This document discusses the perspectives and attributes necessary for information security leaders to effectively integrate security into the business. It argues that the traditional "Tao of information security" approach is outdated, and that today's security leaders must take a multi-dimensional perspective that incorporates business acumen, financial savvy, risk visioning, and sustainability. The document outlines these leadership attributes and provides examples of how security professionals can address business needs and priorities from an information security lens.
2. Disclaimer
This presentation and the concepts herein are my opinions through private research, practice and chatting with other professionals. It is not the opinion of past, present or future employers.
3. Overview
Security leaders today have become the psychologists of the business. Part scientist, scholar, practitioner and professional, they must possess a multi-dimensional perspective to meet competing business requirements. The sacred Tao of information security is passé.
This discussion will focus on the top attributes necessary to integrate information security into the business.
5. Defining Leadership
Business Acumen
Financial Savvy
Risk Visioning
Sustainability
"Start with what they know. Build with what they have. The best of leaders, when the job is done, when the task is accomplished, the people will say we have done it ourselves." [Lao Tzu]
9. Governing Perspective
Business priority
Business risk
Organizational maturity
Program maturity
Technology investments
People investments
Process investments
15. Presenting and Building a Business Case
Scope
Constraints
Assumptions
Metrics
Forecast
Recommendations
Reasoning
Risk Analysis
Actions and Next Steps
16. Numerical Forecasting of Compounding Investments
[Chart: RFP Results. Percentage bars (0-100%) for Vendor A, Vendor B, Vendor C and Vendor D across the categories Integration, Acquisition, Reporting/Logging, Administration and Effectiveness.]
17. Managing Risk
“All of life is a risk; in fact we're not going to get out alive. Casualness leads to casualties. Communication is the ability to affect other people with words.” Jim Rohn
18. Risk Visioning
Business Level (Ask) vs. Information Security Level (Response)
Capital Project Investment (Ask): The investment requires protection.
Capital Project Support (Response): Information Security determines whether the current asset portfolio is adequate or a new investment is required.
LOB Applications in the Cloud (Ask): It is most cost-effective to outsource some of our services and processes. We need the same level of protection and privacy provided by on-site hosting.
LOB Applications in the Cloud (Response): Extend the protection model to include technologies that are hosted off-site, adding minimal process and operational overhead.
Customers (Ask): Bad press, recalls, natural disasters, cyber crime, and economics put customer retention at risk.
Customers (Response): Implement protections for external customers to sustain and boost retention rates. Internal customers are protected to sustain business operations.
21. Sustainability
“The bravest are surely those who have the clearest vision of what is before them, glory and danger alike, and yet notwithstanding, go out and meet it.” Thucydides
26. Credits & References
General Professional Influencers
Business Model Generation
www.dictionary.com
Google: www.Google.com
Oxford Dictionary
Wikipedia: www.wikipedia.com
Measuring the Business Value of Information Technology
27. Copyright Information
Some works in this presentation have been licensed under the Creative Commons license (CC). Please respect the license when using the concepts or adapting them.
For more information please go here: www.creativecommons.org
Editor's Notes
Presented at the SecureWorld Expo Seattle
I hope you laugh when you look at this graphic. We’ve got a multi-colored beast, with a funny hat, eating a carrot on a cart that no one is pulling but that attracts lots of attention. This is how non-infosec business leaders sometimes view information security and its leaders.
This is especially true when an information security leader becomes myopic in administering information security. They can’t see the business because they are blinded by C.I.A.
The information security Tao is passé because:
Information security does not drive the business
The tenets of CIA are meant to drive information security, not the business
The business is driven by mission and vision
Security is not a commodity
Information security succeeds through commodification
Commodification of security encompasses: Business acumen, Financial Savvy, Risk Visioning and Operational Know-how
The words leader and leadership are derived from the word lead. The Latin definition means ‘step across the threshold’.
Information security leaders must step across the threshold of the information security tenets and seek integration into the business on the terms of the business.
Business integration enables the information security leader to understand the sphere of challenges faced by our business partners.
What is not mentioned about leading is that there is also the option of drawing others back across the threshold into our realm of influence.
Leadership today is about ability and capacity. Businesses are in search of leaders that are flexible and adaptive to customer requirements.
We are less flexible when we do not possess the ability to view the business from its perspective. The business perspective is rooted in the organization’s strategic objectives, and the business is structured operationally around those objectives. Get to know your business partners, how they function and what their pain points are.
Capacity is directly impacted by ability. We have less capacity when our abilities are limited. The more ability you have, the more capacity you have to execute and deliver to the business.
Our chart represents real security leaders’ responsibilities to the business. While there is an established baseline across each position, some share responsibilities with other departments and at least one leader has a non-information security responsibility.
This is why perspective is important. Information security leaders must have the ability to view all aspects of the business and capacity to absorb functions that were managed elsewhere in the business.
This quote embodies what each of us must consider as business leaders when we consider how we will integrate information security into the business.
Our security practice is worth more to the business when we approach it using tried and true business methodology. It provides transparency to information security, rather than cloaking it in secrecy or technical jargon. It sets the context of information security rather than chasing the blackhat community.
