Being in and remaining in a “secure state” requires a continuous process of awareness, preparedness and readiness. It is a highly demanding, cross-domain activity that covers nearly all aspects of an organization and involves resources with different skills and levels of expertise.
The triumvirate of People, Process and Technology are mandatory to achieve and maintain a secure state. Technology, as the enabler, is the most reliable resource to provide information confidentiality, integrity and availability. Technology by itself though cannot be a substitute for nor constitute “Enterprise Information Security”.
People are essential to both the business and information security lifecycles. People, are the information owners, custodians, clients or users and as such need to be educated, trained and motivated in all matters of security. The people aspects of information security are the ones that get us into the most trouble. We desperately need the human intelligence, the decision-making capabilities and the inquiring mind but we also have to be able to control the very human faults that usually occur when things get rough. We need to add controls into all business processes in order to mitigate these risks, whether accidental or malicious.
Processes and procedures are used as the “glue” regulating the way People and Technologies interact with each other. Procedures are critical, yet are hard to define, maintain and enforce. Getting People, Processes and Technology to cooperate has been incredibly difficult to achieve. This is why the human vector (People) have been and remain the weakest link and also why most incidents of fraud and electronic crime base their attack strategies on human foibles, lack of awareness and the desire for either money and power or “just wanting to help out”.
Up until now, the dependency on security technology solutions has been overwhelming. Enterprises continue to base disproportionate amounts of investments and resources on pure Technology as the way to protect themselves. This reliance on “set-and-forget” investments is, has and will remain a massive problem for companies of any size as they try to come to grips with the new world order of information security.
This triple problem needs a triple solution. Three-Dimensional Security Management is the new way to view, understand and manage Information Security Frameworks. Integrating People, Processes and Technology in balanced and holistic environment greatly improves an organizations information security posture by controlling and monitoring the technological aspects of security as well as human actions and adherence to established processes and procedures.
Effective and efficient security governance needs to leverage the human factors by regulating their interactions with technology. Intelligent workflows and process management thereby become the substance upon which this next generation of Information Security Management is built.
This new Security Management technology is engineered to scale and adapt while providing the necessary framework, tools and modules to design, plan, build and orchestrate Enterprise Information Security Frameworks, to integrate with disparate security and business systems and their workflows and to streamline security procedures by dynamically creating the necessary controls and audit records to eliminate the possibility for error or fraud.
Applied as a horizontal enterprise-wide model as opposed to the much more technical vertical model allows application workflows and process management platforms to significantly improve the domains of interoperability, agility and vigilance.
Interoperability
By bringing all three elements together, Information Security becomes a single system. This singular system allows for much easier measurement and can be managed and monitored holistically. Most important though is the centralization of control. This centralization allows the application of heavy automation that allows the monitoring of security processes and the introduction of sophisticated controls that focus on and minimize the impact of either malicious or benign mistakes from human actions and process related risks.
This also allows for the concept of “Measurable Security”, a concept that is well known and used in other engineering disciplines.
Agility
Agility is a key security attribute. It is though, an attribute that is very difficult to achieve especially with technology based security frameworks that have a very high tendency to be brittle, unwieldy and prone to break with the slightest change in security requirements, strategies or tactics. The benefits that come about from using a security model based on agile frameworks (such as the one advocated here) are huge.
They enable adaptive planning, evolutionary development and delivery and encourage rapid, flexible and even revolutionary responses to change. Agile security models can prevent known threats but also lay down the groundwork needed for effective reactions and responses to unknown threat containment throughout their life cycle.
Vigilance
Next generation security models must have the ability to integrate advanced security intelligence to anticipate threats, evaluate risks and make rapid and informed decisions in order to contain any impact. Process automation and the introduction of a security application workflow can produce valuable security related data that was never before visible and was never used. This data can now be fed into correlation engines and produce advanced intelligence and complete the enhanced 3D security vision.
Last but not least, the correlation of physical security with information security events further enables the effective identification of logical security attack patterns that combine property violations, bypassed procedures and improper or fraudulent human behavior.
The digitization and automation of business process models has been a key initiative and driver for efficiency over the last decades within the enterprise. It is now time to apply these same principles to the field of information security and its management.
We have found that this procedure automation and workflow integration brings about a remarkable visibility into the information security management process. It is becoming imperative that companies of all sizes rationalize their investments in the until now separate disciplines of technology, process and people aspects of information security. It is becoming increasingly expensive to build and maintain them separately from each other.
Companies and their management need to make a fundamental shift and embrace such initiatives by working through the existing shortcomings, applying 3D InfoSec platforms and adopting new concepts that balance the technical controls with existing process and methods for applying security to employees, partners and third-parties that act on our behalf.
Information Security can no longer be thought of as the application of a finite set of projects or products. A new era has dawned and we are uniquely capable to transform an organizations Information Security into an agile, interoperable and vigilant three-dimensional protection and prevention platform that is able to handle emerging threats, changes to regulatory requirements and able to adapt to changing business needs.