Introduction
I need you to find a way to keep compliance from putting us out of business!
Ron Markezich
Corporate Vice President, Microsoft Online
Security as a business—what a concept! And to many security professionals it’s a concept that few have had time to consider or have needed to consider. Compliance changed all that; it pushed information security into the executive suite where it’s not only a jail sentence but a huge drag on the bottom line. Combine that with a major economic downturn and one has a lot of incentive to make security a value proposition. Both of us have watched this requirement develop in corporations and have witnessed security professionals struggle to get a handle on what it means to be a valued business partner.
We see two recurring themes: first is the lack of good business processes on the security side and second, a diminished understanding of the value of security on the executive side. It is these two issues that have inspired us to write Security Strategy: From Requirements to Reality. Our primary goal in writing this book is to teach security leadership and security practitioners how to select, develop, and deploy a security strategy appropriate to their organization. Our secondary goal is to support the implementation of strategic planning initiatives, goals, and objectives with a solid set of security tactics. It is also our hope that executive managers, marketing, and other business units will use this book to better understand the value security brings to the organization in the compliance-centric 21st century.
Businesses cannot survive in today’s marketplace without information technology (IT), and IT cannot survive in today’s computing environments without security. Today’s leading companies are those that have solved the security conundrum and learned to leverage security to promote innovation, grab market share, and enhance brand. When Microsoft was being flogged by the industry for poor security, Bill Gates created a trustworthy computing initiative that united the company behind a single strategic goal: “to focus our [Microsoft’s] efforts on building trust into every one of our products and services.” In less than 10 years Microsoft propelled itself from whipping boy to market leader through innovation, commitment, and solid strategic planning. One of Microsoft’s key initiatives was to consolidate security services into a single customer-facing entity (the Microsoft Security Response Center). This is a strategy that we see as critical to the future success of security management. There should be one person to contact, one number to call, one website to visit, and one operations group to receive and respond to security events. It should never be the customer’s responsibility to figure out who to call while dealing with a difficult or emergency situation.
We also believe in building a culture of security. Employees are your first line of defense; none of them leave their houses in the morning without locking the door, and none of them should leave their worksites at night without locking their computer and sensitive documents away. If you really want your employees to be your first line of defense, you need to teach them how, and you must be readily available, helpful, and responsive when they call. When the quality of Ford products began to diminish, the company moved Quality Assurance from a business unit to a business culture. Quality became “job one” for everyone working at the company from Bill Ford’s Quality Council to the autoworker at the St. Paul assembly plant. This is our view of security; it is job one for every employee, and it needs to be promoted as such.
The challenges are substantial but not insurmountable. It will require a lot of effort on the part of the security group to build the strategic planning skills required, and it will take a fair amount of forbearance on the executive management side as things stumble forward. But the end results in cost reductions, brand enhancement, and operational efficiency are well worth the effort. Let’s get started!
Approach
This book presents business strategy for security groups and tactics for implementing that strategy. It is unique in its approach because it focuses entirely on security strategy planning and execution. The book is about finding the strategy that works in your organization, building it, and implementing it to see real results. You won’t find any point solutions here, no silver bullets, no magic formulas. What you will find is a comprehensive look at the structures and tools required to build a security program that really does enable and enhance business processes in your organization. The book is based on our experiences in working with large security groups to build and implement strategic plans and tactical solutions, but the book is equally applicable to smaller organizations looking for long-term security solutions.
We have divided the book into two parts. The first part is about business strategy. Although it is security-centric, executive managers reading this portion of the book will totally understand it. The second portion of the book is about tactics—the means needed to implement strategy. Security professionals will completely understand this portion of the book. The real value for both groups of readers will be reading the portions of the book that are not familiar to them. It is our hope that in so doing a viable synergy will develop between the two groups, one that allows security to take its place as a valued partner and contributor to the success of the enterprise.
Much of the security conundrum organizations find themselves in didn’t develop overnight; it has been a long time in the making. While corporate (facilities) security is a long-standing discipline, information security, especially in the network arena, is a relatively new discipline, one that has been in an almost nonstop fight against an onslaught of attacks and a continuously changing landscape. It has taken time to develop the tools, processes, and skills needed to build effective security solutions. Although much remains to be done, the security industry has finally found itself in a place where it can begin to be proactive. A major part of that proactive effort is learning how to become a full-fledged partner in the business.
Security must become part of an organization’s standard business processes and a partner in the promotion and profitability of the business. For years security professionals have been talking about how security enables the business; well, now it’s time to step up and prove it. So roll up your sleeves, bolt on your armor, and get ready for some giant-killing ideas. Welcome to the business of security.
SIDEBAR: HOW TO READ A BUSINESS BOOK
1. Decide, before you start, that you’re going to change three things about what you do all day at work. Then, as you’re reading, find the three things and do it. The goal of the reading, then, isn’t to persuade you to change, it’s to help you choose what to change.
2. If you’re going to invest a valuable asset (like time), go ahead and make it productive. Use a Post-it or two, or some index cards or a highlighter. Not to write down stuff so you can forget it later, but to create marching orders. It’s simple: if three weeks go by and you haven’t taken action on what you’ve written down, you wasted your time.
3. It’s not about you, it’s about the next person. The single best use of a business book is to help someone else. Sharing what you read, handing the book to a person who needs it…pushing those around you to get in sync and to take action—that’s the main reason it’s a book, not a video or a seminar. A book is a souvenir and a container and a motivator and an easily leveraged tool. Hoarding books makes them worth less, not more.
Seth Godin
Terms Used in This Book
Business unit—To eliminate confusion between the organization as a whole and the business suborganizations such as departments and divisions, the term business unit has been chosen to refer to these suborganizations.
Consumer/Customer—The terms consumer and customer are used in a general sense. These terms include those external entities that purchase products or use services from the organization as a whole, as well as those external or internal entities that use the services of a business unit within the organization, for example, business units that use security services and/or products and are subject to security governance.
Core Competencies—Core competencies are the specific strengths of an organization that provide value in a market space.
Core Values—Core values are the operating principles that guide an organization’s conduct and relationships.
Corporate security—The terms corporate, physical, and facilities security refer to the group that manages the security of physical assets such as facilities, equipment, and inventory. Corporate security is typically responsible for surveillance, building access controls, security officers, loss prevention, and associated events.
IT security—IT security refers to the group that manages the security of information assets stored, processed, and transferred on computer-based technologies. IT security is typically responsible for the confidentiality, integrity, and availability of digital information, compliance with statutory, regulatory, and industry requirements, and business continuity/disaster recovery planning for IT services.
Organization—This term, used in a generic sense, refers to for-profit and nonprofit businesses (companies, corporations, and enterprises) and government entities/agencies.
Security—This book takes a holistic approach to security, so the terms security and security group encompass both corporate and IT security functions.
Security group—To eliminate confusion between the organization as a whole and the security suborganization, the terms security group or security function have been chosen to refer to the security suborganization.
Stakeholder—A stakeholder is a party who is or may be affected by an action or actions taken by an organization, for example, employees, managers, board members, shareholders, customers, contractors, vendors, and partners.