1. Trang chủ >
  2. Công Nghệ Thông Tin >
  3. An ninh - Bảo mật >

Chapter 4. Strategic Framework (Inputs to Strategic Planning)

Bạn đang xem bản rút gọn của tài liệu. Xem và tải ngay bản đầy đủ của tài liệu tại đây (4.25 MB, 348 trang )

54 ◾

Security Strategy: From Requirements to Reality

must be framed and solved in the context of the enterprise’s strategic drivers, which are derived

from a thorough environmental scan. From the combination of internal and external analysis, the

prioritized data can be filtered through a SWOT matrix to further refine the potential strategic


In this chapter, we will review the environmental scan (see Figure 4.1) and the following inputs:

Regulatory and legal influences

Industry standards

Marketplace and customer base

Organizational culture

National and international requirements (political and economic)

Competitive intelligence

Business intelligence

Technology environment and culture

Determination of business drivers

As the environmental scan considers each arena, prioritized business drivers will emerge that

help determine an organization’s future direction. We will also discuss the need to be future oriented in day-to-day security operations.

Environmental Scan

What business strategy is all about (what distinguishes it from all other kinds of business planning) is, in a word, competitive advantage. Without competitors there would

be no need for strategy, for the sole purpose of strategic planning is to enable the company to gain, as efficiently as possible, a sustainable edge over its competitors.

Kenichi Ohmae

An environmental scan is basically collecting information about environmental characteristics. Organizational scanning is crucial to organizational survival. Good environmental scanning

Environmental scan

Internal analysis


External analysis




SWOT Matrix

Figure 4.1

Environmental scan.

TAF-K11348-10-0301-C004.indd 54

8/18/10 3:03:55 PM

Strategic Framework (Inputs to Strategic Planning) ◾


practices help an organization adapt to its environment. In terms of organizations and strategic

planning, an environmental scan involves considering the factors that will influence the direction

and goals of the organization. An environmental scan includes consideration of both present and

future factors that might affect the organization since strategic planning is for the future, not just

the present. Environmental scanning often refers just to the macro environment, but we will consider it from its broader perspective and include industry, competitor analysis, marketing research

(consumer analysis), technology trends including new product development (product innovations),

and the company’s internal environment.

The importance of environmental information depends on Look for what’s missing. Many advisors can

the degree to which the success of the organization is dependent tell a president how to improve what is proor what’s going amiss. Few are able to

on its environment. In the business literature, the organization’s posed

see what isn’t there.

dependency on its environment is referred to as perceived enviDonald Rumsfeld

ronmental uncertainty (PEU). Gordon and Narayanan (1984)

identified factors that determine PEU. These factors include the

nature of the society, economic stability, legal stability, political constraints, and the nature of the

industry, the customer base, and the organization. We will consider several elements of PEU later

in this chapter.

An environmental scan is the gathering and analysis of factors impacting the strategic direction and goals of the organization in which you work. This includes both the current as-is conditions and the possible future states of the environment. The environmental scan should include

external factors such as markets (both current and potential), demographics, technology trends,

market trends and predictions, government regulations, or pending legislation likely to impact

your organization, as well as elements from the internal environment such as current architecture, infrastructure, personnel, organizational structure, and assets. The scan should include what,

if anything, is needed to accomplish proposed strategic plans and objectives (see the Technical

Environment and Culture section of this chapter). Business drivers can be determined and prioritized after conducting a thorough environmental scan.

Environmental scans should be conducted by groups or individuals over a specified period of

time prior to strategic planning work. Scans can take many different forms ranging from Bill Gates’s

ensconcing himself in a secluded hideaway to review white papers written throughout the year by

Microsoft employees to a dedicated team that performs a thorough environmental scan, generates a

market trend report, creates future (vision) white papers, does scenarios planning, and so on.

An element or subset of an environmental scan may be a competitive analysis that looks at

your organization’s strengths and weaknesses in relation to those of the competitors in that market space. The ultimate goal is to leverage your strengths and minimize your weaknesses to more

effectively compete in your selected market space. This information should be included in a typical

SWOT analysis for the organization. Although an environmental scan helps gather the information needed, a SWOT analysis sorts the information and prioritizes it for inclusion in strategic

planning. In the following segments of this chapter, we examine the major arenas security groups

should include when conducting an environmental scan.

