Security tools and solutions abound. Firewalls, intrusion detection, intrusion prevention, anti-virus, anti-malware, logging and SIEM: if there is a threat from the big bad hackers and pirates, someone has written a tool or solution to address it. But what is most often forgotten by the IT Ninja is connecting security to the business, and to do that you need…process.
What do you do when your IDS goes off? How do you respond when a worm wiggles its way into your network? How do you go about reviewing your logs looking for unauthorized activity and what do you do when you find it?
Process is what helps organizations answer these sorts of questions. In order for security to separate the wheat from the chaff, it needs to be truly connected to the business, and to understand how the business works and what it does in order to protect it.
Everything that occurs inside an organization has a series of steps that must be followed to completion. Each of those steps, as I mentioned in an earlier post, must be documented and repeatable. Security must then be aware of and familiar enough with the process to be able to follow it and determine when something went off the rails and why.
Incident Management, Problem Management, Change Management and Release Management are all processes that security must be familiar with to truly be able to protect, detect and correct issues in the environment, and yes…those are all components of ITIL.
For example, change management is one area where security needs to be involved in the business. When looking for events of interest from a security perspective, the IT Ninja needs to know what constitutes an authorized change and what makes up an unauthorized change. Likewise, in order to understand what hacker traffic looks like, security personnel must know what legitimate traffic on the network consists of.
If ITIL is not your bag, then the ISO 27K series is another international standard worth looking at (although it is probably better considered a framework than a codified series of processes) that a security ninja should be familiar with.
In any case, in order to be able to tell the difference between a pirate and a swabbie, security must be connected to the business. As organizations develop and improve upon their business processes, security must take the opportunity to make itself heard and contribute meaningfully to the conversation.
Not in a screaming-from-the-rooftops, the-sky-is-falling sort of way. I think we can all agree that the fear, uncertainty and doubt approach is one of the quickest ways for security to find itself on the outside looking in.
Security needs to integrate itself into a process and not subvert it or subjugate it to its own purposes. The business owner can be made to understand that un-reconciled change or un-reviewed logs present a risk not only from a security perspective but from a business perspective as well. Security Configuration Management solutions can provide a level of analysis of potential holes in the network similar to how businesses use GAAP analysis to study and understand business risk.
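As an added example (not part of the original post), here is a small Python reconciliation of observed configuration changes against approved change records, the "un-reconciled change" check that the change-management discussion above is about: a change counts as authorized only if a change record covers that item on that host and the change landed inside the record's approved window. The hosts, file paths, ticket ids, actors and timestamps are all constructed sample data standing in for a ticket-system export and a file-integrity monitoring feed.

```python
"""Reconcile observed configuration changes against approved change records.

Added example, not from the original post. Both lists below are constructed
sample data (hypothetical hosts, ticket ids, paths and times): APPROVED stands
in for an export from the change-management system, OBSERVED for a
file-integrity or configuration-monitoring feed.
"""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class ChangeRecord:
    ticket: str
    host: str
    target: str            # file or configuration item the change is approved for
    window_start: datetime
    window_end: datetime


@dataclass(frozen=True)
class ObservedChange:
    host: str
    target: str
    seen_at: datetime
    actor: str


# Constructed sample approved changes (change-management tickets)
APPROVED = [
    ChangeRecord("CHG-1001", "web01", "/etc/nginx/nginx.conf",
                 datetime(2024, 3, 4, 22, 0), datetime(2024, 3, 5, 0, 0)),
    ChangeRecord("CHG-1002", "db01", "/etc/postgresql/postgresql.conf",
                 datetime(2024, 3, 4, 22, 0), datetime(2024, 3, 5, 0, 0)),
]

# Constructed sample observed changes, e.g. from file-integrity monitoring
OBSERVED = [
    # inside CHG-1001's window: reconciles
    ObservedChange("web01", "/etc/nginx/nginx.conf", datetime(2024, 3, 4, 22, 40), "deploy"),
    # ticket exists, but the change happened hours after the window closed
    ObservedChange("db01", "/etc/postgresql/postgresql.conf", datetime(2024, 3, 5, 3, 15), "postgres"),
    # no ticket covers this item at all
    ObservedChange("web01", "/etc/ssh/sshd_config", datetime(2024, 3, 4, 23, 5), "root"),
]


def match_ticket(change, approved):
    """Return the ticket id that authorizes this change, or None."""
    for rec in approved:
        if (rec.host == change.host and rec.target == change.target
                and rec.window_start <= change.seen_at <= rec.window_end):
            return rec.ticket
    return None


def reconcile(observed, approved):
    """Split observed changes into (change, ticket) pairs and unauthorized changes."""
    reconciled, unauthorized = [], []
    for change in observed:
        ticket = match_ticket(change, approved)
        if ticket:
            reconciled.append((change, ticket))
        else:
            unauthorized.append(change)
    return reconciled, unauthorized


def describe_unauthorized(change, approved):
    """Explain why a change did not reconcile: outside its window, or no ticket at all."""
    for rec in approved:
        if rec.host == change.host and rec.target == change.target:
            return (f"{rec.ticket} covers this item but the change at "
                    f"{change.seen_at} fell outside its window")
    return "no change record covers this item on this host"


if __name__ == "__main__":
    ok, bad = reconcile(OBSERVED, APPROVED)
    for change, ticket in ok:
        print(f"OK   {change.host} {change.target} -> {ticket}")
    for change in bad:
        print(f"FLAG {change.host} {change.target} by {change.actor}: "
              f"{describe_unauthorized(change, APPROVED)}")
```

The two flagged cases are deliberately different: one has a ticket but missed its window, the other has no ticket at all. Both are the kind of finding that is as much a business question (why did an approved change slip, who touched SSH configuration with no record?) as a security one, which is the point of tying the review to the change process rather than running it as a purely technical alert.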
Security must also understand that too much emphasis on technology over process leads to a business that is inflexible to the demands of the market, which is a different kind of risk that organizations may not wish to take. It's not enough to deploy a set of critical security controls and call it good. They need to be wrapped in the business process context to be fully effective.
A careful blend of security and process helps to mitigate much of the risk while still allowing the business to do what it does best…
Image Credit: Stuart Miles