A Different Point of View

We Believe That Security Exists in 3 Dimensions:

 

Practice of Security

Those controls that allow you to protect business assets, limit liability, and protect the public image of the business. These must include network-based, physical security, and social engineering controls.

Operations

Those activities that keep the business going, not just from a technology standpoint, but including lines of business (service delivery, manufacturing, customer-facing activities, etc.), support functions (HR, Finance, Legal, etc.), and the technology supporting business operations.

Risk Tolerance

The level of risk the business is willing to accept, recognizing that:

  • Security has a cost – it is an investment with a quantifiable return

  • Threats and their mitigation vary over time

  • Only the business can quantify the level of investment it is willing to make – but that decision must be made with an understanding of the exposure

Approached from the context of Risk Tolerance

Security must be approached from the context of Risk Tolerance and the robustness and reliability of the Operations sectors in the organization.

While much is written about robust procedures, strategic technology directions, standards, and secure software engineering processes, the reality is that most organizations tolerate a significant amount of randomness in the evolution of their technical architecture.

This randomness is generally further complicated by business users who understand the function that they perform but are not privy to the technology decisions that went into the design and maintenance of the systems that support them.

The resulting understanding gaps provide the chinks in the armor of security, privacy and operational integrity.  Consequently, you can’t discuss security and privacy without an understanding of operations from the viewpoint of both the end user and of the technologist.

“We adapted our assessment processes to look beyond the technology to see the real issues in data handling, operational robustness, the resiliency of the business process, and the ultimate security of the operation.”

“More Than Simply Defense...”

We deliver expert advice, effective plans, processes, and documentation to guide our clients to a posture better suited to achieving their goals.

Traditionally, people have viewed security and defense as more or less the same thing. In their eyes, security is nothing more than walling off important assets in order to protect them from danger and miscreants. In reality, however, good security is as much about the use of robust processes as it is about barriers and boundaries.

Typically, new technology is selected for its functionality and its applicability to a business problem. Hand in hand with the idea of first-to-market and efficient service delivery is the concept of sustainable, scalable, reliable operations, but that part of the vision often gets lost in the excitement of the implementation.

Security is not simply in the domain of technology – how the technology is operated and maintained and how the end-user interacts with the systems and applications are also key factors.  Successful attacks often rely on exploiting the physical and human elements of the target enterprise.