Security and the Business
The Need for an Adaptive Security Management Architecture
The adaptive security management architecture (ASMA) seeks to take advantage of existing security practices and build upon them to promote the value of security to the business and to ensure a meaningful security posture. The ASMA is as much about the business, and about the security organization operating as a business unit, as it is about security, risk, and compliance. It has many facets that work toward this end, including capability maturity, the delivery of security through services, and performance, security, and quality measurements that together ensure effectiveness and efficiency. Moreover, these characteristics of the ASMA provide clear visibility into operations and security, and that visibility ultimately translates into adaptability and into enabling the business.
Why a New Architecture?
Today, security is predominantly a collection of practices applied according to policy and standards to ensure consistency in meeting the overall expectations for managing risk and compliance. These practices are horizontal in nature: they are usually performed uniformly across the business and similarly across industries. In fact, most security organizations work very hard to ensure consistency throughout the environment, both to reduce the potential for gaps in compliance and to maintain enough uniformity to manage risk effectively.
The ASMA closes the gap between business needs and security needs, and redefines security in the eyes of the business so that it is seen as a valuable, enabling force. It does this by doing two simple and fundamental things. First, it exploits the sophistication that already exists within most security organizations today. Second, rather than fighting the drive for consistency that causes the divide, it embraces that consistency in the form of business intelligence and operations.
As security evolved, it produced a great many standards for applying security practices, and as previously discussed this brings a degree of rigidity and inflexibility. Beneath this, however, lie extraordinary capabilities to address virtually any scenario. We have all experienced a situation where the common approaches fall short and the "go-to guy" is called in to connect the dots. The resulting activities may be non-standard and unorthodox, but the ultimate goal is achieved. Essentially, the "go-to guy" understands everything that is possible and everything that exists within the organization's security realm as ingredients, takes the time to understand the need, and composes a solution that uses existing nuances to fine-tune security to the specific objective. Moreover, this is done in a manner that not only satisfies the business demand but also ensures the result has value in the larger security posture, such as for compliance and risk.
Finally, today's security architecture is a manifestation of standardization and stability, and it reflects an orientation toward controlling the business. Many security architectures implicitly assume a strategic direction for the business, which conflicts with the formation of such things as business and IT governance. IT governance is connected to the business in order to drive strategy and to determine how that strategy materializes in IT business services. Some security organizations have formed a tight bond with, and become integrated into, IT governance, but for many the conflict remains. The balance lies in security understanding the "why" of change. This is not learning about a change in order to dismantle or fight it, but rather fully understanding the business drivers so that security can plan more efficiently and, more importantly, respond effectively to the change.