The Business of Security is the Business

Feb. 10, 2012
Why integrators must focus on their customers' business needs, not just their customers' security needs

Some of you reading this may be a competitor at some level. Why would an integrator want to share their strategic perspective on the market with their competitors?

My answer: I absolutely believe that change is inevitable in our industry. I believe we can thrive in the midst of change by helping others advance the value of our profession. We are in an industry that requires a certain trust fabric. Our clients need us to collaborate, share lessons and leverage the sum total of our knowledge and skill. If we can collectively increase the value of security to our clients we all win.

The ASG Summit in Seattle each March has always been a ‘Great Conversation.’ This year, more than ever, we are hearing from the knowledge leaders in our industry and from the next generation security executives that the ‘business of security is the business.’

Whether we are prepared or not, our world is changing significantly. Our business is now an information business. We must be prepared to build business intelligence around our client’s industry and their organizations. We must use this intelligence to understand the context of their risk. And finally, we must understand how to build or support the ‘information technology architecture’ around the management and reporting of that risk.

What is implied in all of this is that we have benchmarked technology solutions before we have recommended them to our clients. ‘Benchmarking’ means we have applied the business and risk intelligence to the performance of the technology. We have tested it. We understand how it applies to their regulatory, risk and organizational objectives. We know how it conforms to the IT architecture that supports enterprise applications. We know when, where and how to integrate with those enterprise applications to fully leverage the network, storage and computing resources that support the organization’s objectives. This will demand a different approach.

I see five key trends security integrators need to be conscious of as the market evolves. Integrators must then be mapped against the appropriate organizational pillars of our client in order to function as an engine of growth and a value generator. These trends include:

  1. The Trusted Fabric: As I mentioned in the January issue of SD&I, page 46, integrators need to create and leverage their networks. They must form partnerships to drive and accelerate into emerging markets. They must do this because, for most companies, the risk and investment are too high to go it alone.
  2. The Risk Value Equation: A methodology for measuring and reporting on value will become the tool for the leading consultants and integrators. The business, not just risk management or security, will begin to pay attention.
  3. Optimization to Innovation: Integrators’ assessment practices will find the client’s redundancies within their infrastructure. ‘Convergence’ will return as a term for optimizing their clients at a management, process, people and tool level. In certain cases, performance-based contracting (billing based on performance) will become a specialty of a few leading organizations. These savings will fund innovations that will compress cycle times, reduce budgets and connect to the business in ways that would not have been possible previously. Virtualization (the cloud) will begin to be a part of every engagement on one level or another. Identity consultants and architects will be in high demand, especially when they create the ROI and contract model needed to re-architect how identity gets managed.
  4. Information and Intelligence: A portal or dashboard with a backend database will begin to be hosted and/or architected with every risk assessment. Aggregating and updating by subscription the critical documentation around regulations and compliance, and connecting it to protocols (managed workflows) that fulfill the mandate, will be in high demand. Some companies will also recognize the value of aggregating the stored but scattered knowledge residing within the organization and will move to aggregate, organize, store and manage this information as well. Business (competition, supply chain, and socio-political/country) risk will also be recognized by leading integrators as a potential source of data that links to the value.
  5. Methodology and Metrics: Templates for managing the data that is derived from the people, processes or tools, including the network, applications, and/or the sources that are being monitored, will lead to reports that begin to connect to organizational goals for budget optimization, process optimization and velocity (Service Time to Value).

A ‘next-generation’ integrator for the ‘next-generation’ security executive will be able to articulate all of these in a manner that relates to the client’s organizational objectives because ‘the business of security is the business.’