Business-Driven Information Security – Part 1
Why you should consider overall risk – and every permutation of that risk – when developing your security architecture
Imagine the following conversation.
Customer: “We are launching a new product in our portfolio, and we need to sell more of that product.”
Vendor: “Then you need a firewall.”
This is probably a familiar scenario to many of you – customers and vendors alike. I would describe this as a flawed approach to addressing a problem statement.
But why? And if so, what would a credible approach sound like?
This is what I’ll be exploring in this blog series on successfully addressing information security and the approaches we can use to identify and deliver the right solution.
Let’s set the scene with a quick example of risk. Consider a house located in a dry, wooded area:
- The potential threat of a fire exists, irrespective of the materials used to construct the house, e.g. wood, concrete, brick, etc.
- The probability of a fire starting where the house is located – a dry wooded area – is distinct from the probability of the house itself catching fire and burning down.
- Looking more closely at the building material, a house made of wood is inevitably more vulnerable to fire than a brick-built house.
- Still focusing on the building itself – the likely impact of a fire will differ depending on the vulnerability of the building materials.
- A potential consequence of this is that the house is destroyed. Another is temporary homelessness for its residents, together with the financial impact, e.g. the costs of short-term accommodation and the replacement of essential items such as clothing.
It therefore makes sense to take precautions that minimise the potential impact of such an event.
This could include insuring the house against fire and/or installing a fire-suppression system. However, hiring a full-time fire crew to keep permanent watch on the house would not be reasonable, as over time, this outlay would exceed the costs associated with a fire.
Therefore, when implementing any precautionary measures, it’s important to know and understand your assets.
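To make the house example concrete, here is an added worked example (not part of the original post) that scores each precaution by the annual loss it avoids minus what it costs per year. All probabilities, impacts and control costs are constructed assumptions chosen only to illustrate the reasoning, not figures from the post.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Scenario:
    """One asset facing one threat. All figures are constructed assumptions."""
    p_threat: float        # annual probability a fire starts in the surrounding area
    vulnerability: float   # probability the house burns down, given a fire nearby
    impact: float          # total loss if it does: rebuild, accommodation, essentials

    def ale(self) -> float:
        """Annual loss expectancy: threat likelihood x vulnerability x impact."""
        return self.p_threat * self.vulnerability * self.impact


@dataclass(frozen=True)
class Control:
    """A precaution and how it changes the scenario it is applied to."""
    name: str
    annual_cost: float
    vulnerability_factor: float = 1.0        # 1.0 leaves vulnerability unchanged
    residual_impact: Optional[float] = None  # set when the loss is transferred (insurance)

    def apply(self, s: Scenario) -> Scenario:
        impact = s.impact if self.residual_impact is None else self.residual_impact
        return Scenario(s.p_threat, s.vulnerability * self.vulnerability_factor, impact)


def net_benefit(s: Scenario, c: Control) -> float:
    """Risk reduction bought by the control minus what the control costs per year."""
    return s.ale() - c.apply(s).ale() - c.annual_cost


def rank_controls(s: Scenario, controls: list) -> list:
    """Controls sorted best to worst by net benefit; a negative value is not worth buying."""
    scored = [(c.name, net_benefit(s, c)) for c in controls]
    return sorted(scored, key=lambda t: t[1], reverse=True)


# Constructed figures: a wooden house and a brick house in the same dry wooded area.
WOODEN_HOUSE = Scenario(p_threat=0.05, vulnerability=0.6, impact=350_000)
BRICK_HOUSE = Scenario(p_threat=0.05, vulnerability=0.2, impact=350_000)

CONTROLS = [
    Control("fire insurance", annual_cost=1_500, residual_impact=5_000),
    Control("fire-suppression system", annual_cost=1_000, vulnerability_factor=0.25),
    Control("full-time fire crew", annual_cost=150_000, vulnerability_factor=0.05),
]

if __name__ == "__main__":
    print(f"baseline ALE, wood:  {WOODEN_HOUSE.ale():,.0f}")
    print(f"baseline ALE, brick: {BRICK_HOUSE.ale():,.0f}")
    for name, benefit in rank_controls(WOODEN_HOUSE, CONTROLS):
        print(f"{name:26s} net benefit per year: {benefit:>12,.0f}")
```

With these assumed figures the fire crew cuts the expected loss the most yet ranks last, because its yearly cost dwarfs the loss it prevents; the same arithmetic is what should drive the choice of security controls for an information asset.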
Applying the same logic to information security
The importance of knowing and understanding your assets reminds me of the 3 rules of OPSEC (Operational Security):
Rule Number 1 says “Know your assets”
Rule Number 2 says “Know the threats to the assets”
Rule Number 3 says “If you don’t know the answers to the 2 rules above, the enemy wins!”
First steps to holistic security architecture
The SABSA (Sherwood Applied Business Security Architecture) whitepaper Enterprise Security Architecture – A Business-Driven Approach is a useful document. It outlines how many of us mistakenly believe that securing our information systems requires little more than working from a checklist of technical and procedural controls and applying the right security measures from that list.
It also offers a couple of useful analogies, for example, viewing security as a chain that consists of multiple links. As we all know, any chain is only as good as its weakest link; if one fails, the entire chain is broken.
For this reason, a holistic approach is essential when developing your security architecture.
Next time, I’ll explore this approach – and the second analogy – in more detail. This will set us on track to constructing a more credible approach to the flawed scenario I outlined at the start.
* Enterprise Security Architecture – A Business-Driven Approach: John Sherwood, Andrew Clark and David Lynas.