How to Transform Today’s Information Security Programs

Information security today can be likened to a classic American sandwich – the BLT. Simply put, information security is not just about the technology. It’s also about the people who manage it and the processes built around it. Just as you can’t make a BLT without bacon, lettuce and tomato, an information security program is not truly effective unless the right people, process and technology are all in place.

The recent announcement of the Heartbleed bug was a perfect opportunity for organizations to scrutinize their existing information security programs. All too often, practitioners are responding to crisis after crisis and not thinking proactively about risk. People, process and technology are completely intertwined, and the result is either a proactive and agile risk management program or one that regularly succumbs to major security incidents.

It is clear that in an era of disruptive innovation and rapidly evolving threats, simply adding point solutions or working on incremental adjustments to traditional security approaches is no longer sufficient. A foundational change in information security is necessary to face today’s issues and prepare for tomorrow’s challenges. But what does an effective and forward-leaning information security program look like today?

Sponsored by RSA, the Security for Business Innovation Council (SBIC) combines the knowledge and vision of some of the world’s leading information security executives to answer that question in a three-part series on building a next-generation information security program. The reports deliver actionable recommendations on transforming security programs and practices to effectively manage the ever-increasing risks.

The information security mission is no longer just “implementing and operating security controls.” It requires greater visibility at a more granular level, and the ability to leverage that visibility and new analytic methods to deduce new insights into where the problems are. Today’s security programs include advanced technical and business-centric activities such as business risk analysis, asset valuation, IT supply chain integrity, cyber intelligence, security data analytics, data warehousing, and process optimization.

The very composition and characteristics of security teams are themselves in transition. The information security function has become a cross-organizational endeavor with the right security processes deeply embedded into business processes.  The right technologies strengthen and scale the organizations’ security talent.

Let’s go back to the BLT sandwich.  Remove any of the ingredients and you don’t have a BLT.  The same can be said for information security.  The right technologies will enable higher quality analysis and achieve better scale with the talent you have.  They can also help enforce and automate time-consuming processes.  Without the right technologies, you’ve simply got a lettuce and tomato sandwich.  Without the right people and process, you’ve simply got a side of bacon.

About the Author: Amit Yoran
