Successful business strategy is about actively shaping the game you play, not just playing the game you find.
-Adam Brandenburger & Barry Nalebuff

When you are first starting out in redefining how you are operating your security program in a customer-centric context, you need to think about a few key concepts familiar to any new business.

What business you are actually in?

Do you want to be perceived, and perhaps more importantly, do you want to operate, as the carrot or the stick? In other words, do you want to play the role of the enforcer or the motivator/enabler? All too often our profession seems to lean towards that of the enforcer. Or, in many cases, more like a first responder. We have historically been very reactive in our approach to managing security. As a matter of fact, we have built entire product areas on managing event streams for purely reactionary purposes (like the IDS and SIEM markets).

While these are worthwhile monitoring concepts and shouldn’t be ignored, there is a vast ocean of untapped opportunity around a more consultative and proactive approach.

Who are your customers?

Just like a start-up, you need to identify who in your organization (and in some cases, those beyond your organization) are your customers. Don’t forget to include those parties that you only see occasionally, such as external auditors, and possibly even suppliers or other business partners. Your information can be a valuable part of their engagement with your organization as well.

This is a critical component to deciding the next step, which is what services and products (i.e.; packaged information for decision support you are offering and how best to ensure that it is useful to the recipients.

Choosing your product and service mix.

Now that you have decided who would be consuming your value-added information, it’s time to identify what makes up your product and service portfolio. A good place to start is to look at the controls spreadsheet that your internal and external auditors use to track the control objectives and activities they are responsible for testing.

While it isn’t a comprehensive set of controls for your security program, it is the minimum set of functions that you should look at for building out your business model. It also comes “pre-loaded” with a target market and allows you to start building a rapport with the consumers of the information you are providing so that you can make sure that you package it correctly and deliver it in a manner that makes it easier for them to use.

As always, your feedback is greatly appreciated. Not just on how this site can be improved, but also what other content or ideas you’d like to see in the curriculum or content on this site.

The post Desigining the Security Business appeared first on The Business Model of Security.

As the manager of “ME, Incorporated,” you are in the B2B space. Your customer is your employer. If he doesn’t buy your services, you are out of a job. Your employer’s employers are his customers. If they don’t buy his products, he is out of business… And so are you.

via The Only Way To Raise Your Salary | LinkedIn.

The post What kind of value do YOU bring? appeared first on The Business Model of Security.

A well-defined business model should clearly articulate your function in the market, including how you make money, what inputs you depend upon, who your target customers are, and what value you are creating for them. It is a structural representation of how your business functions that concisely articulates what opportunities and challenges you will encounter with this business. If your business were a black box machine, this would be the instruction manual.

via 7 Business Model Personalities | Inc.com.

The post If your business were a black box machine… appeared first on The Business Model of Security.

The ongoing collection, analysis, and review of attempted and/or successful compromises at the network, platform, data  and process levels.

Process Overview

The purpose of the Threat Monitoring Process is to standardize and explain the processing activities and steps involved in monitoring threat conditions to organization information assets.

Supporting Technologies

• Network threat detection software/hardware.
• Platform threat detection software/hardware.  Limited support through platform event logging.
• Application threat detection through application event logging.
• Centralized threat report repository software/hardware.

Process Dependencies

• Help Desk/Problem Management
• Data Center Operations
• Network Operations
• Contingency Planning/Disaster Recovery

The post Threat Monitoring appeared first on The Business Model of Security.

What business you are actually in?

Do you want to be perceived, and perhaps more importantly, do you want to operate, as the carrot or the stick? In other words, do you want to play the role of the enforcer or the motivator/enabler? All too often our profession seems to lean towards that of the enforcer. Or, in many cases, more like a first responder. We have historically been very reactive in our approach to managing security. As a matter of fact, we have built entire product  areas on managing event streams for purely reactionary purposes (like the IDS and SIEM markets).

While these are worthwhile monitoring concepts and shouldn’t be ignored, there is a vast ocean of untapped opportunity around a more consultative and proactive approach.

Who are your customers?

Just like a start-up, you need to identify who in your organization (and in some cases, those beyond your organization) are your customers. Don’t forget to include those parties that you only see occasionally, such as external auditors, and possibly even suppliers or other business partners. Your information can be a valuable part of their engagement with your organization as well.

This is a critical component to deciding the next step, which is what services and products (i.e.; packaged information for decision support you are offering and how best to ensure that it is useful to the recipients.

Choosing your product and service mix.

Now that you have decided who would be consuming your value-added information, it’s time to identify what makes up your product and service portfolio. The best place to start is to look at the controls spreadsheet that your internal and external auditors use to track the control objectives and activities they are responsible for testing.

While it isn’t a comprehensive set of controls for your security program, it is the minimum set of functions that you should look at for building out your business model. It also comes “pre-loaded’ with a target market and allows you to start building a rapport with the consumers of the information you are providing so that you can make sure that you package it correctly and deliver it in a manner that makes it easier for them to use.

Here is the slide deck that accompanies this portion of the Competitive Compliance curriculum we have developed. Feel free to spread the link around, or even download the PDF of the deck if you find it useful. As always, your feedback is greatly appreciated. Not just on how this site can be improved, but also what other content or ideas you’d like to see in the curriculum or content on this site.

The post Creating the Security Business appeared first on The Business Model of Security.

