Security has to evolve into something that supports business, rather
than the other way around, according to a senior member of the
technical staff at Carnegie Mellon University"s Computer Emergency
Response Team (CERT).
Security has got a bad rap in today"s enterprises, said Lisa Young. The
tendency is to want to start locking things down. This way security has
become something that disables, not enables, business, she added.
Young said this was still an area where boxes and technology ruled.
"Solving your security problems by buying another box is just wishful
thinking. But security is bigger than that," Young said. "As security
managers it"s up to us to elevate the profession, and include both
people, processes, not just technology.
She added that IT managers hadn"t thought of a way of incorporating
security as part of the business process. "People just haven"t thought
of security as a discipline that can be measured, managed and mapped.
It"s a new way of looking at it," Young said.
To simplify efforts to make changes to security strategy, Young"s
development team at CERT has developed the Resiliency Engineering
Framework (REF), which was launched last year.
It doesn"t compete with other frameworks, such as ITIL. REF
identifies enterprise-wide processes for managing operational
resiliency – including everything from training to compliance
management – and provides a structure from which an organisation can
start to improve.
"You can reduce cost, eliminate duplicate efforts and improve compliance efforts, for example," Young said
Deionized | Security Expert TÝM
| 