Should I bring all my shoes and glasses?

//Security agility?

General | 11 November 2008

In listening to Joel Snyder from Opus One discuss security agility at the most recent Information Security Decisions conference in Chicago, I had a few thoughts.  While I agree with some of his points, I don’t think he fully hits the mark on the “security agility” topic.  One of the main points he makes during his “no punctuation-style” presentation is that security must become more agile to keep up with the business.  The reason for this is that the business wants to innovate and be agile, and therefore security must be just as agile in order not to slow the “innovation” down.  But I would ask how many companies are fine with being average and don’t innovate.  Maybe they aren’t innovative because they have the wrong people at the helm, or maybe innovation in their industry or business model is an unacceptable risk?  I do agree that security must remain flexible, but if the business isn’t agile, are we spending too much on creating an unnecessarily agile security function?

The one thing I did take away was that security must remain flexible and not hold the business back when they want to get a little creative, which I think is different from being innovative.  The general comment was also made at the conference that security groups are moving away from daily operational tasks and closer to the business and risk management.  From my point of view, I agree that this is happening to some extent.  So if this is true, and security is now performing risk management activities for the organization, of course they are going to slow the business down.  I think the root cause of why they slow the business down is that they may not have an adequate security infrastructure in place to give them the comfort level to say, “Sure, go ahead, because I know I can prevent, detect, or react to any possible security issue that results from your project.”

Basing this on what I know about other organizations and their “security preparedness,” I would say some are a long way from getting to that comfort zone.  In fact, all the talk of where organizations are today made me feel good that we seem to be a bit ahead of the curve, which is a good thing given that the security function is so new.

In the end, I believe companies are not that innovative, and a strong security infrastructure that is adaptive to the needs of the business will win out over creating a truly “agile” security function.  How many times was the word “agile” used?  Not to mention the use of multiple vendors: how many people have trouble getting their staff trained on a few products from different vendors?  And if the ISO 27000 series keeps stating that people, process, and technology are the cornerstones of good management practice, and I keep changing technology, how much work did we just add to the people and process side of that equation?
