Discover Performance

CIOs need their security teams making decisions based on business value, not knee-jerk fear. Get there in four steps.

Sometimes, your security team shouldn’t deploy every software patch that comes along. Your team may find this counter-intuitive, but security decisions must be based on more than fear of hackers and blind faith that patching is the way to ward them off. Running IT like a business means running IT security like a business. This often means repairing security vulnerabilities at maximum speed—but not always.

Getting your security team to think in terms of managing overall business risk is not easy.

“Security speaks a different language from the business,” says Eliav Levi, HP CTO of Risk Management. “So reporting typically focuses on technical operations information. Most organizations don’t take that extra step to translate it into business meaning.” With no business context to reports, executives have a hard time balancing risk, costs and budget—and there’s no means of prioritization. Adds Levi, “There’s little sense of how to spend the security budget in a way that will benefit the business most.”

Yet with the rapid rise of cloud computing, consumerization and mobile devices, executives are increasingly concerned with security. An InformationWeek report says that in 2011, 34 percent of CEOs or presidents were involved in security policy, a 7 percent increase over the previous year.

Shifting security priorities
To run security like a business, CIOs and CISOs need to drive a change in mindset. Reliance on key performance indicators and analysis must prevail over the fear of “Hackers will get us—on my watch!” To assess where your organization is, ask yourself: Are you and your security leaders focused on the business of information security, or is your organization still mired in reactive fire drills? Can you measure the impact of security activities on the business?

For example, instead of asking, “Are we up to date on patches?” the more important question is, “How is patch management affecting business performance?” Correctly done, a security function such as patch management should be saving the organization on planned downtime. Instead, organizations often patch themselves into poor performance. Abandoning your considered update schedule to patch blindly—without assessing priorities and risk—can cause more downtime when the “fix” brings down an application server than you’d have by choosing not to deploy certain low-priority and higher-risk patches.

“There are many tools that play a role in day-to-day security practice,” Levi says, “and most generate mountains of prioritized data. The challenge for security is to tie together this data coming from different tools to provide a holistic view on the security state of the organization.”

Four steps you can take to start running security like a business
To shift from reactive mode to what HP Enterprise and Cloud Security Strategist Rafal Los calls “smart security,” start with these steps:

1. Assess your organization’s asset inventory and understand what’s at risk. Knowing what you have is half the battle. Can you identify your organization’s top three business-critical applications?
2. Establish sound change management. A solid, ITIL-based change management process is crucial to a good security foundation. Map your patch management to ITSM best practices.
3. Apply a business context to KPIs. Two key performance indicators are especially important as you begin treating security as a business. One is velocity of change: How fast can the business react while still staying safe? The other is how much business disruption is caused by security: How much downtime has been taken with outages?
4. Analyze the impact of security actions. How do you decide whether you should update that patch or not? Remove fear from the equation and make decisions based on analysis and numbers instead. Your most effective practice here is to use a Failure Mode and Effects Analysis (FMEA) to assess potential security risks. (For more on FMEA, see the related article, “Security: Separating fear from risk.”)

These steps should allow you to not only decrease security-related downtime and disruption, but you’ll also see a change in security’s overall role in the organization. “As security steps into the board room,” Los predicts, “it will start to disappear as a separate discipline and dissolve into the fabric of the business.”

Find out more about HP’s solutions for Enterprise Security, and join the discussion around security on Rafal Los’ Following the White Rabbit blog.