CSO Focus on the Business

Most companies spend too much money on the wrong security projects. That is largely because business managers and security staff sometimes use the same language to mean different things. IT security staff generally use security terms and principles to describe minimizing technical threats with technical means. Business managers, on the other hand, are more concerned with the success and performance of a business process than with the underlying technology. By talking about security using technical terms, you will often leave business requirements unmet.

Security initiatives should be mapped directly to business needs, not motivated by assumed technical threats. The technical vulnerabilities that accompany internal network and business-to-business transactions may or may not pose any significant threat to a company.

The key to success in focusing security efforts on business value is effective communication between business leaders and IT management. Too often, business managers surrender strategic risk management decisions to IT staff incapable of properly assessing business requirements. As a result, those companies suffer greater risk exposure and higher costs of infrastructure overhead - usually funding an inefficient infrastructure driven more by technical innovation and novelty than by sound and conservative business requirements.

Authentication, Authorization, Administration and Audit

Instead, business and security managers should share a common language in order to map their respective needs to one another.

The four A's answer the following questions:

  1. Authentication: "Who are you?"
  2. Authorization: "What may you do?"
  3. Administration: "How do we manage the users and resources?"
  4. Audit: "What happened?"

If I am a business manager with an application that serves my customers, I need a few things. I need to know who is using my application with some degree of confidence. I need to make sure that they can do everything they need to do on that application. I have a lot of people doing a lot of things, so I need an easy way of managing it all. And at the end of the day or end of the quarter, I need a report saying who did what and what happened, so that I can improve quality of service, customer satisfaction, improve efficiency, and increase profits.

There. I just explained my requirements for all four categories of security, and I did not mention security once!

Authentication

IT professionals generally think of authentication as the domain of passwords, certificate authorities and single sign-on. But business managers don't have much interest in those technical aspects. Instead, authentication is all about knowing who is using their application - so that the manager can improve customer satisfaction, quality of service, etc.

Sometimes, a business manager needs to know the user's name as part of the business process. Other times, the business application only requires a valid credit card number. Sometimes, anyone in the named user's office is satisfactory, for example, if a doctor has the account, but anyone on that doctor's staff could perform tasks on the doctor's behalf. And sometimes, the high-value user must be identified beyond the shadow of a doubt. Concurrently, the business manager has costs in mind. The expenses associated with knowing the identity of a user should not exceed the value of knowing that user's identity.

From the IT manager's point of view, that business manager is simply describing qualities of authentication, and each may be mapped directly to authentication types. The figure below is a helpful tool for IT and business staff in mapping the degree to which the business manager or application truly requires the identity of a user, relative to the costs of the process. While not intended to be a scientific portrayal of the relationships between quality and costs of authentication methods, the chart does demonstrate the relative association of overall cost, user impact, value of the transaction and quality of the authentication.

[Figure: relative overall cost, user impact, transaction value and authentication quality of common authentication methods]

When considering the need for authentication - for knowing who the users are - business managers should consider the following:

  • Level: With what degree of certainty, or confidence, do you need to know the user's identity?
  • Value: What is the financial value or risk of a typical transaction or user session?
  • Impact: How much impact on the end user is acceptable? Consider that stronger authentication is often more intrusive on users or requires control of their workstations.
  • Cost: What are the relative costs of one authentication type compared to the next alternative?

By sharing a language of authentication, business managers and IT departments can communicate their requirements clearly. The business determines whether it needs to know the user's identity beyond a shadow of a doubt, simply needs someone's authorized credit card number or needs something in between. Then it decides how much expense or inconvenience to the user the process can withstand. With that information, IT can map the requirements directly to the appropriate authentication type and infrastructure.

These four points (level, value, impact and cost) should be part of every dialog between the security manager and the business manager.

Authorization

Similar to authentication, the term authorization means something different to business managers than to IT. Instead of indicating firewalls, antivirus and modes of encryption, in the business manager's vocabulary it refers to ensuring that users have easy access to any application or data they need. Business managers know how to identify the degree of authorization. Yet they cannot tell IT which ports to open in the firewall or how to construct the access-control list. Instead, business leaders should consider the following questions:

  • Level: What is the level or degree of confidentiality or integrity that specific data requires?
  • Value: What is the value to the company of the data being used by the application?
  • Impact: How much inconvenience, or how many limitations on access to data, can users be expected to tolerate?
  • Cost: What is the cost of an unauthorized leak of data in the context of a particular application, compared to the cost of protective measures?