Understanding business context enables the business to drive your portfolio
We must understand the business in its entirety to present solutions that will satisfy the business. The baseline of every business is comprised of mission, vision, values, culture, strategy and roadmap. While it may not be possible to see all the details of the baseline, those which are most valuable are usually shared organization-wide.
Identifying those who shape the baseline of the organization helps build the critical partnerships. It also helps us to gain opposing views, as well as providing a pragmatic platform from which to design a practice that addresses most of the business’s concerns. Remember, the business is commoditized, not a commodity.
Understanding business context leads to developing a perspective for integration into the business.
This approach provides a standard methodology to determine impacts across the business enterprise. It minimizes the tendency to focus on our own area of expertise and establishes a common language that each business partner can relate to.
It also sets us up for shifting from maximizing short-term investments to maximizing based on capital investments. Security-centric strategies usually end up focusing first on risk from a threat perspective. The business is not driven from a threat perspective but from a capital investment focus.
Developing a security portfolio based on the first capital projects ensures sustained alignment to the business. For example, your company, a traditional grocery store, decides it will offer groceries online. This means a website will have to be built and hosted. The priority projects in the information security portfolio will be those which offer protection to the new online website.
Risk mitigation is a shared ownership between the business and the information security practice. The projects in this portion of your portfolio will be: (1) some pushed by the business based on lowering a risk and (2) projects you presented to the business as a risk through building a business case.
Operations projects are those that address technology and/or processes that are currently deployed in the infrastructure and require maintenance or upgrades.
Information channels - ensuring flawless information flows ensures communication is clear to all business partners and your team. Most of us will make sure we communicate with our partners and upstream management. However, it is just as important to communicate to your team. You want them to communicate the same information you’ve provided.
Goal Alignment – To attain relevance, you must align your goals to those of the business. You should be familiar with the financial and operational goals of your organization. Be aware that goals from the senior leadership suite may vary, which means your business case must provide alternatives to accommodate competing priorities.
Information Security Integration - Focus on efficiencies brought to the table rather than information security centric metrics. Offer metrics related to better business operations you enabled, and activities that help grow the business. Whatever the C-suite is accountable for, you must show when, why and how you are supporting them.
Innovation – The C-suite is not just interested in ‘follow-the-leader’ they also find value in being presented with ideas and solutions that can lead to business growth or reduce expenditures.
Compounding Investments – provide tangible evidence of the positive impact your solution will provide in the form of people, processes, technology and sustainability.
A quick way to kill the credibility of leadership for information security is engaging in two or more of the actions listed:
Myopic Vision – realize that it is not all about information security. There is a business to run and it comes first.
Unmanaged Portfolio – build a portfolio of your information security business and share it with the business; then they will know what to ask for.
Undefined Assets – understand what you have to offer in people, processes and technology. Communicate what you have and what you are capable of delivering. It can set you up for more resources in the future.
Unilateral Communication – Communication is not about talking. It includes listening, which is different than hearing. Listening means to pay attention, heed others’ advice, and analyze intent.
Undeclared Taxonomy – define for the business the taxonomy for information security. Define taxonomy based on industry standards, regulations and the business. The outcome is a blended taxonomy that meshes with the business and requires less effort to decipher.
Reactive Response – information security has its reactive elements. Incident response and vulnerability management are good examples. However, when reactive response is at a premium, the result is sloth and kludge.
Story Time: At one of my employers we had to respond to a business need in very short order. Thanks to the quick thinking of some very brilliant people we provided a security solution to meet the business need of an external partner. We knew it was a band-aid fix that was not up to the rigor of most of our solutions. In honor of that the host was named “Another Fine Kludge.” We had a great laugh and moved back to proactive responses for solutions. Know when to kludge and when not to. If your security program is built with cards and band-aids, it will become obvious at some point.
Dogmatic Financials – managing the financials of information security is not about handing the business your budget each year. Your budget should support the valuation of assets, identification of cyclical investments that sustain the business, and innovation capital. Perhaps the most important factor of your financials is explaining how the spend will support the business, not just cost the business.
Rote Bandwagon – When we first learn a new concept or business term it is exciting. We want to share that knowledge with others. The key is moving beyond rote and into analytical capacity. Understand how to use what you’ve acquired and make it functional.
This quote sums it up quite nicely. What business leaders want to know is how much it is going to cost and for how long. Remember, information security is a cost center. As a leader you should provide financials that will protect, enable and enhance business growth.
Historically, the model for information security has been a market model. The fundamental idea is that the value of services is roughly equal to the price that the IT customer is willing to pay. The market model does not answer the question of business value. Asset valuation is certainly a dry exercise. However, it can help you reap untold rewards. Why? It provides a real-time view of current, recurring and forecasted expenditures.
This is an aggregate model based on a compounding investment strategy for each asset with capital projects as a catalyst. This is of value when making determinations on resource allocation. If most of your resources are consumed supporting a capital project, would you really want to present a business case pushing for an anti-virus vendor change? More than likely not.
