If you are a CSO or head of security, you will inevitably face the day when a senior business executive will ask you for a detailed analysis of your strategy including the level of service you provide and how it will scale over time. That is a request that can be translated like this: “How do I know you are deploying your people the right way, measuring them the right way, and optimizing the processes they live in the right way?”

Inevitably you will be asked to challenge your assumptions about your program. Do you really need an extra headcount? Why do you have IT people on staff when we have an IT department? Are you carrying costs that can be eliminated through technology?

Which brings us to the title of this month’s column: The Cloud is NOT a Product. It is a Total Quality Management kick-starter.

The entire risk and security ecosystem of consultants, integrators, manufacturers and end users has a funny way of quickly moving to a product answer when we may have a systemic problem on our hands that is being sustained by our assumptions or belief system. Underlying the product solution is a business problem.

Today, there are consultants who specialize in risk assessments. But rarely is it asked: “Am I organized around the value and risk drivers of my organization?” or “Am I deploying technology in such a way that reduces budget and deployment risk as well as information asset risks?”

We need a consolidated effort around the risk assessment of the security program itself: the people performing roles in a process using technology. Should the head of security outsource the subject matter expertise they need in risk assessments, program management, and IT infrastructure and support? Have they looked at ways to virtualize a part of their guard services? Do they have someone persistently looking at their performance metrics and their risk intelligence who is paid to optimize while improving their overall risk picture? Are they working alongside their line of business peers to embed the cost and value of risk and resilience within their programs?

The Cloud is forcing all of us in the risk and security ecosystem to look at new ways of operating. It challenges our assumptions around people, infrastructure and security. It forces us to move beyond the hype and the scare tactics to address real world problems of scale and performance.

We can solve the security performance, integration and bandwidth issues that have stalled us in physical security. We know this because our IT peers are moving at breakneck speed to virtualize and outsource many of their core services to the cloud. And nothing forces us to consider deploying cloud and managed services like a budget process and the scrutiny over our metrics and value.

Global data center traffic is expected to grow exponentially. Companies are moving to the cloud to gain productivity, reduce cost and improve uptime. This market disruption is creating a need to look at the Total Cost of Ownership (TCO) of the entire security technology solution and program. That assessment will also consider the Time to Value (T2V) for implementing new capabilities and quickly scaling to meet the organization’s needs.

The new threshold for us as leaders is to cast a vision of performance that is not choked by our inability to adapt or innovate. Courage is needed as well as a process for understanding our program metrics and testing our infrastructure and technology assumptions. Be prepared for the new world of Security Risk Management Services (SRMS).