This page contains a single entry from the blog posted on July 9, 2009 9:49 AM.

Explaining security to the Board

Security in today's digital world is very complex. There are numerous attack vectors into and within an enterprise, both physically and logically. I have found that explaining security to senior non-IT managers and Board members is tough. While they want to understand, many get lost in the terminology and cannot begin to grasp the thousands of different roles, their privileges, how they are terminated, and so on. Their eyes often begin to glaze over.

Ten years ago, while I was working at Oblix, I was thinking about this problem. I told my friend Derek Small my visions, one of which this post will dive into: how to convey security and risk to senior managers and Board members.

I told Derek that one day ERP vendors would own the identity and almost all of the security space. I then said that they would develop ERP "risk" modules. The risk module would determine business, content, intellectual property and physical risk. From this, the risk module would then set the security privileges for physical, logical and content access together with the ERP access control and content management modules.

Then I went on to describe to Derek how complex security information could be explained to senior managers and Board members. On the principle that a picture is worth a thousand words, I explained how a three-dimensional image would depict the enterprise physically. The executives could zoom in and see a particular facility. They would see red, yellow, blue and green areas depicting critical, high, medium and low risk.

Then they could overlay the logical security on this, colour coded in the same way. By examining the overlay they could see where physical and logical risk combined. They could then see which roles had access to the critical and high risk areas. They could apply an authentication risk chart to those areas and determine whether identity and application authentication needed to be strengthened.
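The overlay described above can be modelled as a small data exercise. The following is an added example written for this page, not code from the post or from any vendor mentioned in it. The four-level risk scale and its colours follow the post; the facilities, roles, the "higher of the two ratings wins" overlay rule and the minimum authentication strength per risk level are constructed assumptions for illustration.

```python
from dataclasses import dataclass

# Ordinal risk scale and the colour coding used in the post (low -> green, critical -> red).
RISK_LEVELS = ["low", "medium", "high", "critical"]
COLOURS = {"low": "green", "medium": "blue", "high": "yellow", "critical": "red"}

# Assumed minimum authentication strength a role needs to reach an area of a given risk
# (1 = single factor, 2 = two factor, 3 = hardware-backed). Illustrative, not from the post.
REQUIRED_AUTH = {"low": 1, "medium": 1, "high": 2, "critical": 3}


def rank(level: str) -> int:
    """Position of a level on the ordinal scale, so levels can be compared."""
    return RISK_LEVELS.index(level)


@dataclass
class Area:
    facility: str
    name: str
    physical_risk: str   # rating from the physical security assessment
    logical_risk: str    # rating from the logical (IT) security assessment
    roles: list          # roles that can reach this area physically or logically


def combined_risk(area: Area) -> str:
    """Overlay rule (assumption): an area inherits the higher of its two ratings."""
    return RISK_LEVELS[max(rank(area.physical_risk), rank(area.logical_risk))]


def is_hotspot(area: Area, threshold: str = "high") -> bool:
    """True where physical AND logical risk are both at or above the threshold."""
    return (rank(area.physical_risk) >= rank(threshold)
            and rank(area.logical_risk) >= rank(threshold))


def board_view(areas: list) -> dict:
    """What the picture would show: one colour per area after the overlay."""
    return {f"{a.facility}/{a.name}": COLOURS[combined_risk(a)] for a in areas}


def roles_in_risky_areas(areas: list, threshold: str = "high") -> dict:
    """Map each role to the areas it can reach whose combined risk meets the threshold."""
    out = {}
    for a in areas:
        if rank(combined_risk(a)) >= rank(threshold):
            for r in a.roles:
                out.setdefault(r, []).append(f"{a.facility}/{a.name}")
    return out


def authentication_gaps(areas: list, role_auth_strength: dict) -> list:
    """Roles whose current authentication strength is below what the area's risk requires.
    Returns (role, area, have, need) tuples; unknown roles are assumed single factor."""
    gaps = []
    for a in areas:
        need = REQUIRED_AUTH[combined_risk(a)]
        for r in a.roles:
            have = role_auth_strength.get(r, 1)
            if have < need:
                gaps.append((r, f"{a.facility}/{a.name}", have, need))
    return gaps


# Constructed sample enterprise: two facilities, four areas, five roles.
AREAS = [
    Area("HQ", "server room", "critical", "high", ["datacenter-ops", "facilities"]),
    Area("HQ", "lobby", "low", "low", ["facilities", "visitor"]),
    Area("Plant-2", "control room", "high", "critical", ["plant-engineer", "contractor"]),
    Area("Plant-2", "warehouse", "medium", "low", ["contractor"]),
]
# Constructed current authentication strength per role.
ROLE_AUTH = {"datacenter-ops": 3, "facilities": 1, "plant-engineer": 2,
             "contractor": 1, "visitor": 1}

if __name__ == "__main__":
    for area, colour in board_view(AREAS).items():
        print(f"{area:22s} {colour}")
    print("hotspots:", [f"{a.facility}/{a.name}" for a in AREAS if is_hotspot(a)])
    print("roles in high/critical areas:", roles_in_risky_areas(AREAS))
    for role, area, have, need in authentication_gaps(AREAS, ROLE_AUTH):
        print(f"strengthen {role} for {area}: has level {have}, needs {need}")
```

The three questions the post puts in front of the board map onto three functions: `board_view` is the coloured picture, `roles_in_risky_areas` answers "who can get at the red and yellow areas", and `authentication_gaps` is the step where an authentication risk chart would be applied to decide where to spend. On the sample data the facilities role and the contractor role both reach a critical area with single-factor authentication, which is the kind of finding the picture is meant to surface.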

My thinking was that by depicting this graphically, executives and Board members would begin to understand how their security dollars were being spent and could make more informed decisions.

Ten years later I am seeing the early days of my vision begin to unfold. Alert Enterprise! is releasing a series of products that work with SAP to display risk and integrate physical and logical security.

These are still early days in the marketplace. I predict that over the next five years a variety of new products will begin to deliver what I had in my vision.

Regards,
Guy


Comments (1)

Interesting post, and while it seems to me this is a long-term survival strategy, it will require some major corporate shifts. For example, selling PACS is different than selling IdM: different customers, selling strategy, and delivery strategy. It could require an overhaul in many orgs. Also, their business model is typically one of total domination - homogeneous PACS environments on their systems. It would require freedom to embrace others and move up the chain. Then we are back to point #1.

Glad I came across the blog. Will be a regular reader.
