The Sage Group works with many organizations to assess their baseline performance and construct a viable business plan that will help them with their short and long term goals. We see many different business models and varying degrees of operational performance.
Within the security ecosystem, our experience spans most of the main elements of the security value stream. We thought we would give you insights, from our experience, into what each of these “supply-side” sectors are experiencing and what the next year may hold for them in their “path to value.”
There are five main elements to the value stream:
1. Risk and Resilience
Risk, threat and vulnerability and the security master plan: This step is fundamental to every security program.
2. Performance Baseline and Optimization
Security and business process assessment: This step provides the baseline measures around people performing roles within a core process using the technology that has been provided them.
3. Information, Intelligence and Response
Standards-based roadmap for an information management architecture: This step intersects with IT and leverages the future use cases (or workflow scenarios) that are derived from the assessment. This allows the technology architecture to evolve and conform to the needs of the business.
4. Design, Build, Implement and Maintain
This step demands leadership and accountability to the roadmap. It falls under security program management. It manages all the people, processes and tools needed to deploy, train, and maintain the program initiatives.
5. Operate, Improve, and Innovate
This step also demands security program management. It defines the leadership and accountability tools that will leverage the reports from the security information management system to effect:
- Process optimization
- Technology optimization
- Risk optimization
- Compliance optimization
- Resource and project management to support:
- Internal processes
- External vendors and internal resources
We believe the first element of the value stream that is served by risk, threat and vulnerability consultants and their role in the master security plan, is one of the most under-leveraged assets in the security and business community. The world of business is constantly changing. And change is not always predictable. The risk assessment process provides the means to identify what risks are meaningful to the business.
We predict that this community has the opportunity in 2014 to create new levels of value for their clients by:
- Creating a repeatable process that integrates into the practices of the organization and delivers persistent value. Ensure that the assessment is never seen as episodic. Rather, it is seen as part of a continuous process and quality improvement strategy, as well as real-time continuous compliance.
- Adapt this process to new technology platforms that can accelerate the aggregation of data, create real-time communication between client and consultant(s), and provide an online report and database that can be hosted, stored and repurposed within a master security planning process. (Ensure this data is refreshed and dynamic as part of a security operations plan.)
- Capture the security operation workflows, the tasks performed by their people, and the actual use patterns of the technology they use to deploy as part of the assessment.
- Capture how security intersects with the core business workflows (processes) of the organization. How does this intersection mitigate risk and still maintain or improve performance?
- Leverage the measures from the workflow analysis to form the basis for monitoring of performance (program management):
- Technology performance (To a .99999 standard like other mission critical applications)
- Vendors that support the operation
- Identify and mitigate risk by providing the means to generate real-time, highly visual reports to monitor how evolving risk conditions may intersect with the business to allow for a disciplined and proactive response.
- Ensure that optimization of business (and security) processes are focused by generating persistent reports that monitor value and return on investment in the language of the business.