
Blending security

Editorial Type: Feature | Date: 03-2014







Louise T. Dunne, Managing Director of Auriga, explains how business process modelling can be used as the missing ingredient to inform network security planning

Justifying network security expenditure is always problematic, particularly in these austere times. Organisations cannot defend against every threat and so security planning has become of even greater importance, with risk assessment, impact assessment and crisis response all integral to a desirable outcome. Traditional security professionals have their work cut out in today's cost-cutting environment, but they're also guilty of a certain amount of complacency in recommending blanket security measures. Utilising a multi-skillset approach is far more effective as it demonstrates value to the organisation, regardless of size, ensuring efficiency and improvements through changes made securely.

Information security planning continues to take a security-centric as opposed to business-centric approach. When it goes wrong, is it therefore just a security issue or a business one? Time after time, history proves it's the second. A business-centric approach widens the picture and analyses how the business functions, what data it has, where it is, who it is being accessed by and what for. The key work is conducted at the process level, enabling a true picture to be created of where data has the most value. Then the security specialists can provide security protection accordingly.

It's often the case that, while the security measures might be robust, they are not aligned to business objectives and are soon rendered obsolete and not fit for purpose. Network security planning needs to be sensitive to the nuances of the business as a whole, and this requires the application of a strategic agile discipline called Business Process Modelling (BPM). BPM relies on careful cataloguing and communication to document how processes work today and the data being used. Analysis of data should already be a key part of a good security practitioner's mandate, but looking at it from a different angle at the same time will recover MROI (Measurable Return On Investment) across the business, not just in the IT environment. The result is that the value of security projects is perceived across the business and therefore more likely to be resourced and embedded.

BPM is unique because it enables resource to be utilised more effectively and improves efficiency, ensuring the business functions more productively and harmoniously. By combining the two, it is possible to ensure security planning is both efficient and beneficial. BPM sits well with information security because the two have a great deal in common. BPM is usually implemented as a framework and involves conducting simulations and testing which can be used to inform security planning. Once information security controls have been decided upon, BPM can ensure these are executed in such a way that they complement the business, improving efficiency rather than hindering working practices and preventing security plans from being shelved - which is usually the case if they are not fit for purpose and users don't see the benefit.

BPM is not just an add-on. If implemented incorrectly it can complicate matters, compromise business processes and place the person with the wrong skillset in the wrong job. For this reason, it is necessary to seek advice from those with BPM credentials; consultants that can work alongside your existing network security team and talk their language. This does not mean the BPM/security blended approach is beyond the reach of the SME but rather that it should be viewed as a similar service to penetration testing, with the added benefit that it can improve security and the bottom line.

Done well, BPM can identify weaknesses and vulnerabilities and propose security implementations that can ultimately improve network functionality and the business. A combined strategy of BPM and Security Planning has to be where the smart money lies.
