Security tools are often seen as silver bullets, but end up as “pitchforks in sheds”.
That is a phrase I first heard used almost 10 years ago in an enterprise that had invested millions of pounds in an asset management database, thinking it would solve all its IT issues, from release management to risk management to procurement cycles.
Of course, it was deployed without sufficient management buy-in from the relevant departments and without an understanding of the processes it would be required to integrate with, and of the costs of deployment and management.
Tools can be very useful if they are part of a wider project or programme, but this has to come as the result of a need, a set of requirements from across the business. Without this buy-in, a tool (for example, a pitchfork) just gets left on the shelf (or in the shed).
So how do we measure the effect any security measure is having on our enterprise?
First of all, we need good governance. This simple phrase is often underestimated or misunderstood, but it is the cornerstone of enterprise security. If you have a baseline you can reference consistently, risk management and metrics suddenly become repeatable and meaningful, and the executive buy-in you were lacking to start your project is now ingrained in policy.
Metrics do not just measure the effectiveness of technical controls, but of processes and people-based controls, such as awareness and training. Again, they should not be underestimated, because these are your tools for reporting back to the executives who have sponsored your projects, based on guiding governance.
Security could be described as managing human behaviour. That may include context, but only if the behaviour is already expected. The hype around context-based security is focused on context, rather than this behaviour. The marketing is technology-based, around the ability to create the required contexts, without knowing whether it is required or not – and whether the behaviour is expected.
Suppliers are scrambling to create technology that solves a problem that may not yet exist. The processes and people do not yet require the tools, and will not until governance is in place to change behaviour and, more importantly, how changes in that behaviour are measured.
Some enterprises are good at applying governance, measuring risk, implementing change in line with operational requirements, measuring control effectiveness and feeding this back into governance and compliance. But most are not.
Unfortunately for context-based security, it does not consider the business context of security, just the context of the users. Until this can be fully integrated into workflows and business process, via governance, it will remain a useful marketing point without a proper set of requirements.
Robert Newby is an analyst and managing partner at KuppingerCole UK
This was first published in March 2014