Posts Tagged ‘security management’

Follow the Money

When we talk about security with the business we need to talk about money.

I have occasionally run into colleagues whose answer to risk-based governance approaches and performance-based management approaches has been to say “Show me the money!”. I understood their desire to see security operate in the language of business, but I was always reluctant to jump feet first into financially-driven security for a couple of reasons: firstly, I just couldn’t see how we could put a reliable value on what we did, and secondly, I was nervous about what that might expose. In hindsight I find myself increasingly becoming a financial fundamentalist for security.

Business is fundamentally the generation of profits to maximise the returns of investors. It is the result of one equation:

Profit = Revenue – Costs

(more…)

Blueprint for Security in 2013

I’ve worked with a number of organisations this year that have been refreshing or redesigning part or all of their security function. It’s brought into focus for me the tension between new security practices and organisational inertia. These have all been organisations that cared greatly about security and were in no way dysfunctional. However, they have all been fighting the battle of five to ten years ago and were only now undergoing the discovery and self-analysis needed to understand how to deliver on their aspirations in the new context of cyber security and the changed threat landscape.

It has brought home to me the need to focus on continual improvement activities: not limited to finding greater efficiency and effectiveness in what we are doing now, but also regularly challenging the scope of our activities to see if we need to do more, do less, or do different things.

(more…)

Business Partner and Supply Chain Cyber Security

I’ve recently been involved in some strategic cyber security work in the UK financial services sector. The financial services sector is a complex and coupled system. While some components are clearly more important there are few components that are inconsequential if they cannot be relied upon. No financial services organisation is independent in what is a highly cooperative sector.

Currently the Information Assurance aspects of reliance on partners and the supply chain throughout the sector are handled through third-party assurance. Every organisation assesses and is assessed by every other organisation, breeding an expensive and distracting industry of rolling security controls assessments.

(more…)

Security and Systems Engineering

In my experience, when a business brings security people into its systems engineering process it is trying to solve a problem. Usually either there has been a painful security incident or some security testing has pushed them over the edge and they feel exposed. Sometimes they are undertaking a big enough change, or the security implications of a change are so obvious, that they realise they need to ensure security is covered off.

However, while the senior management of the business is looking to solve the security problem, there is commonly confusion amongst the systems engineering teams, the new security team and the middle management of the business about what it is they are asking for and what it is they are getting.

(more…)
