Why policies, products, people and processes matter to enterprise security

Take cues from the policies, products, people and processes that help your company succeed and maintain enterprise security.

I hear lots of security stories -- about massive security architecture projects, attempts to implement role-based access control, techniques for fighting viruses and spam, and so on. When you listen to as many stories as I do, the "best" often bubble to the top. In the spirit of this special issue of Information Security, here are my thoughts about what defines the best People, Policies, Processes and Products in infosecurity.

The best People are those who embrace the challenge of securing the business. Most security managers are having a tough time getting their arms around this whole "business view of security" thing. As security professionals, we're genetically programmed to anticipate bad things that might happen, and then work tirelessly to mitigate the risk. But now, business units and executives are leaning on security managers to justify their actions and budget requests from a business perspective. That's new territory for most security professionals.

Ultimately, cracking this nut will fix the most serious problems facing the entire security industry. As more security projects actually help make the company successful, our profession will build a reputation as a business enabler.

The best Policies are easy to follow, well understood, refreshed often, and enforced. I often hear complaints such as, "Nobody pays attention to our policies"; "They have no teeth"; and "Our employees forget the policies right after they read them." What's the problem here? The key to effective policy is simplicity. Using detailed, technical language or long, tedious explanations is a surefire way to fail. The best security policies are written in everyday language, have simple, to-the-point instructions, and are no more than three pages long. If we can't promote proper behavior in a couple of pages, we probably can't do it at all.

The best Processes are efficient and effective at the same time. It's one thing to have documented processes -- three-ring binders detailing every step. It's quite another to organize all security activities so they drive toward a common goal: the fulfillment of the company's mission statement. After all, isn't helping the business succeed why we do security in the first place?

Achieving efficiency means finishing projects in less time, for less money and with less effort. We commonly call this process "security architecture," but it's also an attitude. Our job isn't securing the network; again, it's our job to secure the business.

The best Products are those that we can't remember paying for. That's because we've gotten so much value from them that they've paid for themselves. The best product is the technology or service that helps us manage compliance with business and architecture goals, regulations, industry standards, and privacy and security policies. Sure, authentication (passwords, smart cards, biometrics), authorization (encryption, antispam, firewalls) and administration (Web single sign-on, identity management) are the fundamental building blocks of a security program. But if we assume bad things will happen no matter how diligent we are -- and we should -- audit, monitoring, recovery systems and compliance management become our most effective weapons.

The best People, Policies, Processes and Products produce the greatest benefits without excessive cost. They make the company successful -- building airplanes, selling insurance policies or performing medical miracles. "The Best" really make a difference, and without that someone or something, the company will suffer.

In infosecurity, obscurity and confusion characterize every sales pitch to every prospective customer. By striving to be the best in this industry, we'll revitalize sales, protect our company and articulate the value of what we do.

About the author:
Steve Hunt, PP, CISSP, is VP and research director of security at Forrester Research.

This was last published in December 2003


"The best People are those who embrace the challenge of securing the business. ... The best Policies are easy to follow, well understood, refreshed often, and enforced. ... The best Processes are efficient and effective at the same time."

I realize that the author provided detail underneath it, but those seem incredibly shallow to me. The one line I appreciated was "The best Products are those that we can't remember paying for." That one got me to think!

dunno. Seems to combine security through obscurity with something easily found by a port scanner. I suppose if the switch is easy to do it won't hurt.