It is difficult to imagine an organization today that has not increased its reliance on information systems for everything from executive decision-making to customer service. In nearly all organizations, users rely on that increasingly complex technology environment more than ever before. While many companies boast of having the most advanced information systems, the security measures meant to control and protect them are not world-class. There is, thankfully, a growing recognition of the importance of information as a corporate asset, and with it a realization that information security can be a source of competitive advantage for organizations that choose to take it seriously.
The Business Model of Security presents a conceptual structure of operations for a centralized Information Security group within an organization. It details the services the group will provide, the technologies and functional roles/responsibilities needed to support each service, and the operational processes necessary to maintain an effective security program.
Because the Business Model of Security cannot operate in a vacuum, and the success of the program relies on many dependencies across organizational and IT functions, the model outlines key touch points between these functions, as well as the data flows and relationships necessary for the program to function as a comprehensive and integrated capability.
The Business Model of Security represents not another framework, but a comprehensive approach to effectively aligning information security operations to the business goals of the enterprise. It is easily customized to adapt to changing organizational needs, such as outsourcing, and can be easily adopted by organizations regardless of size, resource constraints, or industry.
This model has been taught to hundreds of organizations over the last 7 years, and continues to be refined and shaped by the generous input of thousands of practitioners across the globe. Without their continued support and feedback, this would largely be an academic exercise. It is only through continued dialogue with the community that this model has the actionable and pragmatic content and detail needed to be an effective means of managing security.
Managing Director of Research at Brightfly