Regulations and Legal Environment

In some ways, with the security challenges this country has faced, we have had to put in

rules and regulations for business to be able to sustain their growth and create jobs.

Wayne Allard

TAF-K11348-10-0301-C004.indd 55

8/18/10 3:03:55 PM


Security Strategy: From Requirements to Reality

Obviously, this arena is tremendously important for anyone working in the security sector.

The legal and regulatory arena is usually one of the primary business drivers for security groups

engaged in strategic planning, as exemplified by Microsoft’s troubles early on in this arena in both

the United States and Europe or Google’s more recent issues within China. The hand of regulation

has grown heavier each year as lawmakers continue to underscore the importance of security by

enacting new laws and regulations. A security group is bound to uphold and abide by the policies,

laws, and regulations found in this arena. In many organizations, tracking this constantly changing set of compliance requirements is a full-time job for the legal department, IT security, physical

security, and organizational leadership.

In the past decade, worldwide governmental changes in data security, privacy, and information

management statutes and regulations have been continuous. Enforcement has become a major

challenge for compliance and security operations. Many security groups are subject to an increasing number of audits from numerous external agencies without any additional budget to support

those efforts. Outsourcing is also impacting compliance requirements. Keeping current with proposed legislation that will impact your industry and having strategic plans in place to absorb those

impacts are critical to the responsiveness and flexibility of a security group.

A close examination of your organization’s internal audit process can also help provide

needed corrections in internal processes and procedures that regulate compliance. In order to

leverage internal audit processes for needed corrections to security controls and processes, it

is necessary to be able to defi ne for the internal audit team what constitutes an effective security control or process, and to determine which controls and processes are under security’s

governance. Too often, we have seen audit fi ndings relayed to security for correction where

the control or process in question is outside the purview of the security group (i.e., rightly

belonging in another organization). To fully understand the drivers for internal audit, be sure

to analyze the statutory, regulatory, industry, business partner, and external audit requirements as well. These will give you additional insight into the components of your organization

that are shaped or influenced by compliance. A thorough understanding of the regulatory and

legal environment will provide better data for analysis and the determination of the business

drivers for security. Another important arena for consideration in an environmental scan is

that of industry standards.

Industry Standards

Any time you sincerely want to make a change, the first thing you must do is to raise

your standards.

Anthony Robbins

Customer demands create standards in every industry. There seems to be a perpetual flow of

changing industry standards. One of the fields where standards are changing rapidly is, of course,

the IT industry. We now have higher standards for bandwidth, power, performance, reliability,

flexibility, integration, connectivity, real-time solutions, energy efficiency, and security. Standards

in industry after industry are changing at increasing speeds

Hold yourself responsible for a higher stan- driven largely by the development of new technology. Even so,

dard than anybody else expects of you.

standards typically lag technology developments by at least a

Henry Ward Beecher generation.

TAF-K11348-10-0301-C004.indd 56

8/18/10 3:03:55 PM

Strategic Framework (Inputs to Strategic Planning) ◾


We need to include industry or business partner regulations as potential inputs to environmental scans as well. Many organizations are subject to industry-specific regulations, for example,

health care and Health Insurance Portability and Accountability Act (HIPAA) or financials and

12 CFR 208.61 (Code of Federal Regulations for banks in the U.S. Federal Reserve System). Some

business partnerships may also be subject to specific regulations; for example, if you supply components to a partner that manufactures military equipment, your organization may be subject to

International Traffic in Arms Regulations (ITAR). If you are a global supplier, perhaps ISO 27001

is a required standard. The International Standards Organization’s (ISO) 27001 is an example of

a widely recognized security standard that sets the international standards in business continuity

planning, system access control, system development and maintenance, physical and environmental security, compliance, personnel, security group, computer and network management, asset

classification, and control and security policy. The American National Standards Institute (ANSI)

is an example of a national nonprofit organization that oversees the creation, promulgation, and

use of thousands of norms and guidelines that directly impact businesses in nearly every sector.

