How can you significantly enhance the efficiency and effectiveness of your security program in a complex IT environment without a major investment in new products or processes? You may want to consider shifting your security-focused activities to an earlier stage in the development and deployment cycle. Removing your historical security silos and refocusing them on a synergistic approach can provide a relatively quick and cost-effective way to make the kind of risk mitigation impact you, as a security professional, are seeking.
Understanding and Mapping Silos
Security processes are often grouped and managed into what we call silos. This makes more sense than it may first appear. A security silo groups related functions into a set of tools and organizational processes for risk mitigation. This grouping allows for oversight and management by a dedicated team of security specialists who best understand how the tools and processes fit within the strictures of the organization.
Take a look around your organization. See where the key security functions are grouped and how they are managed. This is one of those exercises where flowcharting and graphing may be helpful. It will allow you to get a much better overall picture of how these important functions are organized and how they are overseen.
Ensure you take a comprehensive view of all your security-related functions and how they are managed. In addition to ongoing security operations, you will have to consider the initial policy development stage. Who sets your organization’s security policies and standards? Where are they codified? Do you have insight into how they are maintained and updated? Are there assigned roles and responsibilities to ensure existing policies still meet your risk mitigation needs? How are new policies considered and proposed for adoption? The answers to these questions will be key to seeking out how they are translated into protecting your company’s digital assets.
Now you have the challenge of finding all the functions that are either explicitly or implicitly assigned to the security elements of your organization. Where do all these policies find their implementation in your program? A detailed analysis will allow you to better define the security silo(s) and how they support the revenue generating functions of your organization.
Remapping for Synergy
Now that the hard work is complete, you may have made some very interesting discoveries. You now know where your silos come from and how they are manifested in the workplace. You should also be ready to see if there are areas for synergy.
The dictionary defines synergy as ‘the interaction or cooperation of two or more organizations, substances, or other agents to produce a combined effect greater than the sum of their separate effects.’ So synergy is not just reshuffling tasks or processes; it’s putting them back together in ways that increase their efficacy and impact. That’s the key point with synergy: not just doing it differently, but doing it differently to make a significant improvement.
In the security business, one of the key advantages of seeking out synergy is to spread the gospel of empirical risk mitigation throughout the organization. Some security professionals refer to that as a security culture. But culture is just the synergy of the entire organization embracing the precepts of your security policy and making it integral to their responsibilities, no matter where they sit on the org chart.
Too many articles on this Culture of Security theme, however, focus solely on hectoring company leaders and other managers to be more sensitive to your security concerns. That’s a quick way to earn a place on their Ignore list. Instead, look to move responsibilities for security around while providing the guidance and support to make it work for your business colleagues.
One proven approach is to start by working to implement security assessments earlier into the development and deployment processes. Instead of considering security as something to be ‘bolted on’ after your IT products and services are deployed, you may want to consider ‘baking in’ security earlier in the development cycle. You can expect support and buy-in for your risk mitigation efforts at a stage where you can make a greater impact and likely field a far better product for both your internal teams as well as your customers.
The Effects of Synergy on your Security Posture
When you seek to share responsibilities for your organization’s security posture through more equitable application of policy enforcement, you are well on your way to creating the culture of security without the need to arm-twist others. You are building the substructure of a new program that harnesses synergy rather than silos. No matter how strong and knowledgeable your security silo is, you’ll find innumerable benefits in sharing your responsibilities across all functions of your operations.
Ultimately, the responsibility for the company’s security posture will always lie with the executives charged with managing the risk to corporate assets. They can’t delegate that responsibility or try to assign it to someone else. However, you can have a far more synergistic (and more effective) program by using tools and processes to ensure every team and function is supporting the processes needed to implement the security policies you defined in your initial review.
Moving your organization from Silos to Synergy can be a rewarding exercise in redefining and reimplementing security roles and responsibilities across all functions of operations. The results can help you realize that definition of synergy: producing a combined effect greater than the sum of their separate effects.
When aligning your organization’s security posture towards synergistic approaches, consider Probely as an effective, automated, scalable, and accurate measure of security testing for your organization. Probely’s trusted DAST scanner automates and scales web application and API security testing so you can save time and resources and avoid false-positive fatigue by benefitting from our industry-low false positive rate of 0.06%.
John McCumber is a cybersecurity executive providing targeted guidance for industry and government initiatives. He also develops and delivers consultative support for CIOs/CISOs in the areas of cybersecurity, data management, privacy and analytics. He is a retired US Air Force officer and former Cryptologic Fellow of the National Security Agency. During his military career, John also served in the Defense Information Systems Agency and on the Joint Staff at the Pentagon as Information Warfare Officer during the Persian Gulf War.
In addition to his professional activities, John is a former Professorial Lecturer in Information Security at The George Washington University in Washington, DC and is currently a technical editor and columnist for Security Technology Executive magazine and a featured contributing writer at Ordinary Times. John is the author of the textbook Assessing and Managing Security Risk in IT Systems: a Structured Methodology from Auerbach Publications.