Preface
The CEO looked up from his desk and said, “I’m sure you are all aware of our plans to form a joint venture with Coral Reef; this is a great opportunity for us but to be honest I have some real concerns about it. If you will pardon the pun, these guys are some real sharks. If we give them access to our network, they could steal us blind. I need you guys to tell me what the risks are.” The CIO looked over his shoulder, “Matt?” With a slight grin, Matt, the CSO, replied, “There’s no additional risk sir; we’ll set up a SharePoint site for the project and that’s the only thing they’ll have access to.” The CEO was about to express his delight when the CFO interrupted, “Well that might be true for remote access, but what about when they’re here on campus?” “It’s not any different,” Matt replied, “Their laptops aren’t part of our domain so they can’t connect to any of our systems except e-mail, Instant Messenger, Web conferencing, and the project SharePoint.” “But won’t they look like one of our employees if they have e-mail and IM accounts?” asked the CFO. Matt replied, “Nope, all external parties have identities that start with F dash and their badges have a different color so our employees know they are ‘foreigners.’” The CFO continued, “But they will have access to our offices and workspaces; isn’t that a risk?” “There’s always a risk that someone might go snooping around, but our identity and building access control systems are tied together. They will only have access to the buildings they will be working in, and we can track all other access attempts. We run a weekly report of all F dash building and computer accesses just to make sure they are behaving. If we suspect they aren’t, we can always review the video surveillance to see what they were up to,” Matt replied. “But they could still steal stuff!” the CFO exclaimed. Matt replied, “Yes they could, but not for long! They’d be violating the security policy they agreed to uphold and that’s reason enough to send them packing.” “Thank you gentlemen, I believe we’re good to go,” said the CEO as he dismissed the meeting with a smile and a hint of disbelief. Was his security really that good?
The answer is yes. In three short years, Matt had managed to build a security program that not only protected the company’s assets but also anticipated the company’s future business requirements and security needs. And he did it with a modest capital investment and no increase in operational costs. Impossible, you say! Not at all. Matt was able to save a substantial amount of money by converging the facilities and information security groups into a single team and converting older, expensive video and building access control technologies to IP network-based devices. He used these savings and the reductions in operating costs to train and cross-train his staff to improve effectiveness and coverage. He also got capital monies to make improvements to the identity management system and to implement some new control technologies.
Successes like this are rare in the security community, so how did all this come about? Security
strategy. Matt took the time to analyze the company’s vision, goals, and business strategies, and
then he sat down with the key stakeholders to identify existing issues, understand their goals, and
learn what their expectations were for security. Next, Matt (with the help of his team and these
stakeholders) created a three-year Security Strategic Plan aligned with and supporting the overall
business strategy. Finally, he went out and sold that plan, implemented it, and demonstrated secu-
rity’s value to the business.
Security strategy is the missing gem in many security programs. It’s not a common skill set
among security practitioners and there isn’t a lot of guidance on how to do strategic planning for
security management. It was the authors’ goal to remedy that situation by providing you with a
practical set of tools and guidance to get you started down the planning path (Section I) and to
help you build the processes and controls for implementing that plan (Section II).
There are a large number of strategic planning methodologies; trying to cover them all would be unrealistic. Fortunately, they all follow a similar pattern, so we have addressed those common components and compiled an exhaustive set of references you can use to further study the method you settle on for your company.
It is our sincere hope that this book will contribute to your success and make the practice
of security strategic planning a common discipline in the industry. Welcome to security as a
business!
Bill Stackpole
Eric Oksendahl