Over the last few weeks I have outlined several elements of Security Operations that are bubbling to the surface in my blog series “Next Generation Security Operations”. The series really focused on the reactive side of security management and a key theme was the connection between nuts and bolts security with broader processes. A key point I wanted to communicate was not only the need for companies to remain vigilant and evaluate the detective side of security management but also look outside of the technical infrastructure for inputs to improve the reaction time within Security Operations. As most of my readers are GRC Practitioners, this connection stimulated some interesting conversations I had with customers from the GRC side of the house and I hope made some of the same connections from the security side.
One element I did not spend much time on in the series was the proactive side of security management. Threat Prevention activities such as vulnerability identification, threat assessments and security intelligence coupled with the technical management processes such as configuration management and IT change control are an important part of ensuring your company is best positioned to fend off attacks. As IT security risks are growing more and more complex, companies face threats from a wide variety of sources – from criminal elements to state sponsored corporate espionage – exploiting an extraordinary array of vulnerabilities within business processes and technology. These compound threats result in substantial and often unrecognized business risk. A key strategy to deal with these challenges is to expand tactical IT security processes such as vulnerability identification into a more holistic risk management discipline by deploying a combination of threat prevention and detection capabilities driven by a business-oriented foundation to reduce IT security risk.
I like to term this as IT Security Risk Management rather than Threat or Vulnerability management since the objective should be to build more business context into the picture rather than just traditional vulnerability management. However, no one label truly captures the combination of these two critical components of holistic security management – Threat Prevention and Threat Detection and Response. Supporting those two major elements are processes to catalog IT assets, provide business context on IT assets, enable emergency response services and a whole host of other processes. To place a singular label on this major process is very difficult. At the end of the day, an organization needs to:
- Identify IT Assets and the business context and criticality of those assets;
- Implement proactive threat management controls based on vulnerability intelligence, testing, threat modeling and analysis; and
- Monitor IT assets, detect active threats and manage incidents and investigations.
As part of an upcoming online event, I am presenting an overview of these concepts. Rather than heading straight into the weeds, my presentation will focus on a framework to fitting these pieces together in a strategic fashion. For those of you in the GRC world, this is an excellent opportunity to get an overview of this considerable challenge facing security practitioners. For the security folks, the presentation can give you a higher level perspective of a long term strategy to communicate or position your security initiatives. I would like to invite anyone interested to check out this event given by BrightTalk.
https://www.brighttalk.com/summit/riskmanagement2013.
My presentation https://www.brighttalk.com/webcast/9219/70139 will be just one piece of this two day event. I hope to “virtually see” you there.
