Every security executive has used a system integrator. To some, they are merely “installers” who conform to a specification prepared in advance by an internal committee and/or a consultant. To other security executives, integrators bring specific expertise in a solution or a product.
If we fully delineate the term “system integrator,” we can see opportunities and weaknesses in how we leverage them. “System” implies a collection of technical subsystems. “Integration” involves piecing together each of these subsystems. But what if there was a new approach that took into account the organization’s “subsystems” up and down the value stream of a security operation? After speaking with security executives and industry vendors, I discovered the potential of a new definition for “integration” and the need for a new comprehensive methodology.
Here’s a look at five core elements of a risk and security organization that must be reviewed and “integrated” before advancing new technology. It’s possible to integrate disparate consultants, integrators, and product vendors across these five steps, but a methodology must exist that allows this to happen, along with strong leadership to initiate, maintain and advance the desired outcome.
1. Risk, Business Model and Value Drivers
We are all familiar with the need to perform periodic risk assessments. We also know that in many sectors, compliance with external regulations is critical. The best consultants in this area also take into account how their client’s organization operates (the business model). This requires understanding the value the organization provides, and how it quantifies and monetizes that value. Additionally, there are people in defined roles within core processes who drive that model. Risk should always be aligned with opportunity, so that the opportunity can be realized and sustained.
2. Data, to Information, to Intelligence
We call this the “Information Waterfall.” Your organization must aggregate data from internal and external sources, and that data must be organized so that it can be understood and leveraged. You must then attempt to harmonize all sources of information and apply analytics and strategic thinking so that you can evaluate and take action. How this becomes a core process within your risk and security operation, and how you apply technology to leverage the information in powerful ways, is a critical step in the value chain.
3. Security Performance Audit: Creating the Baseline for Metrics
This step is critical. It measures the unique interaction between your people/partners, processes and tools (technology) to fulfill the objectives derived from the first two steps. It also measures the velocity, value and veracity of your plan. Without this, every step you take may detract from or add to the value of your organization, but you would lack the measurements to validate progress or take corrective action. I also would include the auditing or benchmarking of any proposed new technology by first validating its conformance to the organization’s information architecture, then creating a “use case” that will be used to confirm the value we expect to gain, and finally, testing it against the use case to confirm when and how it will be introduced.
4. Design, Implement, Train
We finally arrive at the piece relegated to the system integrators. If we have done the other steps correctly, then this one should be seamless. The integrator should be aware of the strategy, the value drivers, and the use cases. The integrator should be vetted through your core processes as an important member of your security team — after all, they will be asked to handle your sensitive building and subsystem information. Their ability to implement will also determine the success of the technology subsystems that make all the other steps more efficient and more valuable.