Enterprise Security Management


Abstract: Thoughts on the fragmented and disjointed nature of security management across business functions in the enterprise, and on how Enterprise Security Management, empowered by a broad knowledge base and facilitated by Six Sigma, can be brought into the mainstream of corporate strategic thinking.


Business processes are event-driven, end-to-end processing paths. Ideally, a process starts with a customer request and ends with a result for the customer, be it a product or a service. Business processes often cut across departmental boundaries, which are variously known as Management Operations, Business Functions, or Business Operations. Informally, business functions are marketing, human resources, research & development, finance, data services, and so on; formally, a business function is an ongoing functional capability of the business that is sustained over time. A business function is defined by the intersection of a core process with a business subsystem, and it applies resources to accomplish a particular kind of work in response to incoming work requests. A business process, by contrast, is a prescribed sequence of work steps intended to produce a specific result. It is initiated by a particular kind of event, has a well-defined beginning and end, and is usually completed in a relatively short period of time.

A business subsystem is a layer of either a product system or a resource system. It provides a coordinating mechanism that extends across all stages of a key business object's life cycle, coordinating the sharing of information, and the resulting actions, among the business functions associated with that object. Each such business function sustains the work capability associated with one stage of the life cycle.


A core process is a major business process that produces an enterprise response to a market-related event. Each Product Core Process is initiated by a Customer Market event and corresponds to a state in the company's product life cycle. Each Resource Core Process is initiated by a Supplier Market event and corresponds to a state in the company's resource life cycle.


Under the general concept of “Enterprise Management”, systems have been built to integrate cross-functional business entities and their associated processes in order to enhance productivity and competitiveness. Well-known examples are Enterprise Resource Planning (ERP) and Customer Relationship Management (CRM); the Information Age ushered in such initiatives to integrate business information systems. Among other things, these systems empower management to achieve operational goals, maintain high-quality results at optimized cost, and provide quality service to internal and external clients.


In recent years, some visionaries in the security industry have recognized that Enterprise Security Management has been left out of the equation. It has never had the visibility in corporate boardrooms that other business functions enjoy; it is, and has been, treated differently. Some say this is because security was seen as a physical or facilities-based appendage to the company. Others feel it is a consumer of resources within the firm rather than a producer. And in fact a security department may operate better as an unaffected third party when conducting its business within the firm. Whatever the historical reasons for its traditional, conservative nature, Enterprise Security Management is sadly lacking and misunderstood by executives, even at multinational corporations with some of the largest security budgets.


So the question is: what enables the idea of Enterprise Security Management (ESM)? The answer lies in the wide body of knowledge available to support the strategic use of ESM on the basis of data and statistics rather than abstractions. This knowledge, however, has never been aggregated across the enterprise, and consequently the semantics that go with it are never recognized as a valuable asset. This vision has been realized in the development of Securitydirector's Enterprise Security Portal (ESP), a platform that provides the distribution and management of content across the enterprise, from incident management to corporate governance. On such a platform, security immediately becomes a concrete, accountable business object.



As it turns out, many business functions are affected by events in the workplace. For example, security is usually called in as soon as an event such as workplace violence takes place. HR is usually responsible for hiring, and there is a noticeable difference between businesses that vet employees through HR alone and those that apply the measures a security department would take. More often than not, the guidelines that should follow from policies and procedures are poor or non-existent. Postmortems on incidents consistently bear this out, particularly where policies appear to be in place yet incidents repeat themselves. The ESP facilitates initiatives that address this gap, such as the “Employee Assurance” portlet.


Security departments are often not integrated into other business functional areas, for many reasons. It seems almost ludicrous in today's world that exclusions still exist, such as an IT department handling the firm's cyber-security entirely outside the corporate security department. This fragmentation is a logical result of the evolving nature of technological events within a context of unstructured operations. Enterprise Security Management can be the means to structure all these loose ends. But what makes the concept a viable proposition? First, the aggregation of data, plans, policies and procedures is a knowledge base yet to be harvested across the enterprise. Second, qualifying as an “Enterprise Management” system, as a validated implementation or deployment, requires measurable attributes, and usable hard data comes from applying the principles of Six Sigma to security operations. Used alongside other models, whether Total Quality Management or, in software development, the Capability Maturity Model, Six Sigma is the statistical basis that empowers the Enterprise Security Management system. And because, within the context of Six Sigma, a firm is customer-event driven, the term security takes on a whole new meaning. To secure the firm means to ensure its successful future on every front; being secure does not result from securing the technical infrastructure alone. The approach has to be mission-centric because the paradigm is now risk-based. ESM represents a mission-focused strategic security management process placed in the hands of the strategic drivers.


Strategic drivers gain control, and with it the realization that ESM is now a core competency within the firm. Before that realization, a security department may rely entirely on vendors to tell it what hardware and infrastructure to purchase, and the expenditure of limited resources is entirely out of the hands of the strategic drivers. The organization-centric approach to security management considers the impact of risks and their effect on the organization in order to determine which security activities and practices are best for it. Security is so inextricably tied to the organization's success in accomplishing its mission and improving its resiliency that it is in the organization's best interest to be competent at securing itself.


Risk management is a basic business function and must be done at the organizational level to be purposeful. This is not without its challenges! The organization must ask what it is trying to accomplish with its security activities and what benefits are to be derived. The organizational perspective is essential to determining these benefits and to setting appropriate targets for security. Risk management may also be driven simply by a need to meet regulatory compliance, in which case it is not a panacea for solving all problems or for elevating security into the spotlight of recognized, persistent business problems.


ESM is a conceptual way of viewing "the whole" while filtering out details about its parts, sometimes referred to as "seeing the forest for the trees." It recognizes the identity of "higher level" aggregate objects whose characteristics transcend those of their component parts. Aggregate objects such as IT Security, Logistics Security, Intellectual Property Protection, Workplace Safety, Executive Protection and Incident Management, to name a few, all have underlying component parts. Those component parts are the inputs to the Process Capability Calculations. In Six Sigma lingo this means measuring a sample of items or transactions from a business process and, from the sample, projecting the number of defects the process can be expected to produce in the long term. The defect rate, expressed as DPMO (Defects Per Million Opportunities), is part of the essence of Six Sigma. Expressing a business problem as a defect rate typically gives a more direct way to communicate with stakeholders, members of the project team, and the strategic drivers who use ESM.
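As an added worked example, not part of the original article, here is the process-capability arithmetic above applied to one security process: employee offboarding tickets sampled from a queue, with four completion checks per ticket serving as the defect opportunities. The ticket identifiers, check names and audit results are constructed for illustration; the DPMO formula, the sigma-level conversion and the conventional 1.5-sigma shift are standard Six Sigma practice rather than anything the article specifies.

```python
"""Six Sigma process-capability arithmetic applied to a security process.

Sample data below is constructed for illustration; it is not from any real audit.
"""
from math import inf
from statistics import NormalDist

# The checks an offboarding ticket must pass. Each check is one "opportunity"
# for a defect, so one ticket carries len(OPPORTUNITIES) opportunities.
OPPORTUNITIES = (
    "ad_account_disabled_24h",
    "badge_revoked",
    "vpn_cert_revoked",
    "manager_confirmed",
)

# Constructed sample: 25 tickets pulled from the queue and audited by hand.
# Tickets not listed passed every check.
SAMPLE_SIZE = 25
FAILED_CHECKS = {
    "OFF-0007": {"vpn_cert_revoked"},
    "OFF-0011": {"ad_account_disabled_24h", "badge_revoked"},
    "OFF-0016": {"manager_confirmed"},
    "OFF-0023": {"vpn_cert_revoked", "manager_confirmed"},
}

SIGMA_SHIFT = 1.5  # conventional allowance for long-term process drift


def defects_by_opportunity(failed_checks, opportunities=OPPORTUNITIES):
    """Count defects per check; a check name outside the defined list is a data error."""
    counts = {name: 0 for name in opportunities}
    for ticket, failed in failed_checks.items():
        for name in failed:
            if name not in counts:
                raise ValueError(f"{ticket}: unknown check {name!r}")
            counts[name] += 1
    return counts


def dpmo(defects, units, opportunities_per_unit):
    """Defects Per Million Opportunities for a sample of units."""
    total_opportunities = units * opportunities_per_unit
    if total_opportunities <= 0:
        raise ValueError("need at least one opportunity")
    if defects > total_opportunities:
        raise ValueError("more defects than opportunities")
    return defects / total_opportunities * 1_000_000


def sigma_level(dpmo_value, shift=SIGMA_SHIFT):
    """Short-term sigma level: z-score of the yield plus the drift allowance."""
    p_defect = dpmo_value / 1_000_000
    if p_defect <= 0:
        return inf       # no defects observed: this sample does not bound capability
    if p_defect >= 1:
        return -inf      # every opportunity failed
    return NormalDist().inv_cdf(1 - p_defect) + shift


def dpmo_for_sigma(sigma, shift=SIGMA_SHIFT):
    """Inverse of sigma_level; 6.0 gives the familiar 3.4 DPMO."""
    return (1 - NormalDist().cdf(sigma - shift)) * 1_000_000


def projected_defects(dpmo_value, future_units, opportunities_per_unit):
    """Long-term defect projection at the measured rate."""
    return dpmo_value / 1_000_000 * future_units * opportunities_per_unit


def capability_report(sample_size, failed_checks, opportunities=OPPORTUNITIES):
    """Roll the per-check counts up into the figures a steering committee would see."""
    by_check = defects_by_opportunity(failed_checks, opportunities)
    defects = sum(by_check.values())
    rate = dpmo(defects, sample_size, len(opportunities))
    return {
        "units": sample_size,
        "opportunities": sample_size * len(opportunities),
        "defects": defects,
        "dpmo": rate,
        "yield": 1 - rate / 1_000_000,
        "sigma": sigma_level(rate),
        "worst_check": max(by_check, key=by_check.get),
        "by_check": by_check,
    }


if __name__ == "__main__":
    report = capability_report(SAMPLE_SIZE, FAILED_CHECKS)
    for key, value in report.items():
        print(f"{key:>13}: {value}")
    # Projection for a hypothetical 1,200 offboardings next year at the measured rate.
    expected = projected_defects(report["dpmo"], 1200, len(OPPORTUNITIES))
    print(f"expected defects in 1,200 offboardings: {expected:.0f}")
```

On the constructed sample this reports 6 defects over 100 opportunities, a DPMO of 60,000, a yield of 94% and a sigma level of about 3.05; at that rate 1,200 offboardings would carry roughly 288 defects. The per-check breakdown is what makes the figure actionable: it points the remediation effort at the checks that fail most, which is the "component parts" view of the aggregate object described above.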


We believe this scales well and is congruent with the other Enterprise Management systems in place today. In fact, once this mindset is adopted, the firm begins to look at its vendors to ascertain whether they too employ Six Sigma. If you license a piece of software from a vendor that neither knows nor cares about Six Sigma, your firm automatically inherits every defect that ships with that product. The incidence of failures across 10 or 10,000 desktops becomes a significant financial concern as well as a degradation of the Product Core and Resource Core Processes. Embedded software in flight avionics may not tolerate even one defect; why should an enterprise desktop? Such licensing also gives no recourse for defect remediation, since the source code is not readily available.