing chasm (Figure 1) between the directive of security and that of the business. This has become exceedingly evident in the face of massive, global economic turmoil.
Figure 1. Security and business chasm.
The two problems introduced above can be summarized as the application of security and the operational integrity of the security group. The holistic employment of horizontal security practices in their entirety may not meet the business need, may include features that are not applicable, or worse, may not include attributes that are critical to the business or the overall security posture. Moving forward, security must acknowledge the business's needs as much as the desire to ensure comprehensive security. Next, of course, is how investments, budgets, and resources in security are employed in providing security and how this is communicated to the business in terms they can readily digest.
As security evolved, it produced a great many standards in the application of security practices. And, as previously discussed, this presents a degree of rigidity and inflexibility. However, beneath this lie extraordinary capabilities to address virtually any scenario. We've all experienced a situation where common approaches fall short and the "go-to-guy" is called in to connect the dots. The resulting activities may be non-standard and unorthodox, but the ultimate goal is achieved. Essentially, the "go-to-guy" understands all of what is possible and what exists within the realm of security in the organization as ingredients, takes time to understand the need, and composes a solution that utilizes existing nuances to fine-tune security to meet the specific objective. Moreover, this is performed in a manner that not only satisfies the business demand, but also ensures it has value in the larger security posture, such as compliance and risk.