When I first joined Microsoft IT, I was intrigued by the concept of offering security assessment as an optional service to the business. I was even more surprised to see how enthusiastically the business had embraced the concept. You see, like many security professionals, I came from an organization where information security was widely perceived as obstructionist and as a tax on the business.
I would later discover that offering IT security assessment services to internal business units is a constant balancing act, whose success hinges on the ability of IT to demonstrate and deliver real value to the business while helping the enterprise reduce risk and improve its overall security posture. Today, I will explore some of the issues you can expect to face when offering security assessment services to internal customers.
Striking the right balance between securing information assets and meeting business objectives should be at the core of the service and should drive the engagement and delivery model. This balance is all the more important here at Microsoft, where a culture of innovation and entrepreneurship often creates healthy friction between the development community and information security: the former is driven by customer demand for more features and deployment flexibility, the latter is bent on enforcing security policies and closing holes. This friction often leads to creative solutions and exposes new scenarios. That is a clear benefit, but only if the interaction between the business and IT is orchestrated properly through a set of services that recognize the needs of both parties and can provide meaningful feedback.
The key to addressing this problem is to provide services that capture, address and drive the focus on security throughout the System Development Life Cycle. These services should include design consultation, pre- and post-deployment reviews, and operational assessment and compliance. Other offerings should be aligned with key business processes such as procurement, fulfillment, supply chain management, etc.
A security service should also be able to strike a balance between serving the specific security needs of individual business units and those of the larger enterprise. For example, a client might want to remove antivirus software from its servers to improve application performance, or refuse to migrate from a legacy, unsupported application. While these requests might have legitimate business justifications, they run counter to what it takes to secure the enterprise. Another manifestation of this problem can surface during the process of prioritizing risks and allocating remediation resources.
Essential to the ability to deliver security as a service is ensuring that the organization has established security policies and a risk framework that provides a consistent way to manage risk (i.e. identify, assess, measure and prioritize it) across the enterprise.
Senior Program Manager
ACE Team – Infrastructure Security