64 ◾ Security Strategy: From Requirements to Reality
technological solutions. Yet, security professionals are well aware that organizational security does
not result from technical infrastructure alone. e security of an organization’s assets requires that
all organizational employees work together to ensure a secure organization. Security issues are
business issues, not just technology issues, and should be framed as such. Moving an organization
from a compliance-based security model to a holistic model requires changes not only in technol-
ogy, but also in the processes, people, and organization itself.
at being said, it is still important to review the technology arena for input into an environ-
mental scan. e key is to not overemphasize the importance of technology in how the rest of the
organization perceives security problems. ere are two major areas to consider in looking at the
technology arena: the technical environment (present and future) and the technical culture(s) of an
organization. e technical environment of the present is a survey of the infrastructure of deployed
technologies in place organizationally. A survey helps identify what systems are in place, the level
of sophistication of those systems, legacy systems that will need to be updated or replaced, and so
on. In a large and complex organization, this task can be a daunting one, for hundreds of thousands
of assets may need to be identifi ed. is type of survey will often require security to coordinate
multiple departments to get an accurate assessment. ere is also the question of “right” technol-
ogy. Does what we are doing now make any sense? Are we really providing value for the enterprise?
Careful analysis of customer requirements and the benefi ts provided will help inform future tech-
nology decisions.
A future sur vey helps identif y what technologies are likely to be employed, should be employed,
have convergence implications for security, and/or what potential cost/savings implications will
accompany those technologies. e technical culture(s) input is more a look at specifi c organiza-
tional subcultures that have developed as a result of supporting various technologies. is can be
extremely important later in strategic planning as communication and solutions are devised for
determining how best to accommodate those subgroups.
As increasing numbers of organizations begin to move toward more systemic approaches to
security, the technology drivers also began to shift. In a purely compliance environment, technol-
ogy reviews tend to remain a functional security responsibility. e focus may be on increasing sur-
veillance equipment and the like for security personnel to better monitor control access points and
information systems and to observe the behaviors of individuals on or adjacent to company sites.
As an organization moves toward a “commitment focus” for security, the technology require-
ments begin to shift as well. Technology is now evaluated for alignment with strategic objec-
tives around likely reduced impact or disruption to organizational work fl ow, cost eff ectiveness,
reliability, and consistency. When technology changes are made, they are widely communicated
through the workforce in order to create a greater willingness to accept and use new technology.
Consideration is given to how security technology will impact the entire value chain system of the
extended enterprise. is requires designing technology systems and processes that create secure
but easy access to relevant information by all partners, suppliers, and customers.
An environmental scan typically includes all of the arenas we have considered so far in its inter-
nal and external analysis. From the arenas of regulatory and legal infl uences, industry standards,
marketplace and customer data, organizational culture infl uences, national and international
inputs, and technology infrastructure come the determination of business drivers. e forces that
are primary business drivers for an enterprise versus the security group may diff er somewhat, but
it is important to understand both sets in order to eff ectively determine a strategic plan for moving
your organization forward.
TAF-K11348-10-0301-C004.indd 64TAF-K11348-10-0301-C004.indd 64 8/18/10 3:03:56 PM8/18/10 3:03:56 PM