There are similar standards groups that shape, create, and enforce standards for each type of

security discipline from IT to every aspect of physical security. As in government regulation, all of

these elements must be considered in order to build an effective security strategy. Most industries

have external associations and other support organizations you can use (e.g., the American Bankers

Association) to identify existing standards and the minimum requirements for the industry.

There are also benchmarking standards that may drive strategic security initiatives for competitive reasons. It is important to determine the business-sensitive processes in the industry value

chain in order to better understand which industry standards are most relevant for the enterprise.

Business-sensitive processes are where the organization you support generates revenue and value

to your customers. By understanding these processes, the security group will be able to better

identify the security requirements and vulnerabilities associated with each business process. If

you don’t understand your industry’s value chain, or even know what a value chain is, then you

definitely need to get a handle on the value chain concept because it is a major part of the business

environment you are supporting.

A value chain is a basic analysis of an industry or business to identify the activities the organization engages in to develop competitive advantage and create value for the organization. Those

value-generating activities are what are defined as a value chain. Michael Porter in his seminal

work, Competitive Advantage: Creating and Sustaining Superior Performance, introduced a generic

value chain model (Figure 4.2) that captures a sequence of activities that are common across a

broad range of firms.

The value chain model is used as an analysis tool to determine the core competencies that

enable an organization to achieve a competitive advantage. A competitive advantage can be

achieved through efficiency, differentiation, and/or market focus. Organizations use this tool to

analyze business unit interrelationships and find opportunities for synergy, process improvements,

and cost reduction. Once core competencies are determined, many firms will source other activities in the value chain and focus on the core competencies that provide a competitive advantage.

As firms streamline their own value chain, they often begin to look at additional opportunities in



Figure 4.2





and sales



Value chain.

TAF-K11348-10-0301-C004.indd 57

8/18/10 3:03:55 PM


Security Strategy: From Requirements to Reality

coordinating upstream and downstream value chains with suppliers, partners, distribution channels, and customers into what Porter called a value system. Many retailers, automakers, petrochemical companies, and others have become masters at managing large value chains and systems.

Value chain analysis has been used to create dynamic systemic change in industry after industry over the past few decades. This analysis is typically part of an organizational strategic plan

that can affect many organizational strategic initiatives that the security group must subsequently

support. It is essential for security professionals to understand the value chains and systems that

their organizations support. You must be able to recognize and plan for the security challenges

that may arise as your organization moves into or expands its extended enterprise or value system.

Understanding external agency industry standards (such as auditing functions) and how they

impact the organizational value chain is equally important. Often, industry benchmarks have

already been established and these often become metric targets for the success of one or more

strategic security initiatives.

An industry benchmark, for instance, may be the average length of time that it takes a

security clearance to make it through a government clearance process. If the industry standard

is 18 months between clearance application and the granting of a clearance, and a competitor

has found a consistent methodology that moves that average cycle time to 6 to 8 months, a

security group must well consider making a 6- to 8-month cycle time their new benchmark for

a strategic initiative. The obvious reasoning behind moving beyond the industry standard in

this case is the productivity efficiency goals of the business unit the clearance process is serving.

The reduction of cycle time for a clearance by almost by two-thirds is a significant increase in


Another example of industry standards that impact a security group are changes to statutory

and regulatory requirements for suppliers. Security procedures may have to become more integrated throughout the industry global value chain as various legislative bodies change requirements in certain industries. An example is the requirements regarding controlled technical data

for any supplier that provides services for the U.S. (or any other country’s) defense industry.

Staying abreast of the regulations and finding creative solutions to conduct business across multiple cultures, legal systems, and businesses grows ever more challenging. As firms continually

move into global systems, the challenges for security to think globally and systemically also

increase. Many industry groups, alliances, and vendors help craft solutions for increasingly complex requirements.

