As IT security has become a bigger part of business discussions, security teams have increasingly shifted their focus from operations to strategic business objectives.
For businesses building their security groups, there needs to be a balance between fulfilling operational and strategic goals, and a new report from Forrester Research offers advice on how businesses can find it.
"In a few cases we found that the strategic aspect of security was so important or was so highlighted in terms of the CISO [chief information security officer] role that the CISO was sometimes moved outside the IT organization, [and] sometimes wasn't as connected with the operation [of] the IT...[but] much more connected with the business side and the strategy side," explained Forrester analyst Khalid Kark. "What that does is basically creates an ivory tower for the chief security officers, and then they are not able to operate."
To avoid that, there are several steps Forrester recommends organizations take. Here are a few of them.
-- New Roles: To make your security practice more strategic, add these three positions: a business liaison to advocate for the business unit within the security team and communicate the security perspective to business; the third-party security coordinator to address outsourcing, assessments and cloud computing; and a security engineer focused on working with the enterprise architecture team to build security into the architecture and integrate specific infrastructure security components into the architecture.
-- Understand IT security vs. information risk: "Many security organizations fail to get management attention because they're always focused on the IT security activities, which the business doesn't understand," according to the report. "On the other hand, the business understands risk well, and if you articulate those same problems in the risk context, the business is much more likely to react and respond to them."
-- Develop a cross-functional security council: "Focus on 'who' not 'how.' Forrester has long professed the benefits of a security council, but one thing that is absolutely essential for the success of this council is its composition," the report continues. "The trick is not to aim for the highest ranking businessperson but the one most interested in security and risk issues who has a reasonable level of visibility in the business. When you have a passionate team working on the security issues, the 'how' will be easy to determine."
-- Equip the business to perform risk assessments: "To meet the security and risk obligations effectively, you have to delegate, and risk assessments are ideal for this," Forrester said. "Provide the checklists and basic training to the business to perform the basic risk assessment tasks so that it takes the pressure off your resources. Make it easy and seamless for the business to incorporate these into its existing processes."
Complicating things is today's economic environment in which businesses may be forced to reshuffle or even cut their security personnel. When that happens, organizations may have to refocus their attention from strategic projects and get back to basics, the report noted.
"As security organizations get leaner, delegation, formalized and documented processes, and good monitoring and metrics become key," said Forrester analyst Rachel Dines, who worked on the report with Kark. "Security organizations don't need to have direct ownership of all security-related processes, but they do need to monitor and control them."