Canadian banking outlook 2014
Lean security operations: Value-add to the organization
We’re living in a threat environment where information security is one of the top considerations of management and the board. Chief Information Security Officers (CISO’s) face a dilemma — reduce security risks to acceptable levels within acceptable costs and in a manner that doesn’t disrupt the business or attempt to change the culture of the organization. The concept of a lean security operation is based around the optimization of the current processes and tools to reduce “waste” and adding value to the organization. “Waste” is defined as any use of resources that does not add value to the organization.
Lean security operations focus on applying lean concepts to specific aspects of security operations, such as security operations at the site level, or within supply chain operations. This can be done independently of the rest of the security function. Some examples of strategies in a typical information security operations group that can reduce waste include:
- Business alignment and value: Map the business objectives to the areas of IT risk and determine the IT controls relied upon. Controls should be implemented at an appropriate level that ensures that value is being delivered while risks are mitigated.
- Compliance processes: In today’s regulatory and compliance environment, organizations are required to carry out multiple audits/assessments such as financial audits, payment card industry (PCI) audits, and regulatory audits. Consolidating the audits/assessments and determining the commonalities can cut down on waste during the overall audit cycle.
- Re-use of policies and procedures: Rather than creating policies and procedures from scratch, purchasing and then modifying policies, procedures and security awareness programs to suit current requirements can add value in an efficient way.
- Managed security services: Certain non-value add and time-consuming security functions such as log management and firewall monitoring can be outsourced to a managed security services provider who has the tools and resources to manage and provide these services, as well as, advanced security metrics.
- Convergence of security functions: Develop a unified IT and physical security oversight team that works together for the oversight of organizational risks.
- Employ a part-time IT security expert: Small and mediumsized organizations cannot justify employing a full-time seasoned IT expert. Employ the services of an expert on a part-time basis such as two or three days per week to fulfill this need.
- Security workflow automation: Automate the current security processes such as user administration. For example, set up the HR system to automatically assign and remove security privileges for employee onboarding and departures processes.
- The biggest bang for the buck: 100% security is unachievable so the available resources should be allocated in a method that will result in the highest return on value — that is, what will address the biggest risk. Rather than focusing on perfection in one area, a series of partially effective solutions may provide enhanced protection. An example is deploying various layers of protection tools (e.g. firewalls, proxies) than deploying the most expensive, complete and narrow protection available on the market.
Managing security operations is a delicate balance of process, technology and people with a limited available budget. Lean security operations provide new methods of achieving the balance and still continue to add value to the organization while making better use of tools, technologies and people that you already have in place. Security operations teams that get involved with implementing lean security will benefit greatly by learning to value efforts by what the business values.