The Colliding Worlds of Business, IT, and Security
Sep 15, 2020Thanks to Rick Gamache for a great offline conversation that is worth sharing publicly.
Thesis
The number of new technologies isn't helping the dispersion of workforce in the industry, and it is making security harder than it has to be.
A few things to consider:
- Complexity! Technology is much more complex today than it was 20 - 30 years ago. Identifying weaknesses in your technology infrastructure is almost impossible because most people don’t understand 100% of what is deployed to support business operations. Even worse, few people understand what is deployed. For businesses, how do you depend on processes and technology you don’t understand? For security, how do you protect processes and technology you don’t understand?\
- System security engineering helps solve some of these problems. A dedicated effort to achieve a defined level of trustworthiness in systems is valuable. Building security into the SDLC is an effective approach to ensure the system that is delivered has the features and functionality that support the business and support security goals. Unfortunately, SSE is hard to apply to existing systems that were not well documented. SSE is also hard to apply to cloud services that you depend upon but have little control over.
- Enterprise architecture frameworks like TOGAF and SABSA also help. EA is imperative to ensure an organization understands business processes and the technology and communications layers that allow those processes to function. Once you understand the business process, you can evaluate the risk to the process and put controls in place to manage that risk.
- Understanding business processes is also critical for evaluating emerging technology. Do I *really* need that shiny new "next generation" solution that is "best in class" if it provides no meaningful improvement in the operation of my business processes or my security posture? Probably not! Considering these items will help manage risk effectively and reduce technical debt from investing in the wrong products too soon.
What do you think? Please reply and share with friends. I am sure other people have great ideas that add value to the conversation.
Please join us on LinkedIn to continue the conversation.
Don't miss a beat!
Get regular content, event updates, cybersecurity news and much more delivered straight to your inbox.
We hate SPAM. We will never sell your information, for any reason.