By Scott Alldridge, President, IP Services
Cybersecurity breaches seem to occupy too many headlines these days. There seem to be so many attention-grabbing examples of how inadequate information, application, and IT security can impact our businesses. There is documented evidence that security breaches can affect brand, marketplace trust, customer privacy and identity, not to mention the bottom line. The proliferation of security laws and regulations demands an ever-increasing share of our attention and effort, with escalating consequences for noncompliance. In spite of this, we somehow see vendors influence the cybersecurity space with yet another “point-based” solution, promoting a better firewall or some angle on threat intelligence, while security breaches and incidents are outpacing spending on security almost 2 to 1. Certainly we need best-of-breed and proven “point-based” solutions such as identity management, firewalls, and security training, but we also need to look deeper and focus on the things that have been proven to prevent breaches from causing catastrophic consequences. Often, though, with the glut of information out there and so many solutions to implement, we are left spinning in a quandary.
Answering the question “How much security is enough?” is a tough proposition. Security is hard to put your finger on. It does not reside in a particular location and is accomplished through a diverse combination of people, process, and technology controls. Adequate security for any given product, service, or organization is determined by tolerance for risk – easy to say, hard to quantify, and constantly changing.
While we’re trying to get our heads around these complex issues and make sure we’re not the next press release (or court case!), there is a set of proven, sound practices that allows enterprise IT operations and security teams to effectively operate and maintain production systems and meet security-based compliance requirements while providing new business-driven services.
Visible Ops Security derives from years of operational experience, customer engagements, and rigorous research and benchmarking performed by the IT Process Institute. Working with top-performing organizations to tease out what differentiates them from medium- and low-performers, the authors have found that high-performing security teams have unique cultural characteristics and have employed some “key” foundational processes to drive highly secure postures within their organizations.
Based on this research, Visible Ops Security identifies four phases for integrating information security into development and operations so that it becomes business as usual. The steps for each phase offer a prescriptive sequence of measurable actions, supported by real-life examples that readers can easily identify with and use to help build momentum and support. By working together, development, security, and IT are in a better position to achieve common objectives and demonstrate business value.
I would propose the following working thesis around security: no breach happens without a change or a need for a change. So the somewhat obvious solution is managing change. This raises the question: how do you effectively and appropriately apply change management to your IT assets? Our research and data, collected in partnership with the IT Process Institute, show through quantitative analysis that using the following three processes together in the appropriate way creates a “closed-loop” process for effective change management: Configuration Management, Change Management, and Release Management.
Finally, coupling these foundational process controls (Change-Config-Release) with proper tooling, such as Security Information and Event Management (SIEM) and Integrity Management (IM), can provide an organization with the ultimate “back-stop” in security. But remember, “a fool with a tool is still a fool”: having the right expertise, tools, and experience is vital. Delivering meaningful monitoring at this level is always challenging, so looking to a security-as-a-service model can be the most cost-effective and efficient decision you will ever make. To learn more, visit: http://ipservices.com/managedcybersecurity.html
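The “closed loop” described above (Configuration Management supplies the known-good baseline, Change Management supplies the approved change records, and Integrity Management detects what actually changed on the system) can be illustrated in a few lines of code. The example below is added here and is not code from the article, from IP Services, or from the IT Process Institute; the file paths, hash values, and change-ticket identifiers (such as CHG-1001) are constructed sample data, and the change-record format is an assumption made for the illustration.

```python
"""Closed-loop change reconciliation: integrity-monitor findings compared
against approved change records, so that only unexplained changes are
escalated (for example, forwarded to a SIEM as alerts)."""
import hashlib
from typing import Dict, List, Tuple


def sha256_hex(data: bytes) -> str:
    """Hash file content; the hash is the configuration-baseline fingerprint."""
    return hashlib.sha256(data).hexdigest()


# Constructed sample: contents of the approved release (the configuration baseline).
RELEASE_CONTENT: Dict[str, bytes] = {
    "/opt/app/bin/server": b"ELF-placeholder-v1.2.0",
    "/etc/app/config.yml": b"listen: 0.0.0.0:8080\nlog_level: info\n",
    "/etc/app/allowlist.txt": b"10.0.0.0/8\n",
}
BASELINE: Dict[str, str] = {p: sha256_hex(c) for p, c in RELEASE_CONTENT.items()}

# Constructed sample: what the integrity monitor observes on the host later.
NEW_CONFIG = b"listen: 0.0.0.0:8080\nlog_level: warn\n"
OBSERVED_CONTENT: Dict[str, bytes] = {
    "/opt/app/bin/server": b"ELF-placeholder-not-from-release",  # no ticket
    "/etc/app/config.yml": NEW_CONFIG,                            # has a ticket
    "/opt/app/bin/helper": b"new-file-with-no-ticket",            # no ticket
    # /etc/app/allowlist.txt is missing: removed without a ticket
}
OBSERVED: Dict[str, str] = {p: sha256_hex(c) for p, c in OBSERVED_CONTENT.items()}

# Constructed sample: approved change records from the change-management system.
# Assumed format: each record names the path and the expected post-change hash,
# so an approved change is only "authorized" if the result matches what was approved.
AUTHORIZED_CHANGES = [
    {"id": "CHG-1001", "path": "/etc/app/config.yml",
     "expected_sha256": sha256_hex(NEW_CONFIG)},
]


def detect_changes(baseline: Dict[str, str],
                   observed: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (path, kind, observed_hash) for every deviation from the baseline.
    kind is 'modified', 'added', or 'removed'; removed entries carry an empty hash."""
    changes = []
    for path in sorted(set(baseline) | set(observed)):
        if path not in observed:
            changes.append((path, "removed", ""))
        elif path not in baseline:
            changes.append((path, "added", observed[path]))
        elif baseline[path] != observed[path]:
            changes.append((path, "modified", observed[path]))
    return changes


def reconcile(changes: List[Tuple[str, str, str]], authorized: List[dict]) -> dict:
    """Split detected changes into those explained by an approved record
    (path and resulting hash both match) and those that are not."""
    approved = {(rec["path"], rec["expected_sha256"]): rec["id"] for rec in authorized}
    result = {"authorized": [], "unauthorized": []}
    for path, kind, digest in changes:
        ticket = approved.get((path, digest))
        if ticket:
            result["authorized"].append((path, kind, ticket))
        else:
            result["unauthorized"].append((path, kind))
    return result


def run_check() -> dict:
    """One monitoring cycle over the constructed sample data."""
    return reconcile(detect_changes(BASELINE, OBSERVED), AUTHORIZED_CHANGES)


if __name__ == "__main__":
    report = run_check()
    for path, kind, ticket in report["authorized"]:
        print(f"OK      {kind:8} {path}  (approved by {ticket})")
    for path, kind in report["unauthorized"]:
        print(f"ALERT   {kind:8} {path}  (no matching change record)")
```

The point of matching on the resulting hash, not just the path, is that an approved change to a file does not excuse an arbitrary change to that file: only the outcome the change record described is treated as authorized. Everything in the `unauthorized` list (the modified binary, the new file, and the deleted allowlist in the sample) is what should reach the SIEM and the on-call engineer; the approved configuration edit generates no noise.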