How CSOs are aligning their efforts with the goals and operations of businesses
Tripwire is a leading global provider of IT security solutions for enterprises, government agencies and service providers who need to protect their sensitive data on critical infrastructure from breaches, vulnerabilities, and threats. Thousands of customers rely on Tripwire's critical security controls like security configuration management, file integrity monitoring, and log and event management. The Tripwire VIA® platform of integrated controls provides unprecedented visibility and intelligence into business risk while automating complex and manual tasks, enabling organizations to better achieve continuous compliance, mitigate business risk and help ensure operational control. Learn more at http://www.tripwire.com or follow us @TripwireInc on Twitter.
Info Security PG: How are CSOs and other information security professionals aligning their efforts with the goals and operations of any business?
Dwayne Melançon: There’s an important shift happening – technical executives are finding that they must appeal to other parts of the business to sustain or increase their resources. To make it easier to convey the importance of information security, CSOs are turning to “risk” as the lens to communicate value. This is a smart move. After all, most people with a business or financial background are familiar with risks and controls, so presenting things in that way makes the conversation easier.
For this to work, it’s important to gain a clear understanding of how your organization makes money and achieves its goals. You can often derive this from annual reports, business plans, or other strategic documents. When you can relate how your activities defend and enable those outcomes, the nature of the conversation changes dramatically. It becomes even more powerful when you can express the value of information security using words that are already understood by the rest of the business – division names, project names, words that mirror their key indicators, and so forth.
In many cases, the hardest part is establishing the relationship between infrastructure and company objectives. There is often no explicit “linkage” of infrastructure, applications, etc. to the business services they support, so that is often one of the first projects undertaken in this alignment process.
About Dwayne Melançon
Dwayne Melançon is Tripwire's Chief Technology Officer, where he owns a critical role in driving and evangelizing the company's global overall product strategy. He brings over 25 years of security software experience, and is responsible for leading the company's long term product strategy to meet the evolving data security needs of global enterprises.
Melançon joined Tripwire in 2000 and most recently served as Vice President of Products for Tripwire. He has spearheaded numerous initiatives during his tenure, including executive responsibility for business development, professional services and support, information systems and marketing. Prior to joining Tripwire, Melançon held leadership roles at DirectWeb, Inc., Symantec Corporation and Fifth Generation Systems, Inc. He is certified on both IT management and audit processes, holding both ITIL and CISA certifications, and is a frequent speaker at national and regional industry events.
Info Security PG: What trends are you seeing in convergence of security and risk?
Dwayne Melançon: I've seen a trend towards embracing a risk-oriented approach, but there is a long way to go. Why isn't everyone talking about risk? One of the issues is alignment. In the absence of a repeatable model to identify, analyze, and characterize risk, these conversations are hard because they end up being FUD-filled and very subjective. In these cases, it’s back to politics, posturing and gamesmanship, which isn’t good for anybody.
Without a good risk framework, it is difficult to allocate resources and you end up funding the “latest and loudest” rather than what does the most to reduce risk to the important functions in your business. If you find yourself wanting to move to a risk-based model but not knowing how, there are a lot of choices. Look before you leap - you don’t need to complicate your life - so try to find one that is simple to learn, implement and communicate, and one which has readily available training for your organization. If you don't keep these things in mind, it will be difficult to get things going, and extremely difficult to maintain a program.
Remember that a great deal of risk is about "gut" and not science. Risk frameworks should enable you to make objective decisions around inherently subjective issues - they don't create a magic formula that tells you what to do. They do create data that enable you to increase your focus on the right things and make more confident, informed decisions about where to direct your resources.
Info Security PG: What’s the best method to measure the effectiveness of security efforts? Is a proactive approach always the best approach?
Dwayne Melançon: I am a firm believer that metrics, like statistics, don’t necessarily tell the whole story. Essentially, if you can create metrics that allow you to glance at a trend line and know whether things are OK, and drive some smart questions when things don’t look right, you’re in pretty good shape.
If you know your top 5 indicators, why they are important, how they relate to what is being put into practice, and what both "good" and "bad" look like, you can be effective in using those metrics to respond appropriately and make better decisions. That’s what we’re trying to achieve with security metrics. Effective metrics should drive behaviors, decisions, and help focus the quest for a deeper understanding of what’s going on behind the metrics.
A good litmus test to determine whether your metrics are effective is to ask yourself, "If this metric were to move significantly up or down, would it drive any action or decisions in our organization?" If the answer is "No," then it probably isn't a very effective metric.
Company: Tripwire, 101 SW Main Street, Suite 1500, Portland, OR 97204 U.S.A.
Founded in: 1997
CEO: James B. Johnson
Public or Private: Private
Head Office in Country: United States
Products: The Tripwire VIA™ platform of integrated controls (security configuration management, file integrity monitoring, and log and event management) provides unprecedented visibility and intelligence into business risk while automating complex and manual tasks, enabling organizations to better achieve continuous compliance, mitigate business risk and help ensure operational control. Products include: Tripwire Enterprise, Tripwire Log Center and Tripwire VIA Data Mart.
Company's Goals: Tripwire is a leading global provider of IT security and compliance solutions for enterprises, government agencies and service providers who need to protect their sensitive data on critical infrastructure from breaches, vulnerabilities, and threats. Our goal is to provide real confidence to information security and risk management professionals and allow them to connect security to business goals.