From the answers to these questions, a data process diagram begins to take shape that addresses collaboration (who), the roadmap (what will be developed and deployed, and when), how it will be developed and resourced during and after deployment, and finally a solution orientation that describes the attributes of the specific set of technologies to be deployed to drive value. Done this way, ongoing metrics can be established that measure the value anticipated in the original assessment, define the scorecard for future technology, and serve as the basis for a continuous improvement program.
This takes a little more time, but let us attempt to undergird the reasoning for this approach with a simple but critical logic statement. Security executives aim for a common operating picture, provisioned by the collection of data from multiple inputs including devices and software applications, that is effectively measured to ensure continuous improvement toward actionable business value and all-hazards risk mitigation while achieving continuous compliance. If that is truly the case, then every device and application must be measured against this overarching goal.
What many CSOs tell me is that they face an inherited culture that does not understand business objectives aligned with risk and security, nor how to measure them in a way that would be meaningful to business executives. They also complain of a dearth of standards that prevents them from integrating in a meaningful way. Finally, they complain about the lack of IT and business insight and advice that they need from their existing consultants and integrators.
But the industry is changing. Technology is advancing much faster than the security market can absorb or understand it, and it is pushing the end user model for security as well as the channel for products and services.
Just look at Microsoft Global Security and its implementation of a commercial off-the-shelf (COTS)-based stack that inherits full integration of all its software applications if the device or software application conforms to its 'standard'. They are actively pushing the envelope for this level of business practice and information architecture approach, and security technology companies are taking note. I predict a number of devices, solutions and professional service organizations will take advantage of this in a big way in 2013.