How Information Security Can Help You Sell More Business

As an IT professional, have you ever thought of the Chief Security Officer function as an extended arm of the sales organization? Maybe you should. Whatever the title - CSO, VP of Information Security - these guys and gals can really help sell the benefits of doing business with your company. The number one value prop they can tell your existing clients and prospects - Here's why your sensitive information is safer with us than the competition. These guys can explain why. In today's competitive environment, with the increasing need to show differentiation and a unique value proposition, information security seems like a no-brainer to talk about. Here are a few tips for developing your Information Security Organization into a key differentiator for your company.

Sell Your Strengths: Think about your company's Security strength and sell it. Now, I'm not talking about giving away the keys the farm and talking about HOW you are doing things. That would defeat the purpose of having security controls in place. But the basic standard of keeping the bad people out and enabling the authorized people to securely do business has many interesting facets and there are many ways to achieve security. I like to call this the "art of information security" - What your company is doing + how they are doing it = differentiator. Is it a sophisticated physical security turnstile badging system leveraging the latest technology to reduce manual intervention? Is it enabling your company's regulatory compliance through cutting edge processes and technology? Whether you are in the business of securing bank account information, human resources files, medical records, or customer credit card information you can talk about what you are doing and how you are doing it that makes your Information Security Program a key in your company's ability to meet customer expectations.

Case-in-point, one of my clients, a Fortune 500 bank for high net worth individuals and corporations, has a world class Access Control program in place. Their Information Security group designed a set of Identity Management processes based on securely enabling business functions. To gain operational efficiencies in system access request and set up, they customized a leading IdM technology and automated much of their IdM workflows. Why is this important to a bank customer? The SVP of Information Security can tell you why. He can articulate the value that this brings to a bank customer in terms that are meaningful to a customer - Speed of access to critical account reporting applications AND the reassurance that only those authorized are seeing the account information. He's called on by relationship managers to help sell the value of doing business with this bank and communicate the edge this institution has over another. The SVP has the soft skills necessary to navigate a conversation with clients and prospects. And the instinct to know what aspects of the Information Security Program matter most to each client. These soft skills are really the differentiator for his company's Information Security organization. It's not just about what a security organization is doing but also about how they tie it back to meeting customer expectations.

Develop Your People: Let's face it, Information Security is technical. The people that are really passionate about security tend to be very technical. But when that passion comes out in a way that's easy to understand and meaningful to those on the receiving end you've got a value proposition worth telling would-be customers. The challenge is developing the soft skills necessary to communicate that value proposition. As an information security manager it's just as important to develop the communication and soft skills in your staff as it is to keep them technically trained and abreast of the emerging threats. These soft skills also come in handy when communicating to executives the funding required to execute your Security program goals and why they are important. I recently had the pleasure of hearing Sara Santerelli, Chief Network Security Officer at Verizon, speak at a conference in October. Sara spoke about the duty that information security managers have to articulate a security program less in terms of tactics and more in terms of long term strategy. This helps executive management understand the drivers, gains their support, and the funding necessary to execute. She also hit on the importance of alignment of your security plan with business goals and defining the trade-off between the cost associated with your security initiatives and the risk of not doing them. All of this articulation requires soft skills and big picture thinking.

Information Security is a compelling value proposition if communicated in meaningful terms to your customers. I would love to know how you are talking about your Information Security program and how it helps differentiate you. Comments welcome!

RBAC...Why Bother? 4 Reasons to Start an RBAC Program Today

Role Based Access Control (RBAC) is the process of granting people within similar job functions the same access to resources (systems, data etc..) required to do their job. The concept centers on putting into business friendly terms the logical grouping of resource access. These resource access groupings are called "roles". It's a daunting task when you consider all the various systems that can exist within an enterprise - there are the common applications everyone uses like email, the company portal, conference scheduling systems. And the one-offs that are very specific to performing a job function - HR payroll processing apps, CRM tools for Sales personnel, other business specific applications... So why do it? What are the benefits?

Simplification

The process of ensuring that new hires have access to what they need when they need it on day one is not easy. Often it requires several system set up requests before the right access is granted. Not to mention decomposing what someone else in a similar job function has access to. Wouldn't it be easier to have access automatically granted based on the job function someone is in? It's not an "auto-magic" process. There is upfront work involved in establishing the link between job function and system access needs. But once it's done (and the maintenance process is established) the on-boarding of new hires and department transfers becomes a lot easier and quicker.

Action: Get a sense for how much work you are in for. Look at a slice of the enterprise - one job function within one business unit or department. Analyze the system access granted to a few people within the same job function.

Consistency

Even if you know what access is required to do your job the process for getting that access established may vary. You make a phone call to so-and-so to get access to system A, send an email to a mail group to get access to system B, and submit a request through an intranet based system to get access to system C. Sound familiar? With all of these disconnected and differing processes for granting access, how can an organization know that the appropriate scrutiny is being applied to verifying who SHOULD have access to certain applications and information? Is the same approval required for all resource access? In an RBAC environment the role setup process is defined and can evolve as necessary. Based on the specific requirements of an organization the proper controls required for assigning access by job function area established and consistently applied each time that role is requested for a person. Ensuring the right level of approval is applied.

Action: Pick a set of applications and for each ask the question "Who needs to know who is accessing this application?". If the answer results in a Visio diagram, consistency is important.

Accountability

Central to an RBAC model is the governance. Governance takes the form of placing accountability for role definition with those most appropriate to validate what a role should have access to. For roles mapped to job functions that means accountability is placed within the business unit or department where that job function exists. Using business friendly terminology to link a system access permission to a job function is also key. Those accountable for making sure people in that role have what they need to need to understand what the underlying components of a role are.

Action: How easily understood is the system access terminology within your organization? Take one application and create business friendly descriptions to describe the access levels. This will kick start the analysis necessary for establishing a framework to maintain these business friendly descriptions.

Risk Mitigation

If it wasn't apparent already, all the of the above are risk mitigation tactics. The easier and more consistently something can be done, the more predictable the outcome. Predictability helps control risk. An RBAC model reduces the risk that inappropriate access is granted to or retained by someone that shouldn't have it. RBAC is a key control in information protection.

What benefits has your organization seen from an RBAC? implementation?