I thought I would post this comment which I had about the direction of my work from a conversation on my “Security Management for Critical Infrastructure” LinkedIn Group. I would love to have your comments on this topic and any suggestions for my work. Feel free to join the group for more conversations as well.
My work not to create any kind of technical body of knowledge for a specific domain approach. I look at bridging the business needs to the implementation and management of Security by an organization. I would describe my approach as mapping the business models and needs for managing features and operations which are usually performed and evaluated by corporate executives down to the type of domain knowledge which is a focus of GICSP (and other credentials). The knowledge base for the executive community often has a limited exposure to technical terminology and the mindset of separating security into domains of similar technology is not the approach that business management content usually follows.
Mapping the business content and an understanding of how the business operates, to security features for that business need is where I focus. Two separations I have made for this are to look at “ways businesses use security” and “Security Management areas”.
As a design consultant working with product and support development these “Ways businesses use Security” are the categories in which each particular business would be looking for support. For certain business models a different set of these were more or less important. But when providing support and knowledge base in these areas to business leaders the light comes on. By first speaking there language then matching their needs to the technical domains just looks at the same types of things but in a way that different backgrounds of people relate to better.
Ways Businesses Use Security:
Protecting private sensitive information
Enforcing others to act in a manor desired by the business
Ensuring business actions were performed as desired
Restricting use of digital or physical property
Identifying trends and patterns of resource use
Restrict partnership and enforce use policies
Protect revenue channels
Monitor and notification of changes
Validate authorized and deny unauthorized digital entry
Detect respond and prevent incidents
Shield corporate computer resources
Monitor system, network, and data use
Check for malicious code or activity
Identify and repair potential software and system weaknesses
Verify effectiveness of operations
Track and verify ownership of property and data
Identify future trends patterns and risks
Attempt to locate weaknesses
Design new platforms to prevent future risks
Verify industry requirements are followed
In looking at categories of Security use in Business operations, they need to be able to make the security implementation work with the continued operations of business. Technical domain breakdown is great for taking a snapshot of knowledge surrounding an aspect which solves the problem to a sequence of engineering requirement needs. However business leaders think in terms of continuous flow. I would relate this to the difference in a balancing a budget vs. and operational cash flow model.
The second separation of business needs to security correlation I have put together looks at the business flow like the cash flow model, (how the moving train is managed). For this I have looked a series of management areas which can be focused on by the business leaders. These management areas cross many portions of the business and show how and where the technical domains link together across a business environment. Once again for business minded executives the light come on when you point out all the places where one management area touches different parts of their organization.
Security Management Areas:
User Access Management
Supply chain Management
–System Integrity Management
–Operational Security Management
Data Life Cycle Management
–Data Privacy Management
–Data Utilization/Analytics Management
I hope this helps to explain my efforts here, I am not trying to create a certification credential for someone to know the basics to understand the technical aspects for a job. I am looking to bridge the knowledge gap and help to manage the moving pieces of the business and relate where all of those technical domain pieces interface and have touch points across a business.