The post Defining Security Strategy appeared first on The Business Model of Security.

Technology has moved to center stage as a partner in business enablement, and has brought along its associated risks.  IT and IT Security see massive changes daily in the very nature of the capabilities and services they provide.  Transformative changes and their resulting risks and benefits impact the business enterprise overall.

What changes?  EVERYTHING. This is a paradigm shift far greater than that of changing from mainframes and terminals to desktop computing. Potential anarchy lurks, and security risks change hourly.  IT Security can no longer manage risk in a vacuum.  The risks to IT Security are the risks to the enterprise, period.

It is imperative now for the Language of Risk to be a common element between Business and IT Security.  Each of these transformative changes in IT brings the potential for competitive advantage, cost savings and economies of scale.  The security risks bring potential for financial ruin, loss of reputation and regulatory fines.  Technology evolves, but it is past time for IT Security and Business to define what is essential, the security and availability for the resources required to do business.

We need a common lexicon.  We need “The Language of Risk.”  Let’s talk.

Here is the opening set of slides from the (ISC)² 2010 Security Leadership Series on Competitive Compliance which outlines how thinking like the business leads to improved communication between parties on risk.

The post Language of Risk appeared first on The Business Model of Security.

Tom understands what makes people tick, and more importantly how they can tap into that energy and change how they are perceived and valued within their organizations. By drawing parallels between our daily grind as white collar professionals and the work of “traditional” professional services firms such as those in advertising, legal, accounting, and other disciplines, he weaves together a model that each of us can use to great advantage in our day-to-day work.

If we choose to.

Tom’s fundamental understanding of the PSF boils down to three simple axioms. Here they are, in his own words:

The Professional Service Firms. “PSFs,” as I call them, sell one and only one thing: Creative Intellectual Capital.

PSFs depend on one and only one thing: Superb Client Relationships.

The PSF bedrock consists of one and only one thing: Superior, Animated, Creative TALENT … dedicated to…EXCELLENCE.

As security practitioners, we have been stellar at understanding and trumpeting the first point, often to our very own discredit. You see, we tend to imbue the information security universe with a certain mystique, an air of the supernatural.

Unfortunately, it has backfired, and something fierce.

In creating this atmosphere of complexity and high-tech mumbo-jumbo, we have alienated our stakeholders, the very people we are supposed to be educating and working with to manage risk. Perhaps it’s our IT backgrounds, or the glut of TLAs (three letter acronyms) in our field that have built this Tower of Babel. The root cause is irrelevant; the end result has stayed the same. We have destroyed Tom’s second point, often before we even realized it. Our “client” relationships are in shambles. We don’t have a seat at the big table. We aren’t taken as seriously as we would like, or feel that we deserve to be.

And despite our focus on Tom’ s third point, the fresh and exuberant talent we bring in gets poisoned by our own jaded worldview. We are destroying the future of our profession, one new hire at a time.

Thankfully, this trend can be reversed. All it takes is a fresh look at how our operations are run, and how we choose to measure our success.

You can just click here to jump to Amazon and pick up a copy of Tom’s book, “The Professional Services Firm 50“.

If you’re the impatient type, and just want the highlights, then click the button below to download “PSFs Are Everything”, the e-book he has been gracious enough to allow us to redistribute.

Get Tom’s Paper

The post Information Security as a PSF appeared first on The Business Model of Security.

The increased corporate regulation brought about by the Sarbanes-Oxley Act of 2002, and the increased demand for legal compliance programs, coupled with the trend in using litigation as a tool for business reform, have increased organization’s regulatory obligations. This increased scrutiny means that legal and regulatory issues may be one of the most important determinants in a organization’s external operating environment.

Compliance is quite possibly the last great source of untapped competitive advantage available today.

To download the latest research from University of Connecticut Asst. Professor Robert C. Bird, the paper that started it all, click below.

Get The Paper

The post Law, Strategy and Competitive Advantage appeared first on The Business Model of Security.

The activities that support the creation, production, sales, and delivery of a product or service are the fundamental constructs of competitive advantage. The term operational effectiveness is Porter’s way of describing how an organization performs these activities better (read as: faster, cheaper, higher quality, etc.) than market rivals. As we have discussed in presentations across the US, it was through operational effectiveness that Japanese companies, most notably the auto makers, dominated the US in the 1970s and 1980s. They used practices many of us are already familiar with, such as  Total Quality Management (TQM) and Six Sigma. Make no mistake, companies can gain tremendous advantages from operational effectiveness, but from a competitive standpoint, the best practices developed in this vein can be, and often are, easily emulated by rivals.

As the market begins to shift, adopting the same or similar best practices, the competitive advantage is eroded. Porter refers to this phenomena as the productivity frontier. The productivity frontier is a function of the application of the best technology, skills, and management techniques available to the organization and is the high water mark of value attained through this method.

As more and more companies adopt these operational effectiveness and efficiency measures, they become less and less differentiated. The marketplace then is essentially rebalanced, favoring no single player and reducing the past gains to simply a barrier to entry in the market.

As Porter sees it, the only way to achieve sustainable competitive advantage, is to do different things or to do the same things, but in a different fashion than your competitors.

What are you choosing to do differently?

The post Competitive Advantage Defined appeared first on The Business Model of Security.