Administration

Administration has the technical meaning of creating user IDs, changing passwords, establishing role-based profiles, provisioning those profiles to target resources and building subordinate administration hierarchies. Yet business managers don't want to be bothered with all of that. They use administration as a method of making sure that all the users have access to all their appropriate files and applications. To be sure that IT implements the necessary consoles, tools and procedures for managing users and their privileges to target resources, business managers should consider the following questions:

  • Level: How quickly after a user leaves employment should his or her access be suspended?
  • Value: Which corporate applications, besides the one in question, will the end user have access to?
  • Impact: To what extent are the users under corporate influence or control? (Can you fire or sue them, or deploy special client software?)
  • Cost: How much time or effort may be allotted to the administration of each user?

IT will take that information and determine the most efficient method of managing users and their privileges, given the requirements of all similar business initiatives. In other words, for economies of scale, IT may elect to build business process around multiple business applications. That may involve migrating to role-based administration, implementing automated administration tools and assigning subordinate administrators across the organization and business partners.

Audit

Business managers think of audit as simply a category of reports that answer the simple question, "What happened?" Those reports are very useful for making sure users are gaining access to all the resources they need in a timely and efficient manner, for confirming that quality of service is high, and for identifying which application glitches should be overcome.

Technical employees, on the other hand, pore over the details of obscure system-level events, seeking anomalies, rare hacks and other malicious behavior. IT staff will also deploy all manner of monitors, log consolidation devices, reporting consoles and alert mechanisms to find the lurking anomaly or threat - without regard to the minor risk that a threat might actually represent.

Business managers can help ensure effective auditing by considering the following questions:

  • Level: What types of information and detail should an audit report contain?
  • Value: To which business requirements or regulations must the audit report demonstrate compliance?
  • Impact: Who will use the collected information and how?
  • Cost: With what frequency should reports be generated?

Correspondingly, IT staff should take that information and consider the likelihood of threats to data as determined in the authorization section above. Audit measures should ensure that detection of likely malicious behavior and anomalies is appropriately efficient. At the same time, IT should be sure to provide the business manager with the most useful reports. There may be real-time auditing for certain classes of events and trend analysis for others.

TCO and ROI

When discussing the value of any security effort, the topic of ROI or TCO inevitably comes up. Consider the familiar debate: best-of-breed vs. single source. An adage I coined in the context of security many years ago is "good enough is always good enough." In other words, if the efficiency and effectiveness of one option nearly or completely meets your requirements, the additional advantages of having somewhat more potent features in a more expensive option are worth questioning.

The way to settle on one option or the other is a subtle matter of value. Value is net benefit in light of costs. TCO often distracts from understanding value. We become so hung up on the costs that we lose sight of the benefits. So think of it another way. The greatest ROI is often figured to be the greatest delta between cost and benefit. That is, for x cost, we get x+n benefit. The larger n is, the greater the return on investment. Unfortunately, that thinking, so common in TCO calculations, is misleading. It leads us to focus on costs, when all along we should be asking ourselves how to eke out as much benefit as possible for the money we have available to spend - in other words, value.

So, look at the benefits of one solution given your business and technical requirements. Then look at the benefits of the other. Remember not to become distracted by features and functions; rather, focus on your requirements and determine which option best meets your needs.

Then consider costs. You want as much benefit as possible, without overspending. (Of course, you may add one benefit to the list of the lesser-priced option - namely, that you would have some money left over to allocate in other ways. As I say, you may think of that as a benefit.)

In the end, you may determine that the less expensive and less functional option is good enough, and the money you save is an attractive added benefit. But our research shows that more often than not, a combination of the right best-of-breed products will yield the greatest benefits at greater long-term cost than single-source solutions, but still not be "too" expensive. In other words, the best-of-breed could have more value. Again, I'm focusing on what ought to be the prime directive, which is maximizing net benefit, not maximizing cost savings.

IT by itself is not in a position to assess business requirements. Ultimately, IT is a service provider that should deliver the technical requirements of the business side of the house. Without a common language and a way of mapping their understanding to one another, business and IT are prone to miscommunication - leaving corporate assets at risk. It is possible to talk about and implement security without ever mentioning the word and evoking the negative reactions. The four A's of security and the topics of level, value, impact and cost permit a dialog to attain efficiency and effectiveness.

Copyright © 2003 IDG Communications, Inc.