Industry standards often lag behind what is occurring in the marketplace, as we have often

seen in the past with e-commerce standards, cloud computing, and social networking site, to

name just a few. When this occurs, security groups must use their own resourcefulness to find

answers to emerging technology questions such as, “What do I need to make my system sufficiently reliable and secure?” “Who can I trust to tell me what standards are required?” “What are

the minimum security requirements?” “Where are the current best-practice benchmarks?” As time

passes, industry standard security metrics become more available as various groups and agencies

begin to provide increasingly specific requirements.

In any security group’s strategic plan, industry standards are an important arena for consideration. The tensions between enterprise business drivers and security business drivers will become

more explicit as they are examined in light of regulations and legal environments, industry standards, and the expectations of the marketplace. For instance, there have been “brutal standardization” requirements for cloud-based IT infrastructure and management for companies that either

work in the government sector or supply information to it. The tension is driven by user expectations of governmental organizations to provide timely service and information, while enterprise

TAF-K11348-10-0301-C004.indd 58

8/18/10 3:03:56 PM

Strategic Framework (Inputs to Strategic Planning) ◾


architecture and conflicting governmental standards and requirements lag behind consumer

demand. Thorough investigation will help you better form your strategic plan to support the

enterprise environment in which your security group operates. Next, we will examine an important part of the overall value chain system, the marketplace–customer base of an organization.

Marketplace–Customer Base

The most beneficial type of partnering you can engage in is partnering with your customers. The benefits are compelling. You use it to gain customers, protect them from

predation by competitors, and to protect your profit margins.

Curtis E. Sahakian

Managing Director, Corporate Partnering Institute

Security services have both internal and external customers. In the past, security often was regarded

as a compliance or governance organization, and its organizational life took place behind closed

doors. The demands of organizational life in the 21st century have pretty much ended that role

except for some still very cloistered domains such as investigations and executive protection.

Today security groups face the same financial targets as other members of the organization:

pressure to reduce costs, outsource functions, and do a better job managing their business. Internal

customers are starting to ask the hard questions, “What have you done for me lately?” “Are you

managing your service like a well-run business function?” “Do the benefits you provide compel

me into partnership?”

The question facing security is the same one facing many other organizational functions. “Are

we a prime deliverer of security services, or are we moving toward a security services-integrator

business model for the delivery of security services and products?” Organizations have answered

this question in three different ways.

1. In-house security model

2. Security services-integrator

3. All security services outsourced

You retain the responsibility for all security services if you operate in the in-house model

for security services. This, of course includes maintaining customer satisfaction. As a security

services-integrator, an organization provides some security services and manages all contracted

security services for the enterprise. A security services-integrator has responsibility for establishing contract terms and conditions, as well as establishing and tracking all the performance metrics

required to monitor and supervise contractors. Finally, all security services may be outsourced to

obtain greater expertise and a greater range of services, or to decrease cost. Should security services

be outsourced, the institution retains the same responsibilities for security as if those services were

performed in-house.

The outsourcing of some or all security services can be a very painful change for a security

group, involving a number of major paradigm shifts, process reengineering, risk reassessments,

loss of in-house expertise, and so on. Once internal security functions are outsourced, security

leadership must carefully manage the transition with good communication about the reasons for

TAF-K11348-10-0301-C004.indd 59

8/18/10 3:03:56 PM


Security Strategy: From Requirements to Reality

the change, the future skills sets that will be needed (and those that won’t), changes to policies and

standards, and any new processes (e.g., a new security help desk).

By reviewing customer data and determining who your customers are, what they value, and

what their needs are, you can better position your group to meet or exceed those customer needs.

This helps you focus on business drivers and strategic objectives that matter.

We only have two sources of competitive advantage:

1. The ability to learn more about our customers than our competition.

2. The ability to turn learning into action faster than our competition.

Jack Welch

former CEO, General Electric

Organizational Culture

The greatest change in corporate culture—and the way business is being conducted—

may be the accelerated growth of relationships based…on partnership.

Peter F. Drucker

Determining the organizational culture in a security group, the business units it serves, and the

greater organization as a whole can be quite helpful in every phase of strategic planning. Carefully

analyzing cultural norms can help provide clues to successful deployment of strategic planning.

