AlgoBuzz Blog

Everything you ever wanted to know about security policy management, and much more.


Is Security blindly driving your business?

From the CIO’s perspective, IT and Network Security ultimately exist for one reason: to ensure the organization’s business applications securely drive the business.

For IT this is fairly simple. Business applications are its business. IT is driven by the business’s needs and is responsible for enabling agility through IT. IT is involved in, and has visibility into, every aspect of the application’s lifecycle – from development through to delivery, performance monitoring and auditing.

But when it comes to Security the story is a little different. Security exists to protect business applications, their connectivity flows and data.

But, unlike the IT team, they are working blindly.

Think of it this way: a surveillance camera shows a thief attempting to break into a building. The security guard in the control center immediately knows which building it is and what’s in it – whether it’s the headquarters of the CIA containing highly sensitive information, or an abandoned building containing broken furniture. The security guard can very easily make decisions and take the necessary action based on the risks.

However, for Network Security teams today the reality is very different. In most SOCs, the enterprise infrastructure includes virtual servers spread out across on-premise, private and public cloud. When Security staff get an alert about a breach, they have neither the visibility nor the context with which to evaluate the threat. They don’t really know what is or will be affected or what the risk is. They don’t know whether the incident impacts a server running a critical business application (such as Point-of-Sale software for retail, billing software for a service provider, or a trading system for financial services), or whether it affects an application that is obsolete and about to be decommissioned. They are essentially dealing with security threats while blindfolded.

Moreover, the reality of today’s cyber war means that at any given moment a typical enterprise is likely to be facing multiple incident alerts. As a result, Security staff are overwhelmed and therefore must prioritize the handling of incidents. Yet, since they don’t have the necessary visibility into the impact on critical business applications, how can they properly prioritize? Prioritization on a “first come, first served” basis or by another intuitive method is not optimal.

Working blindly and risking your business

The fact is, by working blind Security is not protecting your business the way it should. It takes time, effort and resources to investigate and understand each and every cyber incident. It often requires multiple tools, as well as collaboration with various IT silos within the organization. (I personally heard about an organization that set up a conference call with over twenty participants in order to figure out how to prioritize an incident and what to do.) Given the volume of incidents, this process is simply not viable, and it directly affects your business’s productivity.

Yet it’s important to remember that not all applications are of equal value and importance to the business. Based on discussions with customers, only 2% of business applications directly impact the organization’s bottom line. But without any business visibility and context, Security wastes critical resources and time chasing down minor incidents, instead of prioritizing remediation efforts based on business need.

Security visibility from the business perspective

In order to manage security in this era of digital transformation, Security, like IT, needs to drive the business. Or as Gartner says, “As part of the transition to supporting a business outcome mindset, IT risk and security leaders must move from being the righteous defenders of the organization to acting as the facilitators of a balance between the need to protect the organization and the need to achieve desired business outcomes.”[1]

And for Security to be able to support business outcomes it needs business-driven visibility. Like the security guard, the SOC needs a clear business-centric view of the entire enterprise. This means being able to identify and map all the critical business applications, the servers they are using (whether on premise or in the cloud), and their flows (which are controlled by devices such as routers, firewalls and load balancers). It’s only through this application-centric perspective that SOC staff can easily link vulnerabilities and cyber incidents to specific applications, assess risk and make smart decisions on how to prioritize remediation actions based on strategic, business-driven needs.
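The mapping described above can be sketched in a few lines. This is an added example, not code from the original post or from any product: the application inventory, addresses, alert tuples and the 0-3 criticality scale are all constructed, and ranking unmapped hosts just below critical applications is an assumption made here.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass
class App:
    name: str
    criticality: int   # assumed scale: 3 = revenue-critical ... 0 = being decommissioned
    servers: list      # host addresses or CIDRs the application runs on
    flows: list = field(default_factory=list)  # (src, dst, port) connectivity flows

    def touches(self, ip):
        """True if ip is one of the app's servers or an endpoint of one of its flows."""
        addr = ip_address(ip)
        nets = list(self.servers) + [e for s, d, _ in self.flows for e in (s, d)]
        return any(addr in ip_network(n, strict=False) for n in nets)

# Constructed inventory: point-of-sale depends on a shared database at 10.9.9.5.
APPS = [
    App("point-of-sale", 3, ["10.1.0.0/28"], [("10.1.0.0/28", "10.9.9.5", 5432)]),
    App("billing", 3, ["10.2.0.10"]),
    App("legacy-intranet", 0, ["10.3.0.7"]),
]

# Constructed alerts in arrival order: (id, host, technical severity 1-10).
ALERTS = [
    ("A1", "10.3.0.7", 9),      # severe, but on an application about to be retired
    ("A2", "10.9.9.5", 6),      # database that a point-of-sale flow depends on
    ("A3", "192.168.50.4", 8),  # host missing from the application map
    ("A4", "10.2.0.10", 4),     # minor finding on the billing server
]

def enrich(alert, apps=APPS):
    """Attach business context: which applications the alerted host affects."""
    aid, host, sev = alert
    hit = [a for a in apps if a.touches(host)]
    impact = max((a.criticality for a in hit), default=None)
    return {"id": aid, "host": host, "severity": sev,
            "apps": [a.name for a in hit], "impact": impact}

def prioritize(alerts, apps=APPS):
    """Order by business impact first, technical severity second."""
    def key(e):
        # Assumption: an unmapped host is a visibility gap, ranked just below critical.
        impact = 2 if e["impact"] is None else e["impact"]
        return (-impact, -e["severity"])
    return sorted((enrich(a, apps) for a in alerts), key=key)

if __name__ == "__main__":
    for e in prioritize(ALERTS):
        print(e["id"], e["host"], e["severity"], e["apps"] or "UNMAPPED")
```

Handled first come, first served, A1 would be investigated first; with application context it drops to last, and the database alert A2 moves to the top because a point-of-sale flow terminates on that host.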

As Gartner succinctly states, “Risk-based thinking is about understanding the major perils a business will face and prioritizing controls and investments in IT risk and security to achieve business outcomes. As technological complexity increases, leaders won’t have enough money to address all threats equally. Risk-based thinking allows cybersecurity investments to be targeted where the greatest risk resides — but risk according to the business itself, not IT’s view of risk.”[2]

A final word: given the impact a cyber breach has on an organization’s bottom line, cyber risk has understandably become a visible issue for the Board. According to a recent report by Osterman Research, 89% of board members are very involved in making cyber risk decisions. Yet most board members are not knowledgeable about the ins and outs of information security and don’t always understand the information presented to them. More and more, board members are therefore demanding that cyber risk information be presented to them in a business context. Only application-centric visibility can provide this context and drive business agility–securely.

[1] Source: Managing Risk and Security at the Speed of Digital Business, Tom Scholtz, 24 February 2016

[2] Source: Managing Risk and Security at the Speed of Digital Business, Tom Scholtz, 24 February 2016
