
April 21, 2008

Listed below are links to weblogs that reference Operationalizing Security:

Comments

Michael Janke

In our large (20,000 employee) enterprise, the model that we designed is essentially what you describe. We believe that it works.

In our model, the responsibility for designing, building, deploying and managing secure applications and systems lies with the operational manager of the technology. The security group sets standards, acts as consultants, advises, mentors and works closely with the operational units to ensure that the units have a reasonable security posture and are compliant with necessary standards, rules and laws.

The security group keeps us (in operations and design) informed of the threat landscape, advises operations on what they'll need to be doing a year or so from now, and keeps tabs on the actual state of security within the operational units through internal security assessments and system reviews. Security handles most incidents, with operations in a support role, but operations runs the security monitoring and detection technology.

In the event of a conflict between security & operations, the security group holds the trump card (executive persuasion), but rarely has to use it. The environment is collaborative enough, and both groups have enough of a sense for the other groups pain points, that persuasion is rarely necessary.

The operational entities, in turn, consult with the security group on any new implementations and ask advice on the relative value of systems or technologies, but still assume ultimate responsibility for the implementation. But operations assumes responsibility knowing that security has a stake in the game and will back up operations in any eventuality.

I'd like to say that we paid a Burton consultant a couple hundred per hour to build the model for us, but we didn't. ;)

We simply decided that the persons implementing the technology are best able to ensure its security.