Cultures can vary widely from group to group in an organization. For instance, a security group

may serve one group that has a very structured, process-driven, inflexible, hierarchical risk-averse

organization, while another group is loose knit, entrepreneurial, globally savvy, flexible, informal,

and cutting edge. Moving forward with successful security implementation is going to require

different strategies in each culture, as a one-size-fits-all approach will seldom be successful. By

analyzing and understanding the ways the constituents of the organization interact and how they

engage each other, the security program can be tapered to gain acceptance in an organization and

thereby function more effectively.

This particular input to strategic planning is especially crucial for newly arrived security leaders to an organization, even more so if they come from an entirely different sector, for example,

from the federal government to commercial business. Learning to understand an organizational

culture that is in place is absolutely essential in providing strategic direction and leadership, especially if that direction is going to be new and different. We have personally witnessed newly hired

executives quickly lose traction in a new organization because they did not take the time to understand the new culture, and it was never long before they moved on or retired.

Another organizational nexus important for learning about a group’s culture is in mergers,

acquisitions, and/or reorganizations that now include the resulting mix of different organizations as part of the same group. Even with seasoned leadership in place, many missteps can

occur when a strategic plan is put into action without the leaders first garnering a keen cultural


Another pivot point for understanding cultural differences may involve plumbing or delving

into an existing organization for employee descriptors of their current culture. Security leadership

can also benefit from soliciting from employees descriptors of the organizational culture that the

employees would like to be part of. The organizational values held, behaviors exhibited, and shared

TAF-K11348-10-0301-C004.indd 60

8/18/10 3:03:56 PM

Strategic Framework (Inputs to Strategic Planning) ◾


mental models and beliefs are key to understanding a group’s culture. We have found individual

and group surveys and interviews to be helpful in gathering this kind of information. To get an

idea about corporate culture, listen to what people both inside We cannot enter into informed alliances

and outside say about the culture. Corporate culture is created until we are acquainted with the designs of

by the way people speak to each other and treat each other and our neighbors and the plans of our adversaries. When entering enemy territory, in

their customers.

order to lead your army, you must know the

Of course, we would be remiss if we did not mention know- face of the country—its mountains and foring the culture of potential competitors and other significant ests, its pitfalls and precipices, its marshes

swamps. Without local guides, you are

organizational threats such as the forces of industrial espionage, and

unable to turn to your account the natural

cyber criminals, and hackers in general. Understanding the cul- advantages to be obtained from the land.

ture and ways of potential threats is imperative for good strategy. Without local guides, your enemy employs

The reader will find many examples of utilizing cultural knowl- the land as a weapon against you.

Sun Tzu

edge of potential threats in the tactical chapters of this book.

National and International Requirements (Political and Economic)

Indeed, to some extent it has always been necessary and proper for man, in his

thinking, to divide things up; if we tried to deal with the whole of reality at once,

we would be swamped. However when this mode of thought is applied more

broadly to man’s notion of himself and the whole world in which he lives (i.e., in

his world-view) then man ceases to regard the resultant divisions as merely useful

or convenient and begins to see and experience himself and this world as actually

constituted of separately existing fragments. What is needed is a relativistic theory,

to give up altogether the notion that the world is constituted of basic objects or

building blocks. Rather one has to view the world in terms of universal flux of

events and processes.

David Bohm

Many business drivers for security are the product of national and international requirements. It is

critical to identify and understand the inputs relevant to your industry in order to build a strategy

and security program properly balanced between risk reduction and efficient operations. Much

of the external regulatory environment, external audit environment, and political climate of your

organization must be factored into your determinations in this arena.

The security requirements that arise from national and international requirements are tremendously varied and in various states of flux depending on the industry and global regions in

which you function. Some industry groups like aerospace have long-standing organizations in

both national and international segments that provide guidelines, requirements, and regulations

that will be input into security strategic plans.

Some international standards have been evolving in place for some time and have created

well-recognized standards for organizations such as ISO, which was discussed in the Industry

Standards portion of this chapter as well. Other arenas have emerging voices such as a new forum

for multi-stakeholder new policy dialogue, the Internet Governance Forum (IGF), or the World

Wide Web Consortium (W3W), which is the international standards organization for the World

Wide Web, or the nonprofit public benefit corporation, the Internet Corporation for Assigned

Names and Numbers (ICANN). ICANN is a not-for-profit public-benefit corporation with participants from all over the world dedicated to keeping the Internet secure, stable, and interoperable.

