Solving “Big Problems” in Security by Building a Service Model

Remediating strategic security concerns can be very difficult, particularly in large organizations with diverse and rapidly evolving product lines. While security is critically important for every part of an organization, individual security risks are not necessarily the most urgent problem to solve for all teams at the same time.

That means our ability to effect widespread change on a timetable that seems reasonable (to us) can be a real struggle. Oftentimes, security teams fail because they try to solve all of the world’s problems at once.

At first blush, it makes sense to go after the problem everywhere it exists, considering economies of scale and all. Unfortunately, that doesn’t translate so well when attempting to push work onto teams with competing priorities. “Fix this now” is not really an effective motivator. There is another way, though, that works particularly well for the “BIG” problems, and that’s developing a service model that teams can take advantage of on a timetable that works well for them.

Metrics Develop Interest

If you can’t measure it, you can’t sell it. Regardless of whether your “big problem” is log management, threat management, or identity and access management, you can measure it specifically for every team in your organization. Some may be successful, others may struggle, but if you start measuring it regularly and effectively you can demonstrate a problem that can be solved.

Capabilities Solve Problems

Tools are not solutions (no matter how much your vendors may insist otherwise). Solutions are principally capabilities an organization must develop to evolve. Other teams in your organization have no idea what any particular tool does for them, and they have no reason to retain that information if you explain it to them.

Instead, develop a story around the capabilities you want to deliver as a service that addresses the specific problem your organization has. Remember your metrics? Those are now riding shotgun on the road to risk remediation. Keep them handy and keep them coming, month after month. Trending data is a beautiful thing!

Service Models Are Tangible

A service needs to be a tangible thing. Would you buy a service from Amazon, Google, or Microsoft if they couldn’t demonstrate it to you? Neither would the others in your organization you are trying to sell to. You must be able to clearly show how the capabilities you are proposing will not only directly affect the metrics you are delivering (i.e. reduce risk), but also improve the management of that team’s solution. Good security practices often result in big operational wins.

Operationalization is key. There should be a clear path (in the form of a process flow) from service request to service fulfillment. You should also be able to demonstrate how the management of the service will be maintained over time.

That also means clearly understanding the financials. Gaining executive approval to deliver a service in this way depends largely on demonstrating a firm understanding of what it will cost to establish and maintain the service, as well as a pricing model to calculate how much it will cost to onboard typical use cases. You can demonstrate a positive cost/benefit ratio by highlighting the operational benefits.

...and keep it simple! Your target audience needs to know what you are doing for them, not how you are doing it for them. Keep it high level.

Market the Solution

At this point, you have trending metrics creating market demand and a very consumable solution with a clear cost model. The marketing is practically done for you, but there is still real work to be done. The most effective thing you can do is begin to socialize the solution across the organization in a very positive way and ensure your new capabilities are already on roadmaps around the organization.

Developing a service model like this moves Information Security from being a source of unwelcome work to a solution provider that can demonstrate real, tangible value to the organization in a very consumable way.

Best of all, taking a measured approach such as this generally leads to teams taking a fresh look at what caused this “big problem” with their solution in the first place. Typically, this results in the streamlining of accounts, systems, or processes in order to reduce the cost of onboarding the capabilities you are offering.

This is a BIG security win, a BIG operational win, and a BIG financial win!


About Rebecca Harness

Rebecca Harness is a Business Information Security Officer (BISO) for a publicly-traded, global information solutions company. As BISO, she champions security initiatives and recommends strategies to mitigate risk, facilitating innovation and new product development. She’s also responsible for representing the business unit’s security program in client-facing engagements, conferences, and industry forums. Prior to her current role, she was an influential cybersecurity leader for one of the world’s largest transportation providers, known for transforming information security efforts into well-orchestrated programs. There, she developed an innovative methodology for delivering key information security priorities as a service model, leading to quicker adoption enterprise-wide while significantly reducing operational costs. She also led and modernized their global, multi-brand PCI Assessment and other compliance initiatives. In the early 2000s, Rebecca developed one of St. Louis' leading Managed Services Providers from a startup in a spare bedroom into a mature consulting company with 30+ employees and 150+ clients in the Greater St. Louis Area. Rebecca holds many certifications, including ISACA Certified Information Systems Auditor (CISA), ISC2 Certified Information Systems Security Professional (CISSP), and GIAC Security Leadership Certified (GSLC). She’s also a proud alumna of Hastings College and a longtime member of the Society of American Magicians.
