Sage Conversations: Taking a holistic view of security operations

Why measuring the total value of security to an organization is vital

I was listening to Steve Lasky’s interview of Mike Howard, CSO of Microsoft, at The Great Conversation in Seattle, the other day, and was struck by his insight into leadership. I took away the following nuggets:

  • Leadership is selfless. A selfless leader recognizes the worth of the team and, therefore, invests in the development of the people.
  • Leadership understands the mission and goals of the organization and how to mobilize the assets accordingly.
  • Leadership builds relationships both within the team and outside the team, seeking perspective outside the four walls of an office.
  • Leadership is strategic. Blocking and tackling is important and must be measured, but it also must always have a strategic context.

Later, I had these nuggets in mind when I interviewed Benjamin Butchko, the CEO of Butchko Security Solutions. Butchko represents the tip of the spear in the security value stream: his professional discipline and business is to align board-level risk with board-level value and then assist his clients in creating a robust security operation that manifests that alignment. That alignment is itself a strong measure of a security program's success.

When asked what he believed the greatest challenge was, he used a phrase that is commonly associated with corporate bureaucracy: the self-licking ice cream cone.

According to Butchko, often within the security operations of public and private organizations there is a propensity to focus inward, missing the holistic view of how security benefits the greater organization mission. Without that perspective, much of the potential value is unrealized.

This happens in the vendor community as well, where the consultant, technology vendor or integrator is so focused on its one piece of the value stream that it misses the sum of the parts.

Butchko provided an example of a holistic view. For one industry, he outlined four major categories of data that would have to be identified in order to create a genuine information data model and architecture for security.

  1. The business data: Such as facility, personnel and identity (Active Directory), and contracts management.
  2. The physical security data: Such as access control, intrusion, video surveillance and voice.
  3. The operations data: Such as SCADA, core process or workflows, raw materials, product stores and locations.
  4. The environment for safety: Such as proper certifications, medical clearances, and travel.

If this data were identified, captured and organized properly, it could be persistently evaluated in the context of both reactive and proactive analysis. Correlating the four categories would arm the organization to capture trends that tell leaders how to improve their operation, as well as to predict future events.
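The value of the four-category model comes from cross-domain checks that no single system (the badge system, the directory, the SCADA historian, the safety database) can make on its own. The following is an added example, not code from the article or from Butchko's practice, showing one such evaluation in Python: badge events from the physical security domain are checked against identity status (business data), the certification required for a process-critical zone (operations and safety data), and the person's travel booking (safety data). All names, sites, rule names and records are constructed for illustration.

```python
"""Correlating the four security data categories into one picture.

Constructed sample data: every person, facility, zone and event below is
invented for illustration and is not taken from the article.
"""
from dataclasses import dataclass, field
from datetime import date


# 1. Business data: identity directory entry
@dataclass
class Identity:
    user_id: str
    name: str
    enabled: bool          # account status in the directory
    home_site: str


# 2. Physical security data: one access-control event
@dataclass
class BadgeEvent:
    user_id: str
    site: str
    zone: str
    day: date


# 3. Operations data: zones that touch core process/SCADA and what they require
@dataclass
class CriticalZone:
    site: str
    zone: str
    required_cert: str     # certification needed to be in this zone


# 4. Safety/environment data: certifications and travel
@dataclass
class SafetyRecord:
    user_id: str
    certs: dict = field(default_factory=dict)   # cert name -> expiry date
    travel: dict = field(default_factory=dict)  # date -> site the person is booked at


def correlate(identities, events, zones, safety):
    """Evaluate each badge event against the other three data categories.

    Returns a list of (user_id, rule, detail) findings. Each rule is a
    cross-domain check; the badge system alone sees only a valid swipe.
    """
    ids = {i.user_id: i for i in identities}
    crit = {(z.site, z.zone): z for z in zones}
    saf = {s.user_id: s for s in safety}
    findings = []
    for ev in events:
        ident = ids.get(ev.user_id)
        # Physical vs business: badge still works but the directory account is gone
        if ident is None or not ident.enabled:
            findings.append((ev.user_id, "disabled_identity_badge_use",
                             f"{ev.site}/{ev.zone} on {ev.day}"))
            continue
        rec = saf.get(ev.user_id, SafetyRecord(ev.user_id))
        # Physical vs operations/safety: in a critical zone without a valid certification
        zone = crit.get((ev.site, ev.zone))
        if zone is not None:
            expiry = rec.certs.get(zone.required_cert)
            if expiry is None or expiry < ev.day:
                findings.append((ev.user_id, "critical_zone_without_cert",
                                 f"needs {zone.required_cert} at {ev.site}/{ev.zone}"))
        # Physical vs safety/travel: badged in somewhere other than where the person is booked
        booked = rec.travel.get(ev.day)
        if booked is not None and booked != ev.site:
            findings.append((ev.user_id, "badge_conflicts_with_travel",
                             f"booked at {booked}, badged at {ev.site} on {ev.day}"))
    return findings


def run_sample():
    """Run the correlation over a small constructed data set (hypothetical values)."""
    identities = [
        Identity("u1", "A. Example", True, "PlantA"),
        Identity("u2", "B. Example", False, "PlantA"),   # account disabled, badge not revoked
        Identity("u3", "C. Example", True, "PlantA"),
    ]
    zones = [CriticalZone("PlantA", "ControlRoom", "SCADA-Ops")]
    safety = [
        SafetyRecord("u1", certs={"SCADA-Ops": date(2025, 1, 1)},
                     travel={date(2024, 3, 6): "HQ"}),
        SafetyRecord("u3", certs={"SCADA-Ops": date(2024, 1, 1)}),  # expired
    ]
    events = [
        BadgeEvent("u1", "PlantA", "ControlRoom", date(2024, 3, 5)),  # clean
        BadgeEvent("u2", "PlantA", "Lobby", date(2024, 3, 5)),        # disabled account
        BadgeEvent("u3", "PlantA", "ControlRoom", date(2024, 3, 5)),  # expired cert
        BadgeEvent("u1", "PlantA", "Lobby", date(2024, 3, 6)),        # booked at HQ that day
        BadgeEvent("u9", "PlantA", "Lobby", date(2024, 3, 6)),        # badge with no identity
    ]
    return correlate(identities, events, zones, safety)


if __name__ == "__main__":
    for user, rule, detail in run_sample():
        print(f"{user}: {rule} ({detail})")
```

The point of the example is the join, not the rules themselves: once the four categories share a common key (here the directory user ID), the same evaluation can be run reactively over yesterday's events or proactively over tomorrow's travel and certification expiries.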

What Butchko is doing is helping his clients build a platform that provisions leadership with this kind of correlated information, as Howard has done at Microsoft Global Security with his GSOC (Global Security Operations Center).

How the Butchkos of this new generation of leadership create the platform of the future is still in flux. The Microsoft approach uses commercial off-the-shelf software and devices that, as much as possible, plug and play together. This interoperability is something that Howard touches on in his interview and in many of the speeches he delivers. Butchko, however, is also practicing a different kind of interoperability by reaching out beyond his consulting discipline to understand the best information architecture for delivering this value to his clients. As Howard advises, Butchko is reaching out to technology vendors, software companies developing on Windows, SQL and SharePoint, device companies and integrators to understand and leverage their knowledge and resources. He is practicing what Howard calls "the interoperability of the ecosystem."
