An often overlooked risk for CSOs is the security technology management process. Security technologies present risks to the enterprise that must be managed. Security applications aren’t inherently secure; installation practices that stem from deficient standards can open up holes; and lax logical security practices and proprietary, end-of-life components are all risks to the enterprise. The bottom line: managing security technology is a complex problem for security leaders today. Mobile technology, cybersecurity concerns, and dynamic and disruptive technology being introduced into the security technology stack are all factors that warrant technology planning. Our industry is coming to the conclusion that security technology planning should be enabled by, and conducted within, a framework we call Enterprise Security Risk Management (ESRM). The vendor community needs to respond by aligning its services. We call this emerging ecosystem and its best practices Security Risk Management Services (SRMS).
As an example, video surveillance is a tool within the security program. It is often left to age into neglected, legacy technology that the manufacturer eventually declares “no longer supported.” This situation is common and poses a variety of risks to the enterprise: increasing capital and operating expenses as breakdowns occur more frequently; diminishing parts availability, coupled with fewer qualified engineers and technicians to service the system; and non-correctable security flaws exploitable by a growing number of bad actors.
Within the SRMS context, this situation would be addressed by the development of a Security Technology Roadmap, a tool that provides a business case with the following objectives:
Provide a framework to migrate the video system from its current technology stack (the end-to-end video system components), and provide an approved security technology management process that ensures system security and performance are maintained across the video system life-cycle and components are updated within a structured framework.
For example, an SRMS process would not just superficially consider replacing an analog system with an IP-based system, but would encourage each discipline to bring its unique perspective to bear, with the presumption that it aligns with the CSO’s definition and measurement of risk. The Information Security leader ought to mandate the application security scorecard for the video management system (VMS). The Network Architect should set the network standards. An Enterprise Application analyst would be focused on the hosting and application performance management program to support the VMS. An SRMS approach brings the best in-house and third-party expertise to bear and focuses on the ideal systems design and performance measures.
An SRMS roadmap for video surveillance generally includes four phases:
1. Planning and Preparation: Forming an SRMS-based guiding coalition, defining the scope and roles, selecting key stakeholders across the entire ecosystem and creating an inventory baseline of the existing system and its performance.
2. Envisioning: Developing a common understanding of the mitigation and management of risk and then applying the desired video technology infrastructure and stack, taking into account the broad interests of all key stakeholders.
3. Roadmap Development: Developing the strategy and operational plan to migrate from the current video system to the envisioned one.
4. Roadmap Implementation and Management: Executing against the plan, including an SRMS evaluation of performance-to-metrics and modifying the implementation as warranted.
Following these four phases, with the right partners measuring the right things and an experienced SRMS program manager orchestrating the effort, will help drive efficiency into your security program and, ultimately, accelerate your program value and performance.