Don’t run scared—Run IT security like a business
CIOs need their security teams making decisions based on business value, not knee-jerk fear. Get there in four steps.
Sometimes, your security team shouldn’t deploy every software patch that comes along. Your team may find this counter-intuitive, but security decisions must be based on more than fear of hackers and blind faith that patching is the way to ward them off. Running IT like a business means running IT security like a business. This often means repairing security vulnerabilities at maximum speed—but not always.
Getting your security team to think in terms of managing overall business risk is not easy.
“Security speaks a different language from the business,” says Eliav Levi, HP CTO of Risk Management. “So reporting typically focuses on technical operations information. Most organizations don’t take that extra step to translate it into business meaning.” With no business context to reports, executives have a hard time balancing risk, costs and budget—and there’s no means of prioritization. Adds Levi, “There’s little sense of how to spend the security budget in a way that will benefit the business most.”
Yet with the rapid rise of cloud computing, consumerization and mobile devices, executives are increasingly concerned with security. An InformationWeek report says that in 2011, 34 percent of CEOs or presidents were involved in security policy, a 7 percent increase over the previous year.
Shifting security priorities
To run security like a business, CIOs and CISOs need to drive a change in mindset. Reliance on key performance indicators and analysis must prevail over the fear of “Hackers will get us—on my watch!” To assess where your organization is, ask yourself: Are you and your security leaders focused on the business of information security, or is your organization still mired in reactive fire drills? Can you measure the impact of security activities on the business?
For example, instead of asking, “Are we up to date on patches?” the more important question is, “How is patch management affecting business performance?” Correctly done, a security function such as patch management should be saving the organization on planned downtime. Instead, organizations often patch themselves into poor performance. Abandoning your considered update schedule to patch blindly—without assessing priorities and risk—can cause more downtime when the “fix” brings down an application server than you’d have by choosing not to deploy certain low-priority and higher-risk patches.
“There are many tools that play a role in day-to-day security practice,” Levi says, “and most generate mountains of prioritized data. The challenge for security is to tie together this data coming from different tools to provide a holistic view on the security state of the organization.”
Four steps you can take to start running security like a business
To shift from reactive mode to what HP Enterprise and Cloud Security Strategist Rafal Los calls “smart security,” start with these steps:
- Assess your organization’s asset inventory and understand what’s at risk. Knowing what you have is half the battle. Can you identify your organization’s top three business-critical applications?
- Establish sound change management. A solid, ITIL-based change management process is crucial to a good security foundation. Map your patch management to ITSM best practices.
- Apply a business context to KPIs. Two key performance indicators are especially important as you begin treating security as a business. One is velocity of change: How fast can the business react while still staying safe? The other is how much business disruption is caused by security: How much downtime has been taken with outages?
- Analyze the impact of security actions. How do you decide whether you should update that patch or not? Remove fear from the equation and make decisions based on analysis and numbers instead. Your most effective practice here is to use a Failure Mode and Effects Analysis (FMEA) to assess potential security risks. (For more on FMEA, see the related article, “Security: Separating fear from risk.”)
These steps should allow you to not only decrease security-related downtime and disruption, but you’ll also see a change in security’s overall role in the organization. “As security steps into the board room,” Los predicts, “it will start to disappear as a separate discipline and dissolve into the fabric of the business.”
Find out more about HP’s solutions for Enterprise Security, and join the discussion around security on Rafal Los’ Following the White Rabbit blog.
When users are king, how do you create IT value? Download our free ebook and find out.
Connect with your peers in our IT Strategy & Performance group on LinkedIn.
Sign up to get the best of the Discover Performance community delivered via email.
Vote for the followup to our CIO vs. CFO series: CIO vs. CMO? CIO vs. CISO? On big data? BYOD?
Do you work in the IT trenches? Get articles, demos, discussions, and downloads for and by software practitioners.
Discover Las Vegas 2013
Attend HP’s premier event (June 11-13) to hear from industry leaders, HP insiders, and experts on tomorrow’s IT trends. More
HP Vertica User Conference 2013: Driving the Future of Analytics
Strategic insights on big data and keynote speaker Billy Beane (GM of the Oakland A’s). Boston, Aug. 5-7. More
HP Protect 2013
Share security intelligence, discuss new innovations, and network at HP’s premier security conference.
Washington, D.C., Sept. 16-19. More
Most read articles
This free, original ebook—based on discussions with a group of HP’s Fortune 500 customers—strips out today’s jargon and buzzwords to help you reframe how IT can deliver value consistently in this new user-driven era, no matter how the technology evolves.
Download eBook (PDF-file, 300dpi, 3.7MB)
Download eBook (PDF-file, 300dpi, 9.5MB)