Look, you’re probably thinking, designed things look great but I don’t need my security program to look pretty, I just need it to work. You designers can take your service blueprints, UX/UI, information architecture, graphics, and typography to our marketing team. Security Ops, on the other hand, is for serious people like us who deal with risk management, governance, controls, and audits.
To that I say, I get it, your IT and Security budgets are tighter, getting the right and competent security people is a chore, and the tools these days… each of them promises to do all-things-security but fails to deliver the basic feature you pay them for.
Audit, Remediate, Repeat
I’ve been there. I ran a sizable IT and Security operations for a 24/7 service provider for almost two decades. What bothers me the most is that even with the best tools, knowledge, and talent they have available, companies today still ran IT and Security operations the same old compliance way— Audit, Remediate, Repeat. No judgement, I did it the same way for most if it.
Now some companies implement Governance, Risk, and Compliance (GRC) systems as an attempt to get out of the vicious audit-remediate cycle to no avail. Implementing even the best GRC platform is an expensive, daunting and time-consuming affair. These projects end up being abandoned after a year, and the IT/SEC team is back to tracking spreadsheets with audit findings while spawning a bunch of security initiatives that seem to come from every direction.
Now, I’m not saying that GRC systems are worthless, companies just invest on them too early. GRC’s provide a centralized repository and inter-disciplinary workflows to ensure that stakeholders have access to the right information when performing the right processes. If only they have these figured out before implementation.
Security Design Disciplines
Information architecture (IA) - focuses on organizing, structuring, and labeling content in an effective and sustainable way.
What does Secure coding principles, Physical Security, Data Loss Prevention, and Data Backup System all have in common? They are all security related words that you will encounter in a conversation with an auditor. Followed by questions on what you do with them and what artifacts you can produce as evidence.
Without an architecture that defines the taxonomy and relationship between security concepts, providing security assurance is close to impossible.
Here is how our Unified Control Framework will define those terms:
Service Blueprints - A service blueprint is a diagram that displays the entire process of service delivery, by listing all the activities that happen at each stage, performed by the different roles involved.
If you’re wondering why your patching numbers don’t add up (or you don’t get them at all), chances are, your asset management and patch management processes are not in sync, and your governance function hasn’t performed the necessary 2nd line process to manage this issue to resolution.
Your security functions are supported by interwoven services with ownership requirements, data dependencies, and timing considerations. If you haven’t mapped out their value delivery streams, you cannot have assurance that they will produce the value you expect.
User Experience and User Interface (UX/UI) - encompasses all aspects of the end-user's interaction with the company, its services, and its products.
In IT and security, combining a clearly defined Information architecture with a mapped out service blueprint ensures that your processes exists to deliver value whether through efficient operations or risk mitigation activities.
UX/UI defines how stakeholders such as customers, users, executives, and your board of directors interact with your operational services and what value they can expect from each.
Design in Security
There you have it, three design disciplines you can apply in your IT and Security operations. Depending on the size of your organization, it can take 6 to 12 months to get all your Control Framework domains sorted out but at the end of it you can be assured of the following:
Easier and organized InfoSec Audits
Clear path to maturity on all security capabilities
Measurable risk mitigation capabilities and performance of control activities
We’re here to help
We implement control frameworks to get companies like yours out of the audit-remediate cycle. If you’d like more information or assistance on getting yours setup, feel free to contact us here.