TAF-K11348-10-0301-C004.indd 61

8/18/10 3:03:56 PM


Security Strategy: From Requirements to Reality

Often, the key to newly emerging standards groups that may impact an organization is early participation to affect informed change within that standards organization.

Another nexus point for strategic planning is taking into account changing international security standards as a national organization moves into additional international domains for distribution of their products and/or services. Depending on the scope of the service or product that

will become internationally distributed and supported, the international requirements complexity

factor can be exponentially increased to the point of taking years to decipher all the additional


In each of these instances, keeping abreast of potential changing national and international

policy dynamics, participating in the policy dialogue where possible, and including potential and

emerging requirements in the input for strategic planning are important considerations for any

strategic effort.

Competitive Intelligence

It is now absolutely possible to decide to abandon traditional sources of information

like subscriptions, journals, closed databases and the like, and focus entirely on getting

all of your information for free from the Internet, all of the time from the Internet.

Marydee Ojala

Social Media for Competitive Intelligence Seminar

Another rich arena for data that may be included in an environmental scan is competitive

intelligence (CI). The Society of Competitive Intelligence Professionals (SCIP) defines competitive intelligence as

a systematic and ethical program for gathering, analyzing, and managing external

information that can affect your company’s plans, decisions, and operations.

Put another way, CI is the process of enhancing marketplace competitiveness

through a greater—yet unequivocally ethical—understanding of a firm’s competitors

and the competitive environment.

Specifically, it is the legal collection and analysis of information regarding the

capabilities, vulnerabilities, and intentions of business competitors, conducted by

using information databases and other “open sources” and through ethical inquiry.

SCIP’s members conduct CI for large and small companies, providing management

with early warning of changes in the competitive landscape. CI enables senior managers in companies of all sizes to make informed decisions about everything from marketing, R&D, and investing tactics, to long-term business strategies. Effective CI is a

continuous process involving the legal and ethical collection of information, analysis

that doesn’t avoid unwelcome conclusions, and controlled dissemination of actionable

intelligence to decision makers.

In essence, CI is the disciplined process of gathering and analyzing data in order to help business leaders make more informed business decisions. CI is gathered to determine the risks and

opportunities within a marketplace before they are obvious to the average observer.

Many multinational and global companies have been engaged in CI gathering now for

decades. Petrochemical companies, pharmaceutical companies, and manufacturing groups have

TAF-K11348-10-0301-C004.indd 62

8/18/10 3:03:56 PM

Strategic Framework (Inputs to Strategic Planning) ◾


long created their own CI units to protect against threats and market changes, as well as look for

opportunities. The question for an organization that engages in this type of intelligence gathering

is, “Do we perform this in-house, hire consultants, or do a combination?”

Both large and small businesses engage in regular and ongoing CI in order to make the right

market decisions, have viewer surprises, and help put competitive data in context. Small business

that can’t afford to hire outside consultants or don’t have full-time staff devoted to CI analysis will

often collect data informally from media such as newspapers, television, and the Internet, other

businesspeople, competitors’ staff, and competitors’ customers or clients.

Security groups are often required to focus protection efforts on thwarting illegal attempts

at CI like industrial espionage or theft of intellectual property. However, legal CI gathering and

analysis have become a cornerstone of strategic planning.

Business Intelligence

Collecting information about customers is relatively easy. Analyzing customer information for potential cross-sells, increased revenue streams, and improved service is

more challenging. But getting the information to the front line in a timely manner

and thus providing further competitive edge is proving increasingly difficult for many


Gerry Davis

Business intelligence (BI) is another term used for a similar type of information gathering

from a field of industry, and it may even be considered a core competency in some companies.

