Sage Conversations: Emerging trends in security consulting

The Sage Group works with many organizations to assess their baseline performance and construct a viable business plan that will help them with their short and long term goals. We see many different business models and varying degrees of operational performance.

Within the security ecosystem, our experience spans most of the main elements of the security value stream. We thought we would give you insights, from our experience, into what each of these “supply-side” sectors are experiencing and what the next year may hold for them in their “path to value.”

There are five main elements to the value stream:

1. Risk and Resilience

Risk, threat and vulnerability and the security master plan: This step is fundamental to every security program.

2. Performance Baseline and Optimization

Security and business process assessment: This step provides the baseline measures around people performing roles within a core process using the technology that has been provided them.

3. Information, Intelligence and Response

Standards-based roadmap for an information management architecture: This step intersects with IT and leverages the future use cases (or workflow scenarios) that are derived from the assessment. This allows the technology architecture to evolve and conform to the needs of the business.

4. Design, Build, Implement and Maintain

This step demands leadership and accountability to the roadmap. It falls under security program management. It manages all the people, processes and tools needed to deploy, train, and maintain the program initiatives.

5. Operate, Improve, and Innovate

This step also demands security program management. It defines the leadership and accountability tools that will leverage the reports from the security information management system to effect:

  • Process optimization
  • Technology optimization
  • Risk optimization
  • Compliance optimization
  • Resource and project management to support:
    1. Internal processes
    2. External vendors and internal resources

We believe the first element of the value stream that is served by risk, threat and vulnerability consultants and their role in the master security plan, is one of the most under-leveraged assets in the security and business community. The world of business is constantly changing. And change is not always predictable. The risk assessment process provides the means to identify what risks are meaningful to the business.

We predict that this community has the opportunity in 2014 to create new levels of value for their clients by:

  1. Creating a repeatable process that integrates into the practices of the organization and delivers persistent value. Ensure that the assessment is never seen as episodic. Rather, it is seen as part of a continuous process and quality improvement strategy, as well as real-time continuous compliance.
  2. Adapt this process to new technology platforms that can accelerate the aggregation of data, create real-time communication between client and consultant(s), and provide an online report and database that can be hosted, stored and repurposed within a master security planning process. (Ensure this data is refreshed and dynamic as part of a security operations plan.)
  3. Capture the security operation workflows, the tasks performed by their people, and the actual use patterns of the technology they use to deploy as part of the assessment.
  4. Capture how security intersects with the core business workflows (processes) of the organization. How does this intersection mitigate risk and still maintain or improve performance?
  5. Leverage the measures from the workflow analysis to form the basis for monitoring of performance (program management):
    1. People
    2. Process
    3. Technology performance (To a .99999 standard like other mission critical applications)
    4. Vendors that support the operation
  6. Identify and mitigate risk by providing the means to generate real-time, highly visual reports to monitor how evolving risk conditions may intersect with the business to allow for a disciplined and proactive response.
  7. Ensure that optimization of business (and security) processes are focused by generating persistent reports that monitor value and return on investment in the language of the business.

As you can see, we predict that a next generation of risk consultant is emerging whose role is not episodic but persistent; who will take the baseline gaps and measures from the assessment and use these to create powerful bridges to a role in the architecture of a security information management approach to the security program. And finally, a role in interpreting the data through advanced analytics.

They are the community that can do it. They have the formal education in risk. They have experience with the processes security operations staff deploy and the human resources they hire. They are exposed to the technology they use and the integrators who have deployed that technology.

But consultants must find a way to persistently vet the other vendors in the value stream including other consultants, integrators and info architects. Based on this vetting process, they can create healthy and synergistic relationships that will be respected by their clients, because they have gone through the rigor and discipline of accrediting and continuously measuring them over time.

This is a new world; a collaborative world. The winners will be the clients that receive immeasurable more value and continuity from their vendors. And how shall the vendors gain?  They will not only be known by their applied knowledge within their disciplines of consulting, integration, and performance management, but will also be measured by their effectiveness in collaboration, creating a sustainable value stream in security. The sum of the parts will add to their singular value.

Is this happening today? Yes, there are a few consultants who have created foundational relationships with integrators and info architects that go beyond choosing them for a particular project. They are allowing for new levels of relationship and knowledge sharing. Although this will not be a mainstream activity in 2014, the vendors who choose collaboration will see new benefits, more productive clients, and increased persistence in their presence and value within those clients.