Security Strategic Context

The Security Strategic Context model, intended for use in security governance.

Organizations that rely on a decentralized security management approach to improve the flexibility of their information security and create a dynamic security posture will need to develop governance on how the organization is expected to identify business objectives for its information security and to ensure that relevant strategies to achieve those objectives are developed. Furthermore, security management will then need guidance on how to control and coordinate the operationalizing of those strategies in a security architecture consisting of security policies and security applications.

The way an organization develops and operationalizes its strategies is called that organization's strategic context. To provide governance at all levels of decision making, an organization will therefore need to develop a security strategic context suited to that organization. As current security standards and the literature on security governance provide little guidance on this concept, we had to develop a new security strategic context model from scratch.

Depth of Security Strategic Context

For the first dimension of our security strategic context model, we borrowed a strategic context model from IT governance. This dimension of our security strategic context model consists of five layers:

    Security objectives
    Security infrastructure
    Security architecture
    Security application needs
    Security investment and prioritization

These five layers extend the traditional three-layer model used in security management, which splits management into strategic, tactical, and operational issues. We believe that separating objectives from strategies, together with the explicit prioritization layer, will help an organization give more depth to its security strategic context. At the same time, there is extensive literature on the use of this model in IT governance that can help organizations tailor their security governance. The IT governance literature based on this model, for instance, addresses the need for diversity in decision making by setting up at least three separate committees.

Coverage of Security Strategic Context

Unfortunately, information security governance is considerably more complex than IT governance and will therefore need a more extensive strategic context model. In particular, the IT strategic context model we adopted does not explicitly address the most important aspect of information security: the need to ensure adequate coverage of every security domain. Hence, we extended our model with a second dimension, coverage. The number of layers in this dimension is not fixed and can be extended when circumstances change. Traditionally, at least the following layers will be present:

    Network Security
    Systems Security
    Physical Security
    Personnel Security
    Data Security
    Miscellaneous Security

The last layer, miscellaneous security, already indicates that additional domains needing attention can always be found. We leave it to the organization to decide whether a domain such as mobile security or wireless security is important enough to warrant its own layer or should be addressed within the existing layers.

More details on the above two dimensions can be found in our 2005 papers on security strategic context (Tan et al. 2005). Since then, however, I have extended our security strategic context model with a third dimension in response to the consistently prevention-dominated approach we found in our case studies. For now, I have called this third dimension "Control Balance."

Control Balance of Security Strategic Context

While many larger organizations now have an incident response capability, that capability will usually have been developed mainly to respond to major incidents. On the belief that the main approach to securing an organization's assets should be based on preventive controls, incident response is seen as something you do after your prevention fails. Very often, however, preventing an unwanted event is not the optimal security approach. A detection and response approach may be more cost-effective, and it can also make security harder to circumvent.

To ensure that an organization does not fall into the common trap of believing that security is about prevention only, security governance should emphasize the need to balance the controls used in information security across the following five categories:

    General Usage Restriction
    Proactive Damage Limitation
    Detection
    Response
    Direct Prevention

One of the potentially most cost-effective approaches to securing your assets is a general usage restriction on an asset, or on a system containing assets. The two best-known examples of this approach are trading off the availability of an asset for confidentiality, for instance by removing internet access or USB ports from a system, and hardening a system for one single application. The principle, however, can be applied in almost every situation, and ensuring that restricting the usage of an asset is considered before costly security mechanisms are added can improve the cost-effectiveness of your information security dramatically. Consider, for instance, a policy that prohibits the use of email for certain highly sensitive documents. Keeping such documents in a shared directory (or a document management system) and monitoring access to that directory is often preferable to having them dispersed all over the organization.
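The shared-directory policy above pairs a usage restriction (the documents stay in one place) with a detection control (access to that place is monitored). The following is an added example, not code from the article or its authors, of what that monitoring might look like: an access log for the restricted directory is checked against an allowlist of users, a working-hours window, and a list of actions that would move a document out of the directory. The log format, the directory path, the allowlist, the hours and the sample log lines are all assumptions constructed for this example.

```python
"""Added example: monitoring access to a restricted share of sensitive documents.

Illustrates the usage-restriction-plus-detection pattern from the text. The
log format, allowlist, business hours and sample lines are assumptions made
for this example; the article does not specify any of them.
"""
from datetime import datetime, time

# Hypothetical access-log format: "<ISO timestamp> <user> <action> <path>".
# Constructed sample lines for this example.
SAMPLE_LOG = """\
2024-03-04T09:12:31 alice READ /shares/board-papers/q1-forecast.xlsx
2024-03-04T09:40:02 bob WRITE /shares/board-papers/merger-memo.docx
2024-03-04T23:55:10 alice READ /shares/board-papers/merger-memo.docx
2024-03-04T10:05:44 mallory READ /shares/board-papers/merger-memo.docx
2024-03-04T10:06:01 bob COPY /shares/board-papers/merger-memo.docx
2024-03-04T11:00:00 carol READ /shares/public/holiday-schedule.pdf
"""

RESTRICTED_PREFIX = "/shares/board-papers/"      # assumed monitored directory
ALLOWED_USERS = {"alice", "bob"}                   # assumed allowlist
BUSINESS_HOURS = (time(8, 0), time(18, 0))         # assumed working window
# Actions that move a document out of the monitored directory defeat the
# restriction that the documents stay in one place, so they are always flagged.
EXFIL_ACTIONS = {"COPY", "EMAIL", "DOWNLOAD"}


def parse_line(line):
    """Split one log line into (timestamp, user, action, path)."""
    ts, user, action, path = line.split(maxsplit=3)
    return datetime.fromisoformat(ts), user, action, path


def check_access(ts, user, action, path):
    """Return the list of reasons this access violates the restriction policy.

    Accesses outside the restricted directory are out of scope and return [].
    """
    if not path.startswith(RESTRICTED_PREFIX):
        return []
    reasons = []
    if user not in ALLOWED_USERS:
        reasons.append("user not on allowlist")
    if action in EXFIL_ACTIONS:
        reasons.append(f"{action} moves data out of the restricted share")
    start, end = BUSINESS_HOURS
    if not (start <= ts.time() <= end):
        reasons.append("access outside business hours")
    return reasons


def audit(log_text):
    """Return (user, path, reasons) for every access that needs follow-up."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, action, path = parse_line(line)
        reasons = check_access(ts, user, action, path)
        if reasons:
            findings.append((user, path, reasons))
    return findings


if __name__ == "__main__":
    for user, path, reasons in audit(SAMPLE_LOG):
        print(f"{user} {path}: {'; '.join(reasons)}")
```

Run against the constructed log, the audit flags three accesses: the late-night read, the read by a user who is not on the allowlist, and the copy that takes a document out of the share. The read of a file outside the restricted directory is ignored, which is the point of the restriction: because the sensitive documents live in one known place, the detection logic only has to watch that place.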

The second most powerful approach to reducing the cost of security is ensuring that, when an incident does occur, the damage is limited. This can often be done through such simple measures as redundancy and compartmentalization. Proactive damage limitation has the additional advantage of dramatically reducing the cost of incident response, which includes recovery.

Only after these two control categories have been considered does the balance between detection and direct prevention become an issue. In our view, there is no security if there is no detection of incidents. And prevention, without detection of the potential failure of that prevention, is just a disaster waiting to happen.

There are currently no general guidelines we could develop to help organizations arrive at the right balance between the above five control categories; every organization will be different. However, adding this control balance as a third dimension of the security strategic context ensures that every level of the organization's security management will examine how changing this balance in each of the security domains can improve the return on the organization's security investments.
