Most organisations understand that there's not really such a thing as complete security - as with other areas of IT, threats remain ever-evolving and dynamic, and consequently unpredictable.
Indeed, excellence in security management continues to elude us despite the vast availability of guidance, maturity models, standards and methodologies such as CoBIT, ISO, King II and ITIL.
Companies state that these guidelines and standards are vague and written in general terms so they can be applied to any type of environment. Valid, but in all fairness they tend to become even more vague when companies aren't properly schooled in the many facets of information security.
As a computing society we need to understand that security is not just about technology, but is in fact a business process. The problem with this mantra is, however, that we have essentially no way of accomplishing this with our current models.
On top of this, business people are at a huge disadvantage today as they have various government regulations coming down on them, laws they have to comply with, plus they have to create a security budget and spend money but have no true understanding of the ROI of their spending.
And the clincher is that these business people don't have a lot of places to turn to in order to learn and understand security in their own terms. We have an incredible amount of books, white papers and courses flying around simply because we as a society have been totally focused and fascinated with the technical aspects of security.
The problem with this picture is that technology is a small part of overall security and needs to become a business process, integrated with other company processes.
And yes, there are solutions, but none of them are holistic. Point solutions only solve individual problems, missing the most important piece - getting business people to understand security on their terms.
The stratosphere view model
Corporate security does have a lot of bits and pieces, but no one in a company should be expected to know it all. If a company, for example, makes toasters, no one person knows the entire process from when an order comes in to when it's delivered to a customer. That is because everyone knows their piece of this process - there's an order taker, an order processor, an inventory person and so on.
Although each entity does not understand each and every piece of the intricate jigsaw puzzle, a company must set up processes so that the work gets done and so that it can determine if there's a breakdown along the way. The same goes for security.
The Stratosphere View Model identifies the necessary components of every security programme and associates these components with different levels of an organisation.
Indeed, these different components that make up a security programme need to be understood from different perspectives. A CEO does not need to know how to configure a firewall, IT personnel do not need to know how to create metrics for ROI purposes and the CFO definitely does not need to know how to monitor the intrusion detection system.
So, essentially the Stratosphere Model takes today's standards, regulations and best practices and breaks them down into understandable and usable action items that can be assigned to specific roles within an organisation. Importantly, it's not only about assigning these items but also teaching individuals how to carry out the tasks to meet these action items and exactly when it needs to be done.
The model has been developed to simplify information security and make it achievable in any environment. Indeed, it has been designed for each individual who has a security responsibility, providing an implementation guidance framework that demystifies security activities by bringing them into a business context.
There is no distinction between business and security roles, and this is a key step moving towards a comprehensive organisational security model. It teaches companies how to integrate security into their business processes, how to leverage current skills and how to increase protection of IT systems without adversely affecting business objectives or budgets.
Importantly, as security becomes more managed with co-ordinated control, the fear of security threats subsides.
The goal of the Stratosphere View Model is to empower companies, letting them take more control of a component of their business that will never go away - information security.