Scope - The boundaries of analysis should be clearly stated. If the analysis considers data from only one operation, or one segment of a complex organization, this needs to be explained. There are always limits to the data included in an analysis. Explain what the boundaries are. What information was included, what was not, and why?
Constraints – explain any scenario or existing condition which may constrain the execution of the project.
Assumptions – In the assumptions and approach section, readers are given an unambiguous explanation of the background of the project and influencers. If other business cases have been approved by the same decision-makers, then use the same type of assumption.
Metrics – Explain early in the presentation which metrics will be used to judge results, and why. Let the readers know why the analysis is focused toward these metrics.
Forecast – outlines the principal data used to come to the recommendation given. This is where many readers start their reading; it is where the justification for a recommendation is revealed.
Recommendations – Recommendations are presented when the reader is being asked to agree to or approve some form of action. After reading the recommendations, the reader should understand the plan of action proposed, why it is proposed, the benefits, and the specific actions required of the reader. Make the recommendations as clear and concise as possible. You are asking the reader to do something; make sure there is no ambiguity about what the request involves.
Reasoning - provides justifications for the recommendations. This is the section that explains the logic behind your recommendations or conclusions. It details the separation between facts and reasonable assumptions. It might also be referred to as “rationale” or “key findings.” The reasoning section is the persuasive part of a report. It explains in simple terms why the author is right.
There should be three to five key points. More than five key points is too many, and fewer than three suggests a degree of uncertainty on your part. Each point needs to be a narrowly focused aspect of your rationale, and it should comprise a sentence or two.
Risk Analysis – Risk analysis is all about “what if.” Projections are used to predict the financial implications of various decisions based on assumptions of what the outcomes will be. What if those assumptions are not correct? What is the worst-case scenario? What is the best-case scenario? How likely are the projections to be correct? Within a business case, only a few separate scenarios can be discussed.
Actions and Next Steps - steps are outlined that will be followed if the plan or recommendation in the report is approved. The reader has been asked to agree to some activity, and this section explains exactly what the immediate response will be. Action sections are typically written in point form, in order of sequence. Each activity, or step to be taken, is described in terms of timing, people, and method.
This graph represents data fed into a spreadsheet to determine the level of investment for a solution. The aggregation of the information for all vendors and required functionality is displayed.
This particular chart can also be used to measure resource investments like the people and services your practice offers. It provides you and the business with the knowledge of where your resource investments are spent and facilitates future planning.
Communication between the business and information security is critical to reaching agreement. There is often a contrast between how the business conveys its needs and how information security interprets the requirement.
This is where active listening comes in handy. Active listening requires the listener to understand, interpret, and evaluate what they hear.
Our table displays the ask from the business and the response from information security. The drivers originate with the business which sets the scope of the response by information security.
The business valuation portfolio drives the security practice rather than the security program. Out of business valuation, the security program is aligned to match the direction of the business in terms of priority.
Looking at your portfolio from this perspective reminds you of what types of questions to ask the business if they do not give you the information. What are the capital projects for the next three years? What are pain-points to productivity? What solution met the needs of the business and why? This is how you integrate security in the business.
The portfolio builds on what the business considers priority.
Capital Projects
Risk-based Projects
Innovation Projects (create efficiency and productivity)
Sustainability Projects (maintain current investments)
The business and your business partners will invest in value-added solutions over commoditized infrastructure. Continued commoditization of information security results in a richer and more relevant business investment portfolio. As a result, capital, risk and innovation investments will drive down the costs of information security as a cost center while enhancing sustainability.
Sustainability occurs when a business unit participates in activities ensuring all processes and products adequately address current business concerns without impacting profitability. It is a business unit that “meets the needs of the business without compromising the ability of the initiatives to meet their own needs.”
Information security is not an easy undertaking. Traditionally we are seen as a roadblock. Our success is obscured by our ‘cost center’ status as well. It takes a brave person to stay the course even when the vision is not always clear to others.
The building blocks toward sustainability are:
Assets
Value Propositions
Communication Channels
Supply Chain
These are the minimum elements you will need to succeed as a leader of information security in your organization.
Processes, resources, communication channels and value propositions are assessed and created. This enables the supply chain to deliver a solution to the business.
Developing a systemic security practice provides agility by reusing the best practices and methodologies for the business with minimal resources.
At the outset of our discussion, we discussed the TAO of Information Security. We understand why the TAO has not worked well to integrate and sustain information security as a business function. The TAO does not provide alignment to the business. Moving ahead, we must put the TAO in its proper place, and that is into the business.
Business leaders, business partners and customers want to ‘get’ Information Security. For that to happen Information Security leaders must first step across the threshold and into the business before they can lead the business into Information Security.
Build and identify communication pathways, develop your business valuations and build relationships with your supply chain.
As an Information Security Leader, show your brains to the business first; then the business will want to hear about information security.
Something I’d like to encourage all of you to do…when presenting in the future, list not only your online and book references, but also your people credits. We all meet people who are pivotal in growing our knowledge or professionalism. Don’t forget to mention them.