Business Model for Information Security: Security right the first time


Meenu Gupta, Contributor
11.16.2009


ISACA celebrated its 40th anniversary in January by unveiling its newest product offering, the Business Model for Information Security. Affectionately known as BMIS, or Bismo to its developers, this model is focused on helping information security managers operate more effectively within their enterprises, and addresses many of the issues that affect the outcomes of security endeavors.

The Business Model for Information Security eschews the traditional, linear-thinking approach in favor of "systems thinking" and presents a holistic, dynamic solution for managing information security. As an alternative to applying controls to apparent security symptoms in a cause-and-effect pattern, BMIS examines the entire enterprise system, allowing management to address the true sources of problems while maximizing elements that can most benefit the enterprise.

Though this model excels at problem solving, it can do much more than that. Problem solving, however, does tend to be a struggle for many organizations, and here BMIS can be of significant assistance.

Abraham Maslow famously said, "When the only tool you own is a hammer, every problem begins to resemble a nail." Most organizations apply the same approach to problem solving, regardless of the nature of the problem: a little bit of self-protection mixed with a few excuses and a lot of "we can't."

Many times, management does not like to hear problems -- just the solutions. No opportunity for dialogue or discussion is afforded to the bearer of bad news. It is not atypical for an organization to fix a problem and forget about it. When the problem recurs, it gets fixed again -- usually the same way as last time. This results in recurring problems that can compound into systemic problems such as poor morale, poor technology implementation and a lack of adherence to policies, which in turn lead to data leaks and security breaches.

Systems-thinking perspective

Organizations reveal their character in the way they solve their problems. The act of problem solving is tied to the way people think and the organization's culture. Do people talk about issues openly? Or is it always behind closed doors?

BMIS views problem-solving from a systems-thinking perspective. It ensures that organizations first identify all stakeholder components and obtain a broad, systemic view of the problem, which may involve taking a deeper look at organizational processes and technical solutions.

Systems thinking is defined by the Field Guide to Consulting and Organizational Development as a "way of helping a person to view systems from a broad perspective that includes seeing overall structures, patterns and cycles in systems, rather than seeing only specific events in the system. This broad view can help them to quickly identify the real causes of issues in organizations and know just where to work to address them."

In this approach, one must clearly first define what is meant by a system. The human body can be viewed as a system. Each body part has its own functionality; together, however, they create the "human system," which behaves in its own unique way. In the real world, people most often focus on the "body parts" rather than the whole system.

The systems-thinking concept was utilized in 2005 by University of Southern California researchers Dr. Laree Kiely and Terry Benzel to develop a systemic security management framework under the auspices of the Institute for Critical Information Infrastructure Protection, with a grant from the U.S. government. The application of systems thinking to security management was quite innovative and appealing, as it allowed people to see security not as its own island but as a bigger part of the whole organization.

The resulting framework, also known as SSM, is a management approach to security that serves the extended enterprise, going well beyond the boundaries of the company to include not just people, process, technology and organization, but also partners, suppliers, customers and communities. It seeks to involve senior management and makes sure that the organization doesn't just buy security, it "buys into" security. Security in this framework is built around a set of core principles with the intent of ensuring an optimal balance among maintaining protections, sharing information and developing innovation.

SSM is the foundation upon which BMIS has been developed, with the concept of systems thinking preserved. While SSM was meant to be a framework with major concepts defined but not mandated, BMIS is a model with a well-defined structure and usability guidance.

Systems models vs. frameworks

It is important to understand the difference between a model and a framework. A framework tends to be built on variable concepts that need to be further defined by an organization. A model provides the structure and defines the interrelationships among variables. Organizations frequently use models to simulate real world situations and solutions.

The business model, as it utilizes the systems-thinking approach, helps organizations by identifying and focusing on all of the factors that may contribute to the problem. It also assists in the development of action plans that not only solve the problem but also establish a roadmap for proactively implementing an effective security management program. It is predictive as well, as it can accept existing organization data to provide a view of the future system.

BMIS views the system as an interrelationship of organization, people, process and technology. These are known as the "elements." These interrelationships define practically all areas of security concerns and include architecture, governing, enabling and support, culture, emergence and human factors, and are known as "dynamic interconnections." Each element and each dynamic interconnection has a definition. For example, the governing interconnection provides a way to support corporate governance by examining organizational processes within the context of governing the organizational system.

The elements and dynamic interconnections that form the basis of the model establish the boundaries of an information security program and model how the program functions and reacts to internal and external change. BMIS provides the context in which frameworks such as COBIT and information security standards come together. Together, they form a holistic and dynamic approach to information security that is both predictive and proactive as it adapts to changes, considers the organizational culture and delivers value to the business.

BMIS helps by establishing and examining dynamic interrelationships and leading to the right solution by way of the right diagnosis. More often than not, senior management's understanding of security issues is seriously deficient due to a lack of internal communication and goals alignment. Senior managers may view information security managers as spreading fear and uncertainty by highlighting potential threats. This results in a lack of commitment to information security initiatives. There is also a lack of security planning before implementing new technologies as organizations tend to work in silos and do not communicate across departments. Most importantly, there is a lack of alignment between the business objectives and the information security objectives as information security managers are rarely invited to senior manager meetings.

By helping to create balanced solutions that may involve improved communication and cultural changes, BMIS enhances an organization's ability to relate the critical influencing factors, including cultural, architectural, human, governance and support issues. BMIS does not replace the many sources of security program best practices. It does, however, provide a view of information security program activities within the context of the larger enterprise, integrating the disparate security program components into a holistic system of information protection.

BMIS has been introduced to ISACA's worldwide membership according to its tradition, which is to say, opening it up for discussion. During a presentation I did at an ISACA conference recently, I was delighted to witness the enthusiasm and excitement with which the model was received. ISACA values audience feedback and all attempts are being made to make the next version a robust and practical guide to be published at the end of 2009.

With renewed focus on cybersecurity across our nation, information security managers need tools that help them not just renovate but also innovate security solutions. Many innovators and pioneers have contributed to information security by developing standards and guidelines, creating domains of security and helping us choose the right technical solutions. With the addition of BMIS, information security managers, business managers and senior managers now have the tool to "do security right the first time" and address many management challenges proactively and creatively. It is time to think differently about our approach to security, and BMIS helps us do exactly that.

Meenu Gupta, CISA, CISM, is president of Mittal Technologies. Let us know what you think about this story; email editor@searchcompliance.com.