BI is the systemic analysis of historical, present, and predictive trends of business operations

of your own organization, whereas competitive intelligence focuses more on external data

from other companies and doesn’t necessarily rely on the same type of rigorous technologybased analytical processes used in BI. BI helps organizations obtain a better view and understanding of potential business trends to determine whether they are opportunities or threats.

A good BI system helps an organization to take action from a systemic data context. Many

consulting companies, Microsoft, SAS, IBM, Business Intelligence.com, and others, have

existing products and services that can assist organizations who wish to apply business intelligence analytics.

Technical Environment and Culture

If you think technology can solve your security problems, then you don’t understand

the problems and you don’t understand the technology.

Bruce Schneier

Increasingly, security is seen as a technology-driven function in

many organizations. Technology solutions are one of the “silver

bullets” from which many security promises are made. Many

security groups have a natural affinity for technology and have

spent their careers mastering the ability to ride the next wave of

TAF-K11348-10-0301-C004.indd 63

Technology is dominated by two types of

people: those who understand what they

do not manage and those who manage what

they do not understand.

Archibald Putt

8/18/10 3:03:56 PM


Security Strategy: From Requirements to Reality

technological solutions. Yet, security professionals are well aware that organizational security does

not result from technical infrastructure alone. The security of an organization’s assets requires that

all organizational employees work together to ensure a secure organization. Security issues are

business issues, not just technology issues, and should be framed as such. Moving an organization

from a compliance-based security model to a holistic model requires changes not only in technology, but also in the processes, people, and organization itself.

That being said, it is still important to review the technology arena for input into an environmental scan. The key is to not overemphasize the importance of technology in how the rest of the

organization perceives security problems. There are two major areas to consider in looking at the

technology arena: the technical environment (present and future) and the technical culture(s) of an

organization. The technical environment of the present is a survey of the infrastructure of deployed

technologies in place organizationally. A survey helps identify what systems are in place, the level

of sophistication of those systems, legacy systems that will need to be updated or replaced, and so

on. In a large and complex organization, this task can be a daunting one, for hundreds of thousands

of assets may need to be identified. This type of survey will often require security to coordinate

multiple departments to get an accurate assessment. There is also the question of “right” technology. Does what we are doing now make any sense? Are we really providing value for the enterprise?

Careful analysis of customer requirements and the benefits provided will help inform future technology decisions.

A future survey helps identify what technologies are likely to be employed, should be employed,

have convergence implications for security, and/or what potential cost/savings implications will

accompany those technologies. The technical culture(s) input is more a look at specific organizational subcultures that have developed as a result of supporting various technologies. This can be

extremely important later in strategic planning as communication and solutions are devised for

determining how best to accommodate those subgroups.

As increasing numbers of organizations begin to move toward more systemic approaches to

security, the technology drivers also began to shift. In a purely compliance environment, technology reviews tend to remain a functional security responsibility. The focus may be on increasing surveillance equipment and the like for security personnel to better monitor control access points and

information systems and to observe the behaviors of individuals on or adjacent to company sites.

As an organization moves toward a “commitment focus” for security, the technology requirements begin to shift as well. Technology is now evaluated for alignment with strategic objectives around likely reduced impact or disruption to organizational work flow, cost effectiveness,

reliability, and consistency. When technology changes are made, they are widely communicated

through the workforce in order to create a greater willingness to accept and use new technology.

Consideration is given to how security technology will impact the entire value chain system of the

extended enterprise. This requires designing technology systems and processes that create secure

but easy access to relevant information by all partners, suppliers, and customers.

An environmental scan typically includes all of the arenas we have considered so far in its internal and external analysis. From the arenas of regulatory and legal influences, industry standards,

marketplace and customer data, organizational culture influences, national and international

inputs, and technology infrastructure come the determination of business drivers. The forces that

are primary business drivers for an enterprise versus the security group may differ somewhat, but

it is important to understand both sets in order to effectively determine a strategic plan for moving

your organization forward.

TAF-K11348-10-0301-C004.indd 64

8/18/10 3:03:56 PM

Xem Thêm
Tải bản đầy đủ (.pdf) (348 trang)

Tài liệu bạn tìm kiếm đã sẵn sàng tải về

Tải bản đầy đủ ngay