When I look at security organizations, I often see them doing everything but mainly focusing on governance and compliance. The key question from my point of view is: Where does security add value? Why should the business (besides compliance with laws, regulations, policies and common sense) even focus on security?
If we try to abstract from the key frameworks, which have a lot of reason to exist, to me there are five themes which pop up in today's world to really bring security forward:
Let me briefly give you a high-level view on the themes above:
- Cyber Defense: This is all about intelligence, situational awareness and response. I think we as the overall community have a long way to go there. I am convinced that all the data needed is available from different sources, but due to the lack of willingness for sharing and collaboration we get the short end of the stick compared to the bad guys. Something I might drill into deeper in another post.
- Data-Centric Security: Basically the right term would be business-centric security, but let's not be too radical. I am convinced that if we focus more on data, we will focus more on the business. My ultimate dream would be an architecture where the data itself decides about access and offline storage based on certain key criteria. Something I will definitely elaborate further in another post.
- Risk Management: Something we have been doing for ages, haven't we? I think we are fairly good at managing risks. We know how to work on reducing impact, on reducing probability etc. However, how do we collect risks and how do we actually rate them? This is more an art than an engineering practice, and this has to change. I do not (yet) have the silver bullet, but I know that we need to improve.
- Legal & Regulatory: I put it on there to make sure everybody understands that I do not forget this part. I know that we have to follow some rules, and rightfully so. But not everything can and shall be solved by technology. If people fail to obey, there are administrative consequences to be taken.
- Culture: I already hear the security people saying "yes, culture is important, people have to take care of security", and that is absolutely true! No doubt about that. But what I would like to see is the security people changing as well. We need to be an asset, not a pain. We need to help solve business problems; we need to be a partner. I have often said that I do not want to hear a "no" nor a "yes, but" from security people. I want solutions, not problems.
I will definitely continue to blog with more details along this line. This is my current line of thinking. I know that there is a certain probability that reality will hit me at some point.
Any ideas? Thoughts?
I am more than happy to engage in a discussion; actually, I would love to get your feedback.