1 Reply Latest reply on Feb 9, 2015 7:34 PM by Pete Chargin

    Security is not a business service: Problem Proposal

      Share This:

      Security is a critical element of IT service warranty.  Along with availability, capacity, and continuity of service, security is a component of warranty that is vital to the successful implementation of any IT service that is expected to meet mission or business needs.  Organizations have taken a shotgun approach to IT security and have piped IT security into several places within the organization.  You will often find disparate functional groups performing various regulatory and technical functions including Information Assurance, Cyber Security Operations, and IT Operations.

      The problem surfaces when the Information Assurance group and the Cyber Operations group do not understand that Security is not an IT service in itself.  Security is a warranty component of one or more IT services that support the business. Understanding this problem is the first step to uniting the groups to ensure the mission or business needs are met.  In order to do this it is absolutely vital that process, people and tools are aligned appropriately.  A unified approach and clear communications are also a factor.

      So what kinds of things can be done with tools, processes, and people to help tackle this problem?


      “Ever have IA send an email to IT operations (or the service line) with a list of vulnerabilities?)

      “Ever have Cyber put in a service ticket that said one of the business critical application had an active exploit”?


      Ok folks, open season on question.  Looking forward to discussion!



        • 1. Re: Security is not a business service: Problem Proposal

          I really like the idea of Security being part of the overall IT service warranty.  Just as IT is responsible for providing a service level agreement on performance and availability, security should be part of the contract between IT and the business. 


          It is difficult for IT to guarantee any specific outcome in terms of security, and so it would be natural for the security portion of the service level agreement to be along the lines of "We will provide the following security activities/services for this business service."  However, that doesn't necessarily help the business unit understand that amount of risk that they may be accepting.  This means that a strong dialog is required between InfoSec, IT Operations, and the business regarding security on each business service.  Having the security component of the service level would start that conversation.