
christopherkill
ServiceNow Employee

I am drowning in IT security tools

In a recent Google search for IT security I was presented with 798 million results on ways to secure my IT environment. After clicking on a few of the many results, it was clear to me that every approach, product, and opinion was exactly what I needed. However, it also occurred to me that every approach, product, and opinion was exactly what I was not looking for. How is this possible, you may ask? Simple. We have been dependent on tools and best-of-breed products to provide the results that we are striving to achieve. Now, let's turn our thought process in a different direction for a moment. Instead of listing the security controls I need to comply with in my organization, it is a much simpler approach to focus on my organization's business goals and on how security frameworks protect the business, its customers, and all data transactions.

"…focus on my organization's business goals…"

Business goals instead of IT security tools, did I hear you right?

Yes, you did hear us right. When IT stops focusing solely on security frameworks, security tools, and security standards, you will quickly realize that the one group that never had a voice was your business. How could the business not have a voice in its own security posture? Simple. The business trusts IT to secure the business, and IT may not understand what the business is actually trying to accomplish. This is the perfect time to talk about the importance of an IT strategic business plan, but we will save that for another time. The point is to be connected and engaged with business leadership to understand goals, risks, and market adjustments. This is not a one-time conversation. This is an ongoing discussion and effort between IT and the business. Once you feel more connected to the business drivers and desired outcomes, you can start sharing the IT security controls with the business. This should lead to a collaborative discussion and not a one-sided IT security framework discussion. While there are security controls for certain industries, such as SOX, HIPAA, HITECH, and PCI, these should not be used by IT as the only discussion points. Keep in mind that most of these are guidelines and should be adapted to the company's mission. Educating the business on these controls, rules, and frameworks is important. Cascading that information from the top down into the operational departments is the real key to achieving IT security compliance. IT security is not a destination or a project. IT security is a business objective that must be understood at the top and practiced in each department. In your discussion with the business, it is very important that they understand that security is not something that IT "does".

"…the one group that never had a voice was your business…"

I am aligned with business goals and framework; what do I do next?

Congratulations, I think. Your first instinct is probably to call a meeting with your IT subject matter experts to discuss security tools, reports, and an overly complicated ETL process to share the security posture of the IT department back to the business. Sounds like we have made little to no progress. Your first step should be engagement of business and process owners. A great place to start is department heads and middle managers. Before retooling your IT systems or asking for more budget, you need to understand the daily flow of business operations and the data being produced. Part of this investigation is also to understand how the same types of data are being used across different departments and applications. After collecting the data types, the applications in use, and the general flow between departments, you can then have a real conversation with the internal IT security team to match the operational data, IT security controls, and business goals. Now that all three groups are aligned, a comprehensive review of existing tools can be made. You now have the information to understand where all of the gaps are in your IT security journey and to begin the remediation process. Now, really, congratulations!

"Your first step should be engagement of business and process owners."


Blog contributors

aaron.dixon

christopherkillion