Sage Conversations: Disseminating Data

How to create a security information architecture in your organization


Today’s CSOs are faced with ever-increasing challenges, including budget optimization, improved organizational alignment, and an enterprise security architecture that incorporates virtualized environments and the cloud.

While data has always been a fundamental security concern, today’s technology permits us to integrate and correlate unstructured and disparate data under a common operating picture to provide relevant business information. This notion of a common operating platform is relatively new, and CSOs should be demanding this from their systems and operations groups. By designing and implementing a security information architecture that is aligned to the business goals and objectives, the CSO is fulfilling his or her mandate. How do you accomplish this?

To form a security information architecture, you must understand the business context, which is the business environment and operations that characterize the organization — such as the company mission, future goals, financial performance indicators and organizational culture and behavior. To be successful, the CSO must have a firm grasp of the business context that their security operations enable. This includes obtaining baseline information on all business, security system and data structures, operational risk assessments and other risk mapping efforts, stakeholder analysis, etc.

Once this is done, you can begin to develop the security information architecture and data integration program. As one colleague put it: “This can be like eating the elephant — even one bite at a time is still pretty big!”

In general, developing the concept involves a variety of people, such as information technology, end users and security, as well as several concept/strategy whiteboard sessions. It is important to see the broad view at this point — don’t get bogged down in the details. Here are some of the guiding principles:

  • Imagination. Imagine how you would like to see critical processes and systems interact with each other regardless of technical constraints.
  • Questions. Innovation is accomplished, in part, by bringing a variety of perspectives to focus on one issue. We have seen some clever innovations born from the ideas of line staff tasked with using a system that was designed one way but ultimately needed to fulfill its role better than designed.
  • COTS. Shift to commercial off-the-shelf products. Regardless of what information you integrate, the key is providing one common view using non-proprietary technology.
  • Secure the core. The notion here is to integrate and execute the essential (core) security services first, under a common platform. Effectively using a security information architecture and data integration scheme within your own domain should give you credibility with other enterprise services.
  • Benchmark. Several enterprise security programs are implementing leading-edge and innovative security information and data integration programs. It is easier to imagine what you can do when you see what others have done.

Once the concept is outlined, you need an execution plan — typically in 18-, 24- and 36-month increments. A typical strategy includes:

  • The Master Plan – the execution strategy taking the design concept through to actual implementation. It must include routine quality assurance and process assurance cycles, along with performance management and KPIs, among other elements.
  • Proof Point – design the security information architecture, perhaps in a sandbox environment, with just enough functionality and integration to provide evidence that the concept works. It is almost inconceivable to imagine a security architecture for a data integration project that does not have a proof point.
  • Workflows – a core element of a security information architecture is the creation of standardized workflows that provide quality measurements against performance. This is a well-established notion in the Six Sigma world and should be part of this program.
  • Value and Measures – a core objective of the security information architecture is demonstrating value to the company’s mission and demonstrating business value from the security service. Designing a system that helps promote service value is not easy and must be created within the business context.