We live in an age where there is so much exposure to risk and information security pitfalls that when data gets out -- it gets out in a big way. Devastating security breaches are becoming routine in the media, and those are only the ones we hear about. There have never been more ways for sensitive data and corporate assets to be poorly managed.
So how do large, complex companies and governments better protect themselves? How do they manage new compliance regulations that spout up and change constantly? How can people and processes be better organized to thwart bad practices before they lead to potentially catastrophic losses?
Surprisingly, the answer has more to do with management methodology than security technology. In this sponsored podcast discussion, learn from HP (NYSE:HPQ) security expert Tari Schreider how a comprehensive new security management approach, called Information Security Service Management [ISSM] and its reference model, offers companies a comprehensive framework with which to finally come to grips with myriad corporate risks and daunting compliance requirements.
Here are some excerpts:
When we read about a breach of security -- the proverbial tape rolling off the back of the truck with all of the Social Security numbers -- we find that, when you look at the morphology of that security breach, it’s not necessarily that a product failed. It’s not necessarily that an individual failed. It’s that the process failed. There was no end-to-end workflow and nobody understood where the break points were in the process.
It’s not unusual for us to present back to a client that they have three or four different identity management systems that they never knew about. They might have four or five disparate identity stores spread throughout the organization. If you don’t know it and if you can’t see it, you can’t manage it.
HP's ISSM ... positions security as a driver for IT business-process improvement. It reduces the amount of operational risk, which ensures a higher degree of continuity of business operations. It’s instrumental in uncovering inadequate or failing internal processes that stave off security breaches. It also turns security into a highly leveraged, high-value process within your organization. ... It allows you to actually make security sticky to other business processes.
When I sit down with CFOs or CIOs or business-unit stakeholders, I can ask one question that will be a telltale sign of whether they have a well-managed, continuously improving information security program. That question is, "How much did you spend on security last year?" Then I just shut up. ... They don't have any answer. If you don’t know what you are spending on security, then you actually don’t know what you are doing for security. It starts from there.
We show them that they actually have 40, 50, or 60 [security products], because they're spread throughout the organization, and there's a tremendous amount of duplication. ... Today, security controls are buried in some spreadsheet or Word document, and there is really no way to manage the behavior of those controls.
We want to work with that individual and position the ISSM Reference Model as the middle layer, which is typically missing, to pull together all the pieces of their disparate security programs, tools, policies, and processes in an end-to-end system.
Historically, businesses throughout the world have lacked the discipline to self-regulate. So there is no question that the more onerous types of regulations are going to continue. That's what happened in the subprime [mortgage] arena, and the emphasis toward [mitigating] operational risk is going to continue and require organizations to have a greater level of due diligence and control over their businesses.
It seems that you are weaving ISSM together so that you get a number of checks and balances, backstops and redundancies -- so that there aren’t unforeseen holes through which these risky practices might fall.
The beauty of ISSM is that it's very nimble and very malleable. We can assign responsibilities at an attribute level for control, which allows people to contribute, and then it allows them to have a sharing-of-power strategy, if you will, for security.
It's that cohesion that we bring to the table. How they intersect with one another, and how we have common workflows developed for the process in an organization gives the client a sense that we are paying attention to the entire continuum of continuity of business.
Businesses are run on technology, and technologies require security and continuity of operations. So, we understand that this is a moving target.