Security and the Enterprise: Connect What?

Thursday, September 20, 2012

Tripwire Inc

Article by Michael Thelander

In the next few weeks and months we’re going to talk a lot about “connecting” stuff.

We’re going to use the phrase “Connecting security to the business” with almost annoying frequency. Not to be annoying, but because it’s important: it can change the way the business views security, and the way security views the business.

This calls for a primer of sorts: What do we mean by all this “connecting security to the business” talk?

What Dis-Connected Security Looks Like:

  • “We bought some of that next-gen firewall stuff … it doesn’t impact users and it’s fun to play with.”
  • “I treat every business unit the same. I use the peanut butter approach to cover everything.”
  • “The business keeps making decisions that impact security and force me to play catch-up.”
  • “I told them their servers failed CIS benchmark 1.9.6 for anonymous SID/name translations. They looked at me like I was speaking Greek.”
  • “I avoid conversations outside of the IT security or risk groups.”

The other side of the coin demonstrates what “connected security” is all about. It’s less technical than it is relational. It’s more about the business than it is about the technology or the threat-du-jour.

What Connected Security Looks Like:

  • “I know what the business’s Top 3 initiatives are for the year…and so does my team.”
  • “And we’re developing a plan to support them.”
  • “I like it that business units come to us and ask risk questions because they know we won’t peddle FUD.”
  • “The business trusts us to provide an objective measure of security posture.”
  • “We’re seen as business enablers.”
  • “I like taking conversations about IT security to sales, finance and fulfillment.”

That’s probably enough primer for now. The story will get clearer as we unravel more of it.

Cross-posted from Tripwire's State of Security
