November 12, 2006

Security Strategy

Computer security being both one of my hobbies and my job, I have always tended to believe that protecting our systems is important in itself, as part of the due care that is supposed to be part of our job description. However, I must recognize that I was wrong.

The common acceptance of risk analysis as the tool for determining which countermeasures must be applied and which are unnecessary has dismissed the idealistic notion that the more secure a computer system is, the better. And it is important to have done so, because a secure computer is expensive (yes, time is money too) and a secure information system even more so.

During the early stages of security adoption within a company, it is very common to give the recommendations of good practices a higher priority than the requirements of the business strategy. The confusion is so great that in some cases the strategy is defined based on the results of the risk analysis. Although it is true that the risk analysis should itself have been based on the impact that unavailability, loss of integrity and loss of confidentiality may have on the organization's business, I don't think this is the proper way to define the security strategy. The security strategy must be derived from the company's business strategy and must be decided before performing the risk analysis or implementing any other countermeasures (besides reactive ones, of course). As recognized in the international standard ISO 17799:2005, "the organization's overall business strategy and objectives" are identified as one of the sources for defining the security requirements, together with the legal and operational requirements.

From a business point of view, security is a cost, and thus it must be added to the other costs included in the value chain of the products or services the organization provides. Every dollar added to the cost of a product or service must be perceived by the customer as differentiation, i.e. the customer must be willing to pay the extra money for that level of security; otherwise, the company will lose competitive advantage.

Security costs can be classified into three groups:
  • Required security costs: the costs produced by the countermeasures that every company in that line of business must apply. Every competitor must incur those costs. The most common example is implementing the requirements of a law (Sarbanes-Oxley, Basel II, etc.).
  • Strategic security costs: the costs related to implementing the business strategy and producing differentiation. For companies that sell hosting or that act as a certification authority, security is a differentiator and its value is (or should be) directly perceived by the customer.
  • Risk management security costs: the costs accepted in order to reduce the risks down to the accepted residual level.
Obviously, any other cost that does not fall into one of these three groups must already have been dismissed by the results of the risk analysis.

It should be quite easy to formulate a specific security strategy that includes the security objectives behind the first two types of cost. As for the third, there are a couple of valid approaches. Something like "Do a risk analysis and manage the risks down to a residual level" could do. However, that is very vague and I don't like it. When being specific is required, the best source is again the business strategy and, if no clear security needs come from it, the Information Systems strategy, which should be aligned with the former.

As Sun Tzu said: "All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved."
