Although vendor-written, this contributed piece does not advocate a position that is particular to the author's employer and has been edited and approved by Network World Editor in Chief, John Dix.
The current economic melee is forcing a corporate metamorphosis that, when combined with ever broadening security threats, presents information security groups with an opportunity to radically change their identity and value to the business.
To capitalize on the moment, security groups need to reassess their approach, add visibility and transform security's very role.
The timing is good because maintaining security during tough economic times is critical. Besides external threats that evolve even more rapidly in economic downturns, business slumps increase the probability of disgruntled employees striking out using intimate knowledge of corporate systems.
Risk is further exacerbated by the fact that, since the last economic crisis of this magnitude, companies have become far more reliant on information technology systems, which are now highly complex and essential to sound operations.
Your current security path represents existing programs, capabilities, processes, etc. The goal is to create a parallel path that influences existing practices and allows you to refine a new strategy without disrupting current expectations. In time, the new path will become a dominating force and take you in a new direction.
Step 1: Tuning the Approach
During the last decade security has been virtually defined by compliance. For many companies, it has been less about security than about ensuring that certain regulatory demands are met. Unfortunately, compliance does not necessarily enable the business or align with core initiatives, and on its own may not thwart debilitating attacks.
Understanding this, some security groups have strived to use compliance efforts to improve their security posture.
Unfortunately, not all companies see the value of such activities and instead simply see compliance as a cost of doing business.
You have to convert the security practices that fall under the banner of "mandated for compliance" into specific activities that resonate with the business. For example, a predominant force in business is time to market and the rapid conversion of investments to revenue generation. This can materialize as a new service, application, communication platform, network or alliance. The key to tuning your approach is to optimize security features to help the business move more quickly, reduce barriers or accommodate a requirement quickly.
Key to accomplishing this is institutional knowledge within the security group, and leveraging and combining resources in ways that benefit the business as much as they benefit security. For example: supporting secure coding practices through collaboration with the development team, optimizing standard builds so servers can be stood up more quickly, running security testing as part of performance testing, or using directory services to streamline access controls for a new partner.