
Data-centric or Business-centric security?

Christofer Hoff has an interesting post on his Rational Survivability blog site from yesterday regarding the devolution of security functions from centralized IT Security to the interested (and therefore theoretically responsible) business units.

It sums up very nicely the tension between centralized security functions and the business operations of organizations trying to use the (hopefully) secured resources to get actual work done. The problem is that the desire for stronger security has often resulted in increasingly centralized security power, which can be at odds with the needs of the operational business teams. The current debate (and interest) around data-centric and host-centric security is an important one to have, but the real root of the problem lies with who owns the security, not how it’s implemented.

Ultimately, security is simply one more facet of the total organizational genetic makeup. The really smart organizations are aligning their security functions more and more as a service to their business, and less like a centralized bureaucracy that issues dictates which are promptly ignored by the people on the ground. Security teams (the good ones) are focusing on driving strategy, selecting technology, and enabling the business, not disabling functionality and access to information.

The technology to deliver security capability is improving, and improving fast, especially in the areas of security workflow/process automation (something I will be covering at the Jan 20th ISC Security Leadership Seminar). As a result, the day-to-day security functions really can start to devolve to the business operational units themselves. Automated processes get defined by the security teams, but are owned by the business units and their local IT staff. This lets business users make the business decisions they need to make, take ownership of the risk associated with those decisions, and still operate within the corporate security policy defined centrally. Data-, host-, and network-centric security are all very important. Maybe a little business-centricity wouldn’t hurt either.
2 Comments
This is a tough one. Our corporate security folks seem to think that running a real-time virus scan on my company laptop is the desired way to go. But this kills my system and often comes during a customer presentation. They also like to add new software and then request a mandatory reboot. This again doesn't go well during a customer presentation. I understand the need for security; I just don't think the security folks understand my need to get quota relief.
Don: I know exactly how you feel. A few weeks ago I was all set up to start a major presentation at a security forum in Canada when my PC went into full "scan everything" mode. There's nothing quite like rebooting while the host is giving your introduction to get the pulse racing...

The reality is that there's always going to be some degree of tension between security goals and business goals. Organizations are trying to minimize this, although it's changing slowly. The organizations that 'get it' are re-evaluating security to focus on helping the businesses meet their business goals. The downside is that the business units are going to have to start taking a more active role in deciding what they need, what level of risk is appropriate, and how to integrate policy with objectives.

Even so, I'm thinking virus scans are going to be with us for a long, long time...