Tales of unauthorised data loss via cloud deployments are seemingly an everyday occurrence. Why is this and what can be done about it from a business management perspective?
Before I go further, let us consider the business trends of recent decades, to put business security in its proper perspective.
- In the 1980s Toyota and other Japanese businesses introduced Total Quality Management, a concept in which quality was not a business cost added at the end of the production line to stop defective products reaching consumers, but a business value that could differentiate the product from its competitors' and win competitive advantage and higher value as a quality product.
- In the 1990s automation was likewise adopted to improve business value, not merely as a way to reduce cost.
- The 2000s saw businesses scramble to establish an internet presence in order to go global and reach new customers, not just advertise their brand.
- From 2010 onwards, digital and mobile apps are everywhere as businesses want customers to stay engaged while on the move.
- Is 2020 the start of the decade of cyber security, in which business data is secured not to avoid bad publicity or fines, but because being a safe, secure brand adds value to the business?
Today business security is often the province of the IT department and is rarely discussed at board level unless there is an issue. As discussed above, could cyber security instead be a business differentiator that is part of the business culture and business outcomes, part of its value proposition? Business security is largely governed by regulatory requirements and best practice; these are generic by nature, applicable to all situations and not based on business decisions about return on investment. They sit mostly in the expense ledger, managed by the IT department under an allocated budget, and are seen as a technology domain rather than a core business value. I should point out that this is not true of AWS, Microsoft Azure and other leading technology businesses, where security is the first priority.
How many businesses evaluate KPIs on IT investment, or audit unused or underused spend on software or hardware resources? Many businesses may in reality be technology businesses without realising it.
To move to a Secured Business Operations Model
Our starting point is to develop a Business Engagement Model, used to discuss holistically and across the whole business the right security posture and resilience to achieve the desired state of Secured Business Operations.
What does this look like?
Business Engagement Model
- What do you want to prevent? Unauthorised access, information leakage, unplanned failures, errors and fraud.
- What do you want to protect? Credentials and sensitive data; confidentiality, integrity and availability.
- What do you want to govern? Rules and controls, decision making, life cycle management, change management, job roles.
- What do you want the culture to be? Culture, awareness, transitions, management and operations.
- What do you want? Vulnerabilities, risks, expertise, dependencies.
From the Business Engagement Model it becomes possible to define and create a Secured Business Model. The diagram below shows the top-down flow and left-to-right movement.
Having set the questions that define the Secured Business Model, the next step is to define the domains that a Secured Operating Model covers.
Secured Operating Model
The Secured Business Model questions and answers form the framework upon which to build the Secured Operating Model. The Secured Operating Model covers:
- Business Management
- Operations Management
- Master Data Management
- Infrastructure Management
- Compliance Controls
- Risk Management
Four Part Action Plan
Creating the Secured Operating Model is an iterative process that cycles through four stages:
- Assess: quantify how developed the business already is in its management of risk, identify gaps, and set goals and objectives.
- Design: design capabilities, architect a solution, define KPIs and plan change management.
- Build: build and validate the solution and put it into operation.
- Operate: run the solution, measure the KPIs, identify areas for improvement and develop an action plan for the next iteration.
The Four Part Action Plan involves people, process, information and technology.
The business may think IT is responsible for security, but IT cannot set expectations, define capabilities, set KPIs or determine what risk profile